Local System permissions revoked on user-created process.

Steven Morris
Just quickly, this system is as yet unseen; I am solving hypothetically for a job I may end up inheriting. Here's what I have.

Windows 2003 cluster (2 node)
Don't know their update / antivirus policy yet
A simulator program with boot time services

A period of time after setting up, or resetting, as it has become, this user-created process (a simulator program) with Local System logon will lose its ability to authenticate (on the domain?) and hence start up. I am told the delay can be as long as 6 weeks. At this stage I can only point to Windows updates, group policy updates, some kind of group membership conflict, a registry error or PKI corruption?? But how do you explain the 6 weeks?

The only similar issue I have seen was in a cluster environment (which this is also, incidentally) where the actual clustering process would lose the ability to start up. It was then, as this is now, patched back together by resetting the password and restarting the service.


Any hints? I will update with anything new as it arrives.

Thanks a bundle.

PS: sorry about the QuickBooks zone; it was left from a previous query.
Cryptographic Engineer
Sounds like a nasty one. Nothing is really jumping out so, not jumping to any conclusions, I would consider an attacker, a virus, failing hardware, or one very interesting bug in the app software/service. Make sure everything is updated, run your scans, etc. If possible, removing one from the network for an extended period of time for testing may be desirable.

If multiple systems, hardware is less likely, but especially for kiosk-type things I've seen some pretty dumb things like encasing the box inside a solid metal frame so the guest users couldn't press any buttons or access any cords on the box itself. The problem was that there was no ventilation, which caused some major overheating issues.

All I can say is check your event logs. If nothing really jumps out, personally I would say this would be deserving of a call to the app vendor and/or Microsoft, whichever way your gut leads you.

I'll say that none of the following really makes sense, but I'll throw it out there anyway as passing thoughts.
A permissions issue where local security was removed from or denied permissions for some service. However, it doesn't make sense why it would work after boot.
6 weeks is a standard renewal period for certs. So 6 weeks before CertA expires, the client should renew its cert and start using CertB. However, the old cert should still exist and be valid after that point, which is why this doesn't make sense unless there is some kind of cleanup script that runs on the client or CA server for some insane reason. Maybe some CA policy module that revokes CertA when CertB is issued?
Normally resetting services or bouncing the box will clear out systems that are caching CertA. If this is the case, it would be weird for it to just automatically start using the new one when the old one expired; if it were a caching issue, normally it would still be hanging onto the old one.

certutil -pulse will force autoenrollment events. certutil is in the 2003 Adminpak if this is for XP or earlier.

I still wouldn't expect that type of error message from a cert, though, but due to the 6 weeks mentioned it made a little ping inside my head.
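An added diagnostic script, not part of this thread or of any vendor tooling, that checks the points the answer above raises on one cluster node: which account the service runs as, which machine certificates are inside the 6-week renewal window, whether the node can resolve the domain in DNS right now, and what the Service Control Manager has logged about the service. It assumes PowerShell is installed on the node and uses a hypothetical service name, SimulatorSvc.

```powershell
# Added example (not from the thread). Assumptions: PowerShell is available on
# the node, the simulator runs as a Windows service named 'SimulatorSvc'
# (hypothetical), and the renewal window is the answer's "6 weeks" (42 days).
param(
    [string]$ServiceName  = 'SimulatorSvc',  # hypothetical service name
    [int]   $RenewalDays  = 42,              # 6-week renewal window from the answer
    [int]   $LookbackDays = 45               # slightly more than one failure cycle
)

# 1. Logon account, state and binary path of the service.
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { Write-Warning "Service '$ServiceName' not found"; return }
"{0}: StartName={1} State={2} StartMode={3}" -f $svc.Name, $svc.StartName, $svc.State, $svc.StartMode
"  Path: $($svc.PathName)"

# 2. Machine certificates that are already inside the renewal window or expired.
#    A cert listed here with few or negative days left is the one to compare
#    against the date the service last stopped authenticating.
$now = Get-Date
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $left = ($_.NotAfter - $now).Days
    if ($left -le $RenewalDays) {
        "{0,-40} expires {1:yyyy-MM-dd} ({2} days left) thumbprint={3}" -f `
            $_.Subject, $_.NotAfter, $left, $_.Thumbprint
    }
}

# 3. Can this node resolve its domain and its own name at the moment of the check?
#    [System.Net.Dns] is used instead of Resolve-DnsName so it works on old hosts.
foreach ($name in @($env:USERDNSDOMAIN, $env:COMPUTERNAME)) {
    if (-not $name) { continue }
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        "DNS ok   : $name -> $($ips -join ', ')"
    } catch {
        "DNS FAIL : $name ($($_.Exception.Message))"
    }
}

# 4. Service Control Manager errors/warnings that mention this service.
#    Logon failures for the service account show up here with the timestamp
#    needed to line the failure up with patch, GPO or cert events.
Get-EventLog -LogName System -EntryType Error, Warning -After $now.AddDays(-$LookbackDays) `
             -Source 'Service Control Manager' |
    Where-Object { $_.Message -match [regex]::Escape($svc.DisplayName) } |
    Select-Object TimeGenerated, EventID, Message |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated shell on each node and keep the output from a healthy run so the next failure can be diffed against it.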

Steven Morris, Project Manager


Thanks for the help; they have circumvented the issue by rearranging the cluster dependencies. Turns out there is a serious DNS resolution / reliability problem. Without having been there, I'm leaning toward intermittent connection failure and bad DNS updates. All is well for now. Thanks again.
