
File and registry permissions after Workgroup migration to Domain

Posted on 2004-08-18
Last Modified: 2013-12-04
The issue we are having occurs when we add a Windows 2000 workstation to our new domain that was previously a member of a workgroup called "WORKGROUP".

After adding the machine to the domain we reboot, log in as domain admin, and find that the file/folder permissions on C: have been reset to "Everyone" with full control. Yet standard domain users have trouble writing to files in the windows folder and other locations on the drive.

The registry shows that "RESTRICTED" and "Everyone" objects have read only access to all areas of the registry. This causes users to have problems with software that writes settings to the registry, i.e. AutoCAD or any app that writes into HKLM.

To correct this, we have to log in as the domain admin, open regedt32 and add "Domain Users" and "Domain Admins" with full control on the registry, or give "Everyone" and "RESTRICTED" at least read/write access to HKLM. Then we reset the permissions on the C: drive to make "domainname\Domain Admins" the owner and set "Domain Admins" with full control and "Domain Users" with Change rights in order to straighten things out.

This is a real headache for our helpdesk and it doesn't seem like we should have to do this just to move over to a domain. We're not sure if it has something to do with Group Policies or what. Any help would be greatly appreciated.
Question by:TheITGuy

Expert Comment

by:Scott_Willcocks
ID: 11839494
We had that problem. It is that W2K has locked down certain folders,

the most important being %windows% and %system32%. This caused us immense problems.

Microsoft locked it down to try to combat viruses that copy themselves to the system 32 folder and run.

What we did was to unlock the system 32 folder, as this was the cause of most of the software failing, as the programs didn't have the right permissions on DLLs to run them.

\\SERVER\SHARE\xcacls.exe c:\winnt\system32\*.* /T /e /g "Power Users":R /y

Find xcacls.exe here:

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/xcacls-o.asp

Then create a shortcut and run this. It then adds everyone and assigns full control to every file in the directory. You can change the user to power user and add all the domain users to the power user group on all machines.

So anyone authenticated to your domain will gain power user rights on the local machine, which is slightly higher than normal users.

Not perfect, but it gets around the AutoCAD problems and other software.


Expert Comment

by:Scott_Willcocks
ID: 11839500
Also try this, so you have two shortcuts:

\\SERVER\SHARE\xcacls.exe c:\winnt\system\*.* /T /e /g "Power Users":R /y

This program needs to be run by an administrator.

Author Comment

by:TheITGuy
ID: 11871575
Scott,

I used XCACLS.exe on the C:\winnt\system32 folder and it set the permissions the way we need them.  That shortcut should save us a lot of time.

Do you have any suggestions on a quick way to set the registry permissions? Does Microsoft make any kind of utility to reset those as well?

Thanks!

Expert Comment

by:Scott_Willcocks
ID: 11871655
if you put all users in the power user group you should be ok.

we never had to change those settings as the autocad settings write to HKCU registry key that the user will have the correct rights to write to.

add domain users to the power user group

Accepted Solution

by:
Scott_Willcocks earned 2000 total points
ID: 11871861
you may want to automate the power user thing with this

' Adds the domain's "Domain Users" group to the local "Power Users" group.
Set oWshNet = CreateObject("WScript.Network")

sUser = "Domain Users"

sNetBIOSDomain = oWshNet.UserDomain
sComputer = oWshNet.ComputerName

' Bind to the local group and to the domain account through the WinNT provider.
Set oGroup = GetObject("WinNT://" & sComputer & "/Power Users,group")
' "Domain Users" is a group, so the class hint must be "group", not "user".
Set oUser = GetObject("WinNT://" & sNetBIOSDomain & "/" & sUser & ",group")

' suppress errors in case the user is already a member
On Error Resume Next
oGroup.Add(oUser.ADsPath)
On Error Goto 0


It will try to add the user name in the variable "Domain USER"
to the "POWERusers group" group every time the computer boots
up. If the user already exists, the error is suppressed.

If the computers are in another domain than the user you
want to add, you will need to hard code the domain name
the user belongs to in the variable "sNetBIOSDomain".


test this script and add to users logon scripts

0
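An audit of the settings this thread changes, as an added example that is not part of any post above: it lists allow ACEs on file and registry paths where a broad principal holds write-capable rights, and reports whether Domain Users sits in the local Power Users group. The path list, the principal list and the function names are assumptions to adjust for the machine being checked.

```powershell
# Added example, not from the thread. $Paths and $BroadPrincipals are assumptions.
$Paths = "$env:SystemRoot", "$env:SystemRoot\System32", 'HKLM:\SOFTWARE'
$BroadPrincipals = 'Everyone', 'RESTRICTED', 'Authenticated Users',
                   'Users', 'Power Users', 'Domain Users'

# Bits that allow modification. File and registry rights share these positions:
# 0x2 WriteData/SetValue, 0x4 AppendData/CreateSubKey, 0x10000 Delete,
# 0x40000 ChangePermissions, 0x80000 TakeOwnership, plus GENERIC_ALL/GENERIC_WRITE.
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
             0x10000000 -bor 0x40000000

function Get-BroadWriteAce {
    param([string[]]$Path)
    foreach ($p in $Path) {
        $acl = Get-Acl -Path $p -ErrorAction SilentlyContinue
        if (-not $acl) { Write-Warning "Cannot read ACL on $p"; continue }
        foreach ($ace in $acl.Access) {
            # Registry ACEs expose RegistryRights, file ACEs FileSystemRights.
            $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) {
                $ace.RegistryRights } else { $ace.FileSystemRights }
            # Compare on the account name without its domain or authority prefix.
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadPrincipals -contains $name -and
                ([int]$rights -band $WriteMask) -ne 0) {
                [pscustomobject]@{ Path = $p; Identity = $ace.IdentityReference.Value
                                   Rights = $rights; Inherited = $ace.IsInherited }
            }
        }
    }
}

function Get-PowerUsersMember {
    # Same WinNT provider the logon script in the thread uses to add the member.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Power Users,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

Get-BroadWriteAce -Path $Paths | Format-Table -AutoSize
Get-PowerUsersMember | Where-Object { $_ -match '/Domain Users$' }
```

Run it from an elevated prompt so that every ACL in the list can be read; an empty result from both calls means none of the listed principals can modify the checked paths and Domain Users is not a local Power Users member.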
