Windows 2003 Problem with Group Policy for Services Startup and Permissions




We just finished assisting Microsoft with an issue that I feel needs to
be put out there due to the lack of information on the topic, even
though it's a unique scenario. In a nutshell, here is the problem.

All of our Windows 2000 workstations in our enterprise lost the
ability for the local system accounts (interactive, network
services, and system) to manipulate certain services. This stopped
us from installing programs or making changes to the system that
require these permissions, the main one being the latest version of
the SMS 2003 SP2 client. It would not finish the unattended install
due to a permissions error on the 2000 workstations.

We did originally have a domain-level policy that removed everyone's
rights to stop or change the BITS, Automatic Updates, Netlogon, and
SMS host services. But knowing that this existed, we disabled it by
using several means, starting with unchecking the services inside the
policy and ending with deleting the policy from the domain completely.
We forced the updates on the workstations with enforce, made many
reboots, etc., etc., etc. To no avail; we were still having problems. I
then thought, hmm, a possible, dare I say, "anomaly"? I created a brand
new policy and reconfigured the affected "services" and manually added
all the permissions back. BOOM, all was well.

So here is the bottom line: if you remove or modify the permissions via
a 2003 group policy, push it out to all your clients, and then disable
said policy, the ACLs/perms for the services stay and do not get
reverted back to their defaults until a new one is pushed. As you can
see, this could potentially be VERY detrimental in an enterprise and
extremely difficult to diagnose. Microsoft is testing it now to
recreate the issue for a specific resolution path.

Enjoy.
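
An added example, not part of the original post: one way to confirm that a removed policy left its service permissions behind is to compare a service's current DACL with one taken from a machine the policy never reached. The sketch assumes both were collected as SDDL strings (for example with `sc sdshow <service>`), handles only the two-letter service access codes, and uses constructed sample strings.

```python
import re

# SDDL access codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

def effective_rights(sddl):
    """Return {trustee: rights allowed and not denied} from the DACL part.
    Trustees are compared as written; group membership is not resolved."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if dacl is None:
        raise ValueError("no DACL found in SDDL string")
    allow, deny = {}, {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + ace)
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        codes = re.findall("..", rights)
        if len(rights) % 2 or any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError("unsupported rights string: " + rights)
        if ace_type in ("A", "D"):  # other ACE types are ignored
            target = allow if ace_type == "A" else deny
            target.setdefault(trustee, set()).update(codes)
    return {t: r - deny.get(t, set()) for t, r in allow.items()}

def lost_rights(baseline_sddl, current_sddl):
    """Rights each trustee holds in the baseline but not in the current DACL."""
    base = effective_rights(baseline_sddl)
    cur = effective_rights(current_sddl)
    report = {}
    for trustee, rights in base.items():
        missing = rights - cur.get(trustee, set())
        if missing:
            report[trustee] = sorted(SERVICE_RIGHTS[c] for c in missing)
    return report

# Constructed samples: BASELINE stands in for an untouched machine, CURRENT
# for a workstation where a since-deleted policy stripped stop/change rights.
BASELINE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
CURRENT = ("D:(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")

if __name__ == "__main__":
    for trustee, names in sorted(lost_rights(BASELINE, CURRENT).items()):
        print(trustee, "lost", ", ".join(names))
```

An empty report for a service means its DACL still grants everything the baseline does; any entry names the trustee (SY is Local System, BA is the built-in Administrators group) and the rights that were not restored.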
