Solved

Windows 2008 Permissions issue Local Admins

Posted on 2012-04-12
14
1,072 Views
Last Modified: 2012-04-18
example error

RUn  Regedit   > Windows cannot access the specified device, path .....etc

if i look at file permissions  it says   administrators and system have full control

my domain account is in administrtors group

but i still get access denied, if i add my name to the regedit.exe directly along side administrators  it works.


any reason why the group doesnt seem to be working?

there are GPOS applied but all Computer based none user.

windows 2008 R2
0
Comment
Question by:mhamer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 5
14 Comments
 

Author Comment

by:mhamer
ID: 37837347
essentially  If i add a a domain group to have full control  it still doesnt open the file
if i add a domain user it does open

same issue as here.
http://www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_24182131.html
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 37837446
In Windows 2008 R2, if you have User Account Control (UAC) still turned on, even if you're an administrator of the computer, you will not open programs as an administrator.  When performing the run, a pop-up box should appear.  Make sure to select Yes, as it's asking you if you want to run the program as an administrator.  Otherwise, it will run in the context of your account.  

I should also mention, since you said you have GPOs, that any GPOs applying rights could have an effect on your access to certain parts of the registry.  You may want to use the Group Policy Management console to verify your GPO settings for possible conflicts.
0
 

Author Comment

by:mhamer
ID: 37837614
this is just affceting the fies secured by GPO
eg

%systemroot\regedit.exe
and administrators and system have full control


If i add my name here too i can open the file

dont seem to be any conflicts (rsop)
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 7

Expert Comment

by:Minoru7
ID: 37837638
Are you using UAC?  If not, have you rebooted since you turned it off?  See the following as an example:  http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/86e2f00b-ecff-4eb7-820f-5c65bab19760/.
0
 

Author Comment

by:mhamer
ID: 37838071
Hi, Minoru

Rebooting  fixed it  thankk you.

but now in a mini dilema, I dont want UAC off or disabled

should I have to turn this off in order to set permissions via GPO???
0
 

Author Comment

by:mhamer
ID: 37838214
Also noticed that files that do work have TRUSTEDINSTALLER as an account with rights

but i cant add this to any where  (can you?)
0
 
LVL 7

Accepted Solution

by:
Minoru7 earned 500 total points
ID: 37838269
You shouldn't have to have UAC turned off to apply GPOs.  On my servers, I run UAC in the second slider position up, which gives the pop-up message, but doesn't blank out the screen.  Keep in mind that if you change UAC to this position, make sure to reboot again or you'll be back into the same scenario you were before.  You shouldn't need to touch the TRUSTEDINSTALLER account.  That's a built-in system account like the NETWORK account or SYSTEM account.
0
 

Author Comment

by:mhamer
ID: 37839844
ok only way i can resolve at preent is

a: disable UAC
b: add servername\Users group to file permissions (no other groups work)
c: add an individual name

security on the file regedit.exe is servername\administrators   |   System   |TrustedInstaller all full control.

we dont have this on WIn7 so ill try match up the policys in play in win7 see if there are any diffrences  but it does seem odd.
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 37839887
0
 

Author Comment

by:mhamer
ID: 37855049
hi, i agree with what the lnk suggests   but it is talking about normal files and folders

I dont think changing ownership of all system files is a resonable fix  (or is it?)
0
 

Author Comment

by:mhamer
ID: 37856810
Also another bit of info

Adding.  Built in local users group.   Servername\users

Makes it work

Even if I remove all members of this group!



Which makes me think it's by design.


But does that ring true with anyone?
0
 
LVL 7

Expert Comment

by:Minoru7
ID: 37857152
Are you saying that the local users group hasn't been given rights to the regedit file?  By default, it should have <localcomputer>\Users as having Read & Execute and Read.  Same goes for local administrators and SYSTEM.  Domain users are local users by default, so they will inherit those rights.  Domain admins are local admins by default, so they will inherit those rights.  The Windows directory should have local Users with Read & Execute, List folder contents, and Read.
0
 

Author Comment

by:mhamer
ID: 37858381
yep thats what im saying

the security clamp policy  changes rights to files to  local\administrators and system

users is removed

by the fact domain users is in local\users   is that not saying all users have rights to the file?



I didnt create the policy by the way sent in by th esecuirty chaps.


just couldnt understand the behaviour
0
 

Author Comment

by:mhamer
ID: 37858405
you got the point's ages ago by the way :-)  just cant see any "microsoft" blurb as to why you cant do what they  did , as there pushing for a resolution rather than "the policy is wrong"
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question