fourjohn

asked on

AD Group Policy resetting security descriptor for the SharedAccess service

I have about 300 computers in my AD domain.  I'm unable to start the Windows Firewall Service on only my XP 32-bit machines.  The service is set to start automatically and I get this error if I try to manually start the service:

error 0x80004015: The class is configured to run as a security id different from the caller

The security descriptor for the SharedAccess service on my XP 32-bit machines is set to this:

D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)

I followed Microsoft's article (http://support.microsoft.com/kb/892199) and manually reset the security descriptor using the following command:

SC sdset SharedAccess D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

After that I'm able to successfully start the Firewall Service.

However, if I refresh the group policy on the machine (gpupdate /force) the security descriptor is changed back to the first key listed above.

I've tested changing a few things in my default domain group policy, resetting the SD for SharedAccess, and then refreshing the group policy, but each time the key is reverted back to the one that doesn't work.

I have the Administrative Template for the Windows Firewall set to disabled in the domain and standard group policy, but it makes no difference if I set it to enabled or not configured.

What other areas in Group Policy might be causing this change?  Or is there something else going on?  All of my XP 64-bit machines work fine.
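To make the two descriptors quoted above comparable at a glance, the following is an added Python example (not code from the original post, nor from Microsoft's KB article) that decodes SDDL DACL strings into service-object rights and trustee names and then diffs them per trustee. The rights and trustee tables are the standard SDDL abbreviations; as an assumption for brevity, the parser handles only the `D:` part and ignores owner, group, SACL and object-GUID fields. Run against the two strings from the question, it shows that the descriptor present after the group policy refresh drops the Authenticated Users and Power Users entries, grants SYSTEM full control instead of query/start/stop rights, and adds a query-only entry for Interactive users.

```python
import re

# Standard SDDL rights codes decoded as service-object rights (bit values
# are the Windows SDK SERVICE_* and standard-rights constants).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001), "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004), "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010), "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040), "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100), "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000), "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
}

# Well-known SDDL trustee abbreviations that appear in the two descriptors.
TRUSTEES = {
    "BA": "BUILTIN\\Administrators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "IU": "NT AUTHORITY\\INTERACTIVE",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "PU": "BUILTIN\\Power Users",
}

# The two descriptors quoted in the question, copied verbatim.
WORKING = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
BROKEN = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
          "(A;;CCLCSWLOCRRC;;;IU)")

ACE_RE = re.compile(r"\(([^)]*)\)")


def decode_rights(rights):
    """Turn an ACE rights field (two-letter codes, or a 0x hex mask) into
    (list of right names, access mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [n for n, bit in SERVICE_RIGHTS.values() if mask & bit], mask
    if len(rights) % 2:
        raise ValueError(f"odd-length rights field: {rights!r}")
    names, mask = [], 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in SERVICE_RIGHTS:
            raise ValueError(f"unknown rights code {code!r} in {rights!r}")
        name, bit = SERVICE_RIGHTS[code]
        names.append(name)
        mask |= bit
    return names, mask


def parse_dacl(sddl):
    """Parse the D:(...)(...) part of an SDDL string into one dict per ACE.
    Assumption: only the DACL is decoded; owner/group/SACL and object GUIDs
    are ignored, which is enough for service descriptors like these."""
    if not sddl.startswith("D:"):
        raise ValueError("expected an SDDL string beginning with 'D:'")
    aces = []
    for body in ACE_RE.findall(sddl[2:]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, ace_flags, rights, _obj_guid, _inh_guid, trustee = fields
        names, mask = decode_rights(rights)
        aces.append({
            "type": {"A": "Allow", "D": "Deny"}.get(ace_type, ace_type),
            "flags": ace_flags,
            "rights": names,
            "mask": mask,
            "trustee_code": trustee,
            "trustee": TRUSTEES.get(trustee, trustee),
        })
    return aces


def diff_dacls(expected, actual):
    """Per trustee, report rights that 'actual' lacks relative to 'expected'
    and extra rights it grants. Only Allow ACEs are considered."""
    def allowed(sddl):
        out = {}
        for ace in parse_dacl(sddl):
            if ace["type"] == "Allow":
                out[ace["trustee_code"]] = out.get(ace["trustee_code"], 0) | ace["mask"]
        return out

    exp, act = allowed(expected), allowed(actual)
    report = {}
    for code in sorted(set(exp) | set(act)):
        e, a = exp.get(code, 0), act.get(code, 0)
        missing = [n for n, bit in SERVICE_RIGHTS.values() if e & bit and not a & bit]
        extra = [n for n, bit in SERVICE_RIGHTS.values() if a & bit and not e & bit]
        if missing or extra:
            report[TRUSTEES.get(code, code)] = {"missing": missing, "extra": extra}
    return report


if __name__ == "__main__":
    for label, sddl in (("working", WORKING), ("after GPO refresh", BROKEN)):
        print(f"--- {label} ---")
        for ace in parse_dacl(sddl):
            print(f"{ace['type']:5} {ace['trustee']:36} {', '.join(ace['rights'])}")
    print("--- differences (expected = working) ---")
    for trustee, d in diff_dacls(WORKING, BROKEN).items():
        print(f"{trustee}: missing={d['missing']} extra={d['extra']}")
```

Feeding the output of `sc sdshow SharedAccess` from a few machines into `diff_dacls` with the KB 892199 descriptor as the expected value is a quick way to confirm which machines have been altered, and by exactly which entries, before and after a `gpupdate /force`, rather than reading the SDDL by eye.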



sk_raja_raja



1. Click Start followed by Run...

2. Type in regedt32 and hit the enter key.

3. Locate the key HKEY_Local_MACHINE\software\classes\appid\{ce166e40-1e72-45b9-94c9-3b2050i8f180} and highlight it.

4. Click File and then Export from the File menu and export a copy of the key.

5. Make sure the key mentioned in step 3 is still highlighted and delete it.

6. Restart your computer and the Windows Firewall/Internet Connection Sharing Service should start automatically.

ASKER

Ok, deleting the reg key seems to work even after refreshing the group policy.

As a test I built a virtual PC with a fresh copy of XP with Service Pack 3 embedded (not that it really matters).  Before joining the machine to the domain the Windows Firewall service loads correctly and the SharedAccess security ID is D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

After joining the machine to the domain and the group policy has taken effect (and then rebooting), the SharedAccess security ID changes to D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU) and the Windows Firewall service fails to load.  Deleting the regkey and rebooting works.

However, I would like to understand what in my group policy is causing this problem as it clearly looks to be the culprit.  Deleting a regkey via a login script for all 300 networked machines creates another dependency for me and I would instead like to fix my group policy.

What is happening when the regkey is deleted?  I'm just trying to understand what it's doing.

Also, can someone give me any clues as to where in my domain policy that is causing the issue?

Thanks.
ASKER CERTIFIED SOLUTION
fourjohn

This solution is only available to members.