Re: Save me from my stupidity

From: stefanT (stefanT_at_discussions.microsoft.com)
Date: 12/30/04


Date: Thu, 30 Dec 2004 10:21:03 -0800

99.9% sure. However, to be certain, via the network C drive share I removed
'Everyone', added 'AuthenticatedUsers' and set the permissions to:
  Administrators : deny full
  System : deny full
  AuthenticatedUsers : deny full
The sub-directories and contents were also explicitly set to deny full for
all three.
The deny full for A-Users worked because I could no longer access the
GroupPolicy directory so I guess the same applies to Admins.
Despite this, I could still not login locally.

If, from what you say, this fix should work, there must be something
anomalous with the system. Just to recapitulate, it's running W2k-Pro - no
SPs and was setup as a Workgroup PC. The only change I made was to deny
local login to group Users. I attempted to do a repair re-install at which
point I changed it to a Domain PC to try and login to the domain, but the
re-install did not complete and I had to reboot. The machine came back up OK
with only the local login prompt.

The login authentication seems to be OK since an incorrect user or password
produces a normal logon failure message.

The only thing I have observed whenever I tried to login was that the sam &
sam.log files in sys32/config are updated.

If this fix cannot be made to work, would there be another way to approach
it if I did a parallel installation - say by copying the relevant files from
that installation? I rather get the feeling that this problem is going to
take some experimenting in order to locate the cause. My problem is, I know
virtually nothing about the inner workings in order to do this. At the end
of the day, I can always do a full re-install, tho' I'd rather avoid this if
I can. What I don't want to do is waste your time on what could be a
fruitless chase - so if you want to sign off on this then go ahead - I'll
understand. I spent several years providing international support at the end
of a telephone so I know what a bummer this kind of thing can be.

StefanT

"Roger Abell" wrote:

> Windows 2000 and earlier did not set NTFS permissions on
> directories that were from upgrade installs, or converted to
> NTFS from FAT.
> The registry part of what you were saying is behind the scenes.
> What is important is that the system32\GroupPolicy folder is
> not readable by the account logging in so that policy will not
> be applied to it. I have never had someone not have this work
> for them when in your situation, at least as I hear your description
> of the situation. 100% success until now. So, are you sure that
> the Deny of full control for administrators was saved, and perhaps
> check that it propagated onto the contents of the folder.
> The "normal" permissions for the folder in Windows 2000 (server)
> are grants of Administrators Full ; SYSTEM Full; and Authenticated
> Users Read&Execute (and so List+Read)
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "stefanT" <stefanT@discussions.microsoft.com> wrote in message
> news:C9ADAD1D-1D45-4565-9BBE-C79F4E029C6F@microsoft.com...
> > OK. take #2
> >
> > I find I can access via the network after all. So I navigate to
> > sysroot/sys32/GroupPolicy and set Deny on full for Administrators. I've not
> > logged in locally yet so I give it a try. No joy. I reboot the machine and
> > try again - still no joy. Same logon message - 'local policy does not permit
> > interactive logon'. Any thoughts?
> >
> > What should the permissions be on this directory? Mine show
> > Admins : allow unset ; deny unset
> > System : allow unset ; deny unset
> > Everyone : allow full ; deny unset
> >
>>snip


