EPAM_Systems asked:
Event Viewer Security (Remote Registry) in Windows 2003

After upgrading a Win2K DC to a Win2003 DC it is impossible to connect to the Event Viewer under Domain Admin credentials from any system (WinXP/2000/2003). I keep getting an "access denied" error. I get a similar error when trying to connect remotely to the registry. On trying to open the remote HKLM I get the error "Cannot open HKEY_LOCAL_MACHINE. Error while opening key", although I can open HKEY_USERS.
Checked:
1. http://support.microsoft.com/?id=314837 "How to Manage Remote Access to the Registry"
2. http://support.microsoft.com/?id=323076 "Set Event Log Security Locally ...in Windows Server 2003"
3. Policy "Manage Auditing & Security log"=Administrators.
4. Using rsop.msc I gathered GP info; "Remotely Accessible Path" and "Remotely Accessible Path and subpath" are using the default settings, which were checked in (1).

What else should be checked/rechecked to allow remote registry access to HKLM and, as a result, the remote Event Viewer?
Joseph_Moore:

Is the "Remote Registry" service running on the Win2K3 box? If this service is not on, then you cannot connect to the remote system and look at the Registry.
I know that Win2K3 has many new security enhancements, so maybe this is one of them. Maybe it turned this Service off?
EPAM_Systems (asker):
Thanks for the reply. It's a pity, but the Remote Registry service is Automatic and Running; as I wrote, I can open HKEY_USERS.
I have almost given up. It appears to be a glitch of the Win2003 in-place upgrade from a Win2000 DC. I suppose it will be corrected in SP1.

I am open to any crazy ideas. Perhaps someone can give some hints on how to debug the mentioned issue? Something like: use API xxx on the client, capture and analyse the network traffic, debug API xxx on the server.
How about the security on the HKLM hive? Did you check that? I don't have a Win2K3 box I can check this on specifically, but on my XP Pro box, the security is as follows:
Administrators:  Allow FC, Allow Read
Everyone:  Allow Read
RESTRICTED:  Allow Read
SYSTEM:  Allow FC, Allow Read

This is how the root of the hive looks, permissions-wise. Please check yours, to see what it is set to. Maybe the permissions are set incorrectly, or too tight, so the Administrators group does not have Read access.
Open Regedt32 (which now looks just like normal Regedit), right-click on HKLM, choose Permissions, and on the Security tab, take a look and make any changes if needed.
Now, a warning. If the permissions are screwed up, then you can try and have new permissions be applied to all lower-level branches, but this could, in and of itself, mess something ELSE up! So, if this does turn out to be the problem, making a change and applying it to all sub-branches of HKLM could create another problem for you! I have never tried doing this, so I just wanted to warn you.
Permissions are checked. HKLM has had the default settings since the Win2K days, i.e.:
Administrators - Full
Everyone - Read
RESTRICTED - Read
System - Full
So, I did find another question here at EE with the same problem, getting the "error while opening key" message while remotely connecting. The accepted answer (there was no followup by the person who opened the question with details on why they accepted the one answer) was this Technet article:
http://support.microsoft.com/?kbid=310426
And this article just talks about the Registry Editor in XP and Win2K3.
The question here at EE is here:
https://www.experts-exchange.com/questions/20782059/Connecting-to-XP-Registry-via-the-Network.html
Take a look at them, and maybe something will strike a chord with the setup.
There just must be a security setting set incorrectly on this XP box, or maybe in the Local Security Settings -> User Rights Assignment (located in Administrative Tools).
We're missing it, and it is just a little thing, probably.
:( No luck; 310426 is the usual HOW TO guide for newbies.

By default the built-in Administrator has these privileges:
Logon Locally
Access This Computer From the Network
Allow logon through terminal services
Manage Auditing and Security Log
Backup files and directories
Restore files and directories
Change the System Time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
Debug programs
Modify firmware environment values
Profile system performance
Profile single process
Increase scheduling priority
Load and unload device drivers
Create a pagefile
Increase quotas (Adjust memory quotas for a process)
Bypass traverse checking
Remove computer from docking station
Perform volume maintenance tasks

My domain built-in Administrator has the same ones and it is not on the list of any deny privileges. I checked that through gpedit.msc and rechecked through rsop.msc.

The next step to try is applying the default security template for a DC.
YES! It did the trick. "DC security.inf" resolved my problem.
I have three more DCs with the same issue, so I'll try to apply the template manually step by step.

See you soon. :)

EPAM Systems www.epam.com
Pavel Dzemyantsau, Lead IT Engineer, MCSA
Freakin' security templates! :-P
I'm glad you found the solution!
This template works:
---EventVwrFix.inf---
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[Registry Keys]
"machine\system\currentcontrolset\services\wintrust",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\services\tcpip",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;S-1-5-20)(A;CI;GR;;;S-1-5-19)(A;CI;CCDCLCSWRPSDRC;;;S-1-5-32-556)"
"machine\system\currentcontrolset\services\sysmonlog\log queries",2,"D:(A;CI;GA;;;S-1-5-20)(A;CI;CCDCLCSWSDRC;;;S-1-5-32-559)"
"machine\system\currentcontrolset\services\remoteaccess",0,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;S-1-5-20)(A;CI;GR;;;S-1-5-19)(A;CI;CCDCLCSWRPSDRC;;;S-1-5-32-556)"
"machine\system\currentcontrolset\services\ntfrs",0,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\services\ntds\parameters",0,"D:P(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\services\ntds",0,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\services\netbt",0,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;S-1-5-20)(A;CI;GA;;;S-1-5-19)(A;CI;CCDCLCSWRPSDRC;;;S-1-5-32-556)"
"machine\system\currentcontrolset\services\kdc",0,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\services\eventlog",0,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\services\dnscache",0,"D:P(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;S-1-5-20)(A;CI;GA;;;S-1-5-19)(A;CI;CCDCLCSWRPSDRC;;;S-1-5-32-556)"
"machine\system\currentcontrolset\services",0,"D:P(A;CI;GR;;;AU)(A;CI;SDGWGR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\hardware profiles",1,"D:AR"
"machine\system\currentcontrolset\enum",1,"D:AR"
"machine\system\currentcontrolset\control\wmi\security",2,"D:P(A;CI;GR;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\control\session manager\appcompatcache",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\control\securepipeservers\winreg",2,"D:P(A;CI;GA;;;BA)(A;;GR;;;BO)(A;CI;GR;;;S-1-5-19)"
"machine\system\currentcontrolset\control\productoptions",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)"
"machine\system\currentcontrolset\control\prioritycontrol",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\control\network",2,"D:P(A;CI;GR;;;BU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;S-1-5-20)(A;CI;GR;;;S-1-5-19)(A;CI;CCDCLCSWRPSDRC;;;S-1-5-32-556)"
"machine\system\currentcontrolset\control\lsa\skew1",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\control\lsa\jd",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\control\lsa\gbg",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\control\lsa\data",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\control\lsa\audit",2,"D:P(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\control\lsa",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\control\keyboard layouts",2,"D:(A;CI;GR;;;WD)"
"machine\system\currentcontrolset\control\keyboard layout",2,"D:(A;CI;GR;;;WD)"
"machine\system\currentcontrolset\control\graphicsdrivers",2,"D:P(A;CI;GR;;;AU)(A;CI;GR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
"machine\system\currentcontrolset\control\class",0,"D:AR"
"machine\system\currentcontrolset\control",2,"D:P(A;CI;GR;;;AU)(A;CI;SDGWGR;;;SO)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"
----
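An added example, not code from the thread or from any of its posters, for the situation the asker describes (more DCs to fix, template to be applied step by step): it parses the [Registry Keys] section of the posted template and reports every key where the template grants Builtin Administrators full control but the live ACL on this machine does not, which is exactly the access the asker was missing. It assumes the template above was saved as C:\Temp\EventVwrFix.inf (an assumed path) and that it runs in an elevated PowerShell on the DC being checked.

```powershell
# Added example (not from the thread). Compare the [Registry Keys] entries of a
# security template against the live registry ACLs on this machine and list keys
# where Builtin Administrators would gain full control when the template is applied.
# The template path is an assumption; save the INF posted above there.
$TemplatePath = 'C:\Temp\EventVwrFix.inf'

function Get-TemplateRegistryKeys {
    param([string]$Path)
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Registry Keys'); continue }
        if (-not $inSection -or $line -notmatch '^"([^"]+)",(\d),"([^"]*)"\s*$') { continue }
        # Entries are "path",mode,"SDDL"; "machine\" is HKLM. Mode 1 means "do not
        # replace permissions on this key", so such entries change nothing when applied.
        [pscustomobject]@{
            TemplateKey = $Matches[1]
            Mode        = [int]$Matches[2]
            Sddl        = $Matches[3]
            PSPath      = ($Matches[1] -replace '^machine\\', 'HKLM:\')
        }
    }
}

function Test-AdminAccessVsTemplate {
    param([string]$Path)
    $fullControl = 0xF003F   # KEY_ALL_ACCESS; a raw GENERIC_ALL (0x10000000) ACE also counts
    foreach ($entry in Get-TemplateRegistryKeys -Path $Path) {
        if ($entry.Mode -eq 1 -or $entry.PSPath -notlike 'HKLM:*') { continue }
        if (-not (Test-Path -LiteralPath $entry.PSPath)) { continue }
        # Template side: an allow ACE granting GA (generic all) to BA (Builtin Administrators)
        $templateGrants = [bool]($entry.Sddl -match '\(A;[^;]*;GA;;;BA\)')
        # Live side: any allow rule for BUILTIN\Administrators that carries full control
        $acl = Get-Acl -LiteralPath $entry.PSPath
        $liveGrants = [bool]($acl.Access | Where-Object {
            $r = [int]$_.RegistryRights
            $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
            $_.AccessControlType -eq 'Allow' -and
            ((($r -band $fullControl) -eq $fullControl) -or (($r -band 0x10000000) -ne 0))
        })
        [pscustomobject]@{
            Key                = $entry.TemplateKey
            TemplateGrantsFull = $templateGrants
            LiveGrantsFull     = $liveGrants
            NeedsFix           = ($templateGrants -and -not $liveGrants)
        }
    }
}

Test-AdminAccessVsTemplate -Path $TemplatePath | Where-Object { $_.NeedsFix } | Format-Table -AutoSize

# Applying the template is what resolved the thread; the built-in tool for that is secedit:
#   secedit /analyze   /db C:\Temp\eventvwr.sdb /cfg C:\Temp\EventVwrFix.inf /log C:\Temp\analyze.log
#   secedit /configure /db C:\Temp\eventvwr.sdb /cfg C:\Temp\EventVwrFix.inf /areas REGKEYS
```

The script checks only the Administrators full-control ACE that this thread is about; `secedit /analyze` performs the complete comparison of every ACE in the template and is the authoritative pre-check before `/configure`.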
Accepted solution (gemarti):
I was having the same issue with a DC that I demoted and renamed. I reapplied the Setup Security.inf based on the info I found in this post. This cleared up the problem right away.