dakota5
asked on
subinacl not changing permissions in registry
I have a server 2008 R2 and am trying to use subinacl to change permissions on some registry keys, because changing permissions within regedit is not working (giving a permission denied error). The server is in a 2008 domain, but is not a domain controller.
I'm testing subinacl on a working 2008 R2 box which does not have any errors when I use regedit to change permissions (I'm doing this to see how subinacl works on a functioning machine). I'm logged in as a domain admin.
D:\>subinacl /subkeyreg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer /grant=tester=f
SeDebugPrivilege : Access is denied.
WARNING :Unable to set SeDebugPrivilege privilege. This privilege may be required.
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer : new ace for recana-test\tester
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer : 1 change(s)
Elapsed Time: 00 00:00:00
Done: 1, Modified 1, Failed 0, Syntax errors 0
Last Done : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer
Note the SeDebugPrivilege-- access denied
And permissions are not changed in the registry.
I've read that subinacl works in server 2008.
Can anyone correct what I'm doing? I'd like to see subinacl work so I can test it on my broken machine. The broken machine has keys that can't be fixed down within the installer subkey.
If the local Admin group was but the Domain Admin group was not, then the Domain Admin group is missing from the local Admin group. By default, when any workstation or server joins a domain, the Domain Admin group is added automatically to the Local Administrators group. If your server is in this state, I'd want to investigate why.
Glad to help.
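A read-only way to check the points raised in this thread, as an added example that is not part of the original posts: whether the session has an elevated administrator token, whether that token holds SeDebugPrivilege, whether Domain Admins is a member of the local Administrators group, and whether the ACE subinacl reported is actually on the key. The key path and the `tester` account are taken from the question; the English group name `Administrators` is an assumption.

```powershell
# Added diagnostic example (not from the thread). Read-only: it changes nothing.
# Key path and account name are the ones used in the question.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer'
$account = 'tester'

# 1. Is this session running with an elevated administrator token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as {0}, elevated administrator token: {1}" -f $identity.Name, $elevated

# 2. Does the token hold SeDebugPrivilege (the privilege subinacl could not set)?
$debugPriv = whoami /priv | Select-String 'SeDebugPrivilege'
if ($debugPriv) { "Token privilege: $($debugPriv.Line.Trim())" }
else            { 'SeDebugPrivilege is not present in this token.' }

# 3. Is Domain Admins (well-known RID 512) in the local Administrators group?
#    Assumption: the group carries its English name "Administrators".
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$memberSids = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $bytes = $_.GetType().InvokeMember('objectSid', 'GetProperty', $null, $_, $null)
    (New-Object Security.Principal.SecurityIdentifier($bytes, 0)).Value
}
$hasDomainAdmins = [bool]($memberSids | Where-Object { $_ -match '^S-1-5-21-.*-512$' })
"Domain Admins in local Administrators: $hasDomainAdmins"

# 4. Did the ACE that subinacl reported actually land on the key?
$aces = (Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$account" }
if ($aces) {
    $aces | Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
} else {
    "No ACE for '$account' on $keyPath"
}
```

Running it once from the same prompt used for subinacl and once from a prompt started with "Run as administrator" shows whether the two sessions differ in elevation or privileges.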