Solved
AD Group Policy resetting security descriptor for the SharedAccess service

Posted on 2008-10-09
Medium Priority
1,806 Views
Last Modified: 2013-06-06
I have about 300 computers in my AD domain.  I'm unable to start the Windows Firewall Service on only my XP 32-bit machines.  The service is set to start automatically and I get this error if I try to manually start the service:

error 0x80004015: The class is configured to run as a security id different from the caller

The security descriptor for the SharedAccess service on my XP 32-bit machines is set to this:

D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)

I followed Microsoft's article (http://support.microsoft.com/kb/892199) and manually reset the security descriptor using the following command:

SC sdset SharedAccess D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

After that I'm able to successfully start the Firewall Service.

However, if I refresh the group policy on the machine (gpupdate /force) the security descriptor is changed back to the first key listed above.

I've tested changing a few things in my default domain group policy, resetting the SD for SharedAccess, and then refreshing the group policy, but each time the key is reverted back to the one that doesn't work.

I have the Administrative Template for the Windows Firewall set to disabled in the domain and standard group policy, but it makes no difference if I set it to enabled or not configured.

What other areas in Group Policy might be causing this change?  Or is there something else going on?  All of my XP 64-bit machines work fine.



Question by: fourjohn
3 Comments
 
Expert Comment by: sk_raja_raja (LVL 18)
ID: 22680963


1. Click Start followed by Run...
2. Type in regedt32 and hit the enter key.
3. Locate the key HKEY_Local_MACHINE\software\classes\appid\{ce166e40-1e72-45b9-94c9-3b2050i8f180} and highlight it.
4. Click File and then Export from the File menu and export a copy of the key.
5. Make sure the key mentioned in step 3 is still highlighted and delete it.
6. Restart your computer and the Windows Firewall/Internet Connection Sharing Service should start automatically.
 
Author Comment by: fourjohn (LVL 1)
ID: 22702815
Ok, deleting the reg key seems to work even after refreshing the group policy.

As a test I built a virtual PC with a fresh copy of XP with Service Pack 3 embedded (not that it really matters).  Before joining the machine to the domain the Windows Firewall service loads correctly and the SharedAccess security ID is D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

After joining the machine to the domain and the group policy has taken effect (and then rebooting), the SharedAccess security ID changes to D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU) and the Windows Firewall service fails to load.  Deleting the regkey and rebooting works.

However, I would like to understand what in my group policy is causing this problem as it clearly looks to be the culprit.  Deleting a regkey via a login script for all 300 networked machines creates another dependency for me and I would instead like to fix my group policy.

What is happening when the regkey is deleted?  I'm just trying to understand what it's doing.

Also, can someone give me any clues as to where in my domain policy that is causing the issue?

Thanks.
 
Accepted Solution by: fourjohn (LVL 1), earned 0 total points
ID: 22706213
The problem was in the default domain policy and here is how I corrected it:

1. Open the Default Domain Policy.
2. Navigate to \Computer Configuration\Windows Settings\Security Settings\System Services.
3. Open Windows Firewall/Internet Connection Sharing (ICS).
4. Check the box next to "Define this policy setting".
5. Select the service start mode to Automatic.
6. Click the Edit Security button and set:
      Administrators (local): Full Control
      Authenticated Users: Read
      Power Users (local): Read + Start, Stop and Pause
      System: Read + Start, Stop and Pause
7. Refresh the group policy on the machine (gpupdate /force).

The combination of security settings above sets the SharedAccess Security ID to a working value of:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)


It is also helpful to understand the association between the access right string constant, the access right value, and the GUI security permission:

String constant   Access right value               GUI security permission
CC                ADS_RIGHT_DS_CREATE_CHILD        Query template
DC                ADS_RIGHT_DS_DELETE_CHILD        Change template
LC                ADS_RIGHT_ACTRL_DS_LIST          Query status
SW                ADS_RIGHT_DS_SELF                Enumerate dependents
RP                ADS_RIGHT_DS_READ_PROP           Start
WP                ADS_RIGHT_DS_WRITE_PROP          Stop
DT                ADS_RIGHT_DS_DELETE_TREE         Pause and continue
LO                ADS_RIGHT_DS_LIST_OBJECT         Interrogate
CR                ADS_RIGHT_DS_CONTROL_ACCESS      User-defined control
SD                DELETE                           Delete
RC                READ_CONTROL                     Read permissions
WD                WRITE_DAC                        Change permissions
WO                WRITE_OWNER                      Take ownership


Deleting the HKEY_Local_MACHINE\software\classes\appid\{ce166e40-1e72-45b9-94c9-3b2050i8f180} regkey is more of a workaround whereas I was asking to fix the problem at the root cause.


Thanks.
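Editor's worked example (added here; not code from the thread or from fourjohn): the script below implements the right-code table from the accepted solution as a decoder for service SDDL strings, decodes the two descriptors quoted in the thread, reports per principal which rights the Group Policy entry added or removed, and rebuilds the working string from the four "Edit Security" check-box settings in the accepted solution. The descriptors and the SID aliases come from the page; the SERVICE_* constant names and mask bits are the Win32 service-specific access rights rather than the ADS_RIGHT_* names in the table above, and the expansion of the dialog's "Read" and "Start, Stop and Pause" check boxes into individual rights is derived from the working descriptor and is an assumption of this example. The DACL parser assumes one ACE per principal, which holds for every descriptor on this page.

```python
"""Decode and compare Windows service security descriptors written in SDDL.

Added worked example for this thread, not code from the original post.
BROKEN is the descriptor the XP 32-bit machines received from Group Policy,
WORKING is the one from KB 892199 and the corrected Default Domain Policy.
"""
import re

# SDDL two-letter right -> (access-mask bit, Win32 constant, name in the Services security dialog).
# Bit values are the SERVICE_* rights from the Win32 SDK (assumption of this example, not from the thread).
SERVICE_RIGHTS = {
    "CC": (0x00001, "SERVICE_QUERY_CONFIG",         "Query template"),
    "DC": (0x00002, "SERVICE_CHANGE_CONFIG",        "Change template"),
    "LC": (0x00004, "SERVICE_QUERY_STATUS",         "Query status"),
    "SW": (0x00008, "SERVICE_ENUMERATE_DEPENDENTS", "Enumerate dependents"),
    "RP": (0x00010, "SERVICE_START",                "Start"),
    "WP": (0x00020, "SERVICE_STOP",                 "Stop"),
    "DT": (0x00040, "SERVICE_PAUSE_CONTINUE",       "Pause and continue"),
    "LO": (0x00080, "SERVICE_INTERROGATE",          "Interrogate"),
    "CR": (0x00100, "SERVICE_USER_DEFINED_CONTROL", "User-defined control"),
    "SD": (0x10000, "DELETE",                       "Delete"),
    "RC": (0x20000, "READ_CONTROL",                 "Read permissions"),
    "WD": (0x40000, "WRITE_DAC",                    "Change permissions"),
    "WO": (0x80000, "WRITE_OWNER",                  "Take ownership"),
}
# Order in which sc.exe emits the codes; also used when composing a string.
RIGHT_ORDER = list(SERVICE_RIGHTS)

# How the GPO "Edit Security" check boxes expand to rights. Derived from the
# working descriptor in the thread (assumption): "Read" is the six query /
# interrogate rights, "Start, Stop and Pause" adds RP/WP/DT.
GUI_SETS = {
    "Read": {"CC", "LC", "SW", "LO", "CR", "RC"},
    "Start, Stop and Pause": {"RP", "WP", "DT"},
    "Full Control": set(RIGHT_ORDER),
}

# Well-known SID aliases used in the thread's descriptors.
SID_NAMES = {"BA": "Administrators", "SY": "Local System", "AU": "Authenticated Users",
             "PU": "Power Users", "IU": "Interactive Users"}

BROKEN = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
WORKING = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

# The check boxes set in the Default Domain Policy in the accepted solution,
# in the order sc sdshow lists the resulting ACEs.
GPO_GRANTS = [
    ("SY", ["Read", "Start, Stop and Pause"]),
    ("BA", ["Full Control"]),
    ("AU", ["Read"]),
    ("PU", ["Read", "Start, Stop and Pause"]),
]

ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(rights):
    """Turn the rights field of an ACE into a frozenset of two-letter codes."""
    if rights.startswith("0x"):  # sc sdshow may emit a numeric mask instead of codes
        mask = int(rights, 16)
        return frozenset(r for r, (bit, _, _) in SERVICE_RIGHTS.items() if mask & bit)
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights!r}")
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    unknown = [c for c in codes if c not in SERVICE_RIGHTS]
    if unknown:  # generic rights (GA/GR/GW/GX) do not apply to a service object
        raise ValueError(f"unsupported right(s) {unknown} in {rights!r}")
    return frozenset(codes)


def parse_service_dacl(sddl):
    """Return {sid: (ace_type, rights)} for every ACE in the DACL of an SDDL string."""
    if not sddl.startswith("D:"):
        raise ValueError("expected an SDDL string that starts with D:")
    dacl = sddl[2:].split("S:", 1)[0]  # ignore a trailing SACL if one is present
    aces = {}
    for m in ACE_RE.finditer(dacl):  # DACL flags such as P or AI before the first ACE are skipped
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: {m.group(0)}")
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        aces[sid] = (ace_type, split_rights(rights))  # one ACE per principal assumed
    return aces


def describe(sddl):
    """One line per principal, naming the rights as the Services security dialog shows them."""
    out = []
    for sid, (ace_type, rights) in parse_service_dacl(sddl).items():
        verb = {"A": "Allow", "D": "Deny"}.get(ace_type, ace_type)
        names = ", ".join(SERVICE_RIGHTS[r][2] for r in RIGHT_ORDER if r in rights)
        out.append(f"{SID_NAMES.get(sid, sid)}: {verb} {names}")
    return out


def diff_descriptors(before, after):
    """Per-principal rights added/removed when 'before' is replaced by 'after'."""
    a, b = parse_service_dacl(before), parse_service_dacl(after)
    changes = {}
    for sid in sorted(set(a) | set(b)):
        old = a.get(sid, ("A", frozenset()))[1]
        new = b.get(sid, ("A", frozenset()))[1]
        if old != new:
            changes[sid] = {"added": sorted(new - old), "removed": sorted(old - new)}
    return changes


def build_sddl(grants):
    """Compose the DACL the GPO dialog produces from (sid, [check-box names]) pairs."""
    aces = []
    for sid, perms in grants:
        rights = set().union(*(GUI_SETS[p] for p in perms))
        aces.append("(A;;" + "".join(r for r in RIGHT_ORDER if r in rights) + ";;;" + sid + ")")
    return "D:" + "".join(aces)


if __name__ == "__main__":
    print("\n".join(describe(BROKEN)))
    print(diff_descriptors(BROKEN, WORKING))
    print("GPO settings reproduce the working descriptor:", build_sddl(GPO_GRANTS) == WORKING)
```

To check a live machine, paste the output of `sc sdshow SharedAccess` into describe() before and after `gpupdate /force`; the diff shows exactly which principals the System Services entry rewrites. On the thread's two strings the diff is telling: Administrators are unchanged and Local System loses only DC, SD, WD and WO (it had full control in the pushed descriptor), while the Authenticated Users and Power Users entries are absent from the pushed descriptor and an Interactive Users read-only entry stands in their place. That is the kind of check to run against any GPO System Services definition before it reaches 300 machines.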