Ben Conner asked:
Regaining full control for Administrator over C: drive in Windows 2008 R2

Hi,

I have a test system that is a clone of a production server.  I logged in as the local administrator and tried to clear the event logs (saving them first to the c: drive).  Found out I don't have permission to do that, even though this account is a member of Administrators.  

Bringing up the security properties of the c: drive, it shows Administrators (<machine name>\Administrators) has full control over the drive.

Running a simple test (copy con test.txt) from a command prompt on the c:\ drive does work.  Trying to save any log file does not (Event Viewer could not clear the log.  The following error occurred: Access is denied).

And from the security event log...

A network share object was checked to see whether client can be granted desired access.
      
Subject:
      Security ID:            PRODIISCLONE\Administrator
      Account Name:            Administrator
      Account Domain:            PRODIISCLONE
      Logon ID:            0x9916e6e

Network Information:      
      Object Type:            File
      Source Address:            ::1
      Source Port:            54674
      
Share Information:
      Share Name:            \\*\C
      Share Path:            \??\C:\
      Relative Target Name:      security1.evtx

Access Request Information:
      Access Mask:            0x120196
      Accesses:            READ_CONTROL
                        SYNCHRONIZE
                        WriteData (or AddFile)
                        AppendData (or AddSubdirectory or CreatePipeInstance)
                        WriteEA
                        ReadAttributes
                        WriteAttributes
                        
Access Check Results:
      READ_CONTROL:      Granted by Ownership
      SYNCHRONIZE:      Granted by      D:(A;;0x1200a9;;;WD)
      WriteData (or AddFile):      Not granted
      AppendData (or AddSubdirectory or CreatePipeInstance):      Not granted
      WriteEA:      Not granted
      ReadAttributes:      Granted by      D:(A;;0x1200a9;;;WD)
      WriteAttributes:      Not granted
                        
I was able to save the event logs to the d: drive.
Snapshot of permissions for the 2 drives is attached.

Any ideas?  Thanks!

--Ben
Attachment: cdrive.JPG
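The access check in the event above, reproduced as an added example (not code from the original post): it decodes the requested mask 0x120196, parses the one ACE the event reports, D:(A;;0x1200a9;;;WD), and emits the same per-right verdicts. The trustee set {WD} (Everyone) and the ownership flag are assumptions read off the event's own "Granted by" lines; the event lists no ACE for Administrators at all, which is why every write-class right comes back "Not granted".

```python
import re

# Windows file access-right bits (winnt.h), named as event 5145 prints them.
FILE_RIGHTS = {
    0x000001: "ReadData (or ListDirectory)",
    0x000002: "WriteData (or AddFile)",
    0x000004: "AppendData (or AddSubdirectory or CreatePipeInstance)",
    0x000008: "ReadEA",
    0x000010: "WriteEA",
    0x000020: "Execute/Traverse",
    0x000080: "ReadAttributes",
    0x000100: "WriteAttributes",
    0x020000: "READ_CONTROL",
    0x100000: "SYNCHRONIZE",
}
# SDDL ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\(([AD]);([^;]*);(0x[0-9A-Fa-f]+);([^;]*);([^;]*);([^)]+)\)")

def decode_mask(mask):
    """Names of the rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(FILE_RIGHTS.items()) if mask & bit]

def parse_dacl(sddl):
    """(type, mask, trustee) per ACE after 'D:'; hex rights only, as 5145 prints."""
    dacl = sddl.split("D:", 1)[1]
    return [(t, int(m, 16), sid) for t, _f, m, _g, _ig, sid in ACE_RE.findall(dacl)]

def access_check(requested, sddl, token_sids, is_owner=False):
    """Verdict per requested right as event 5145 reports it: the owner always gets
    READ_CONTROL; otherwise the first ACE naming a token SID and covering the bit decides."""
    verdicts = {}
    for bit, name in sorted(FILE_RIGHTS.items()):
        if not requested & bit:
            continue
        verdict = "Not granted"
        if is_owner and bit == 0x020000:
            verdict = "Granted by Ownership"
        else:
            for ace_type, mask, sid in parse_dacl(sddl):
                if sid in token_sids and mask & bit:
                    word = "Granted" if ace_type == "A" else "Denied"
                    verdict = "%s by D:(%s;;0x%x;;;%s)" % (word, ace_type, mask, sid)
                    break
        verdicts[name] = verdict
    return verdicts

if __name__ == "__main__":
    # Mask, DACL, trustee set (Everyone = WD) and ownership: assumed from the event above.
    for right, verdict in access_check(0x120196, "D:(A;;0x1200a9;;;WD)", {"WD"}, True).items():
        print("%-55s %s" % (right, verdict))
```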
Tom Cieslik:

Try disabling UAC in control panel / users and try again.

Ben Conner (asker):
Hi Tom,

Sorry, don't do this very often. UAC is...?  Am in the User Accounts section now in the control panel.

--Ben
UAC... User Account Control.

If this does not help, then try running Event Viewer as Administrator.

Got it.  Needs to reboot after that update...doing that now.
Server rebooted, logged in as the local administrator, launched Event Viewer as administrator, then tried to save/clear the Security log to c:\security.evtx.  No change.

--Ben
Try a different path, since the C: root folder is protected.

Create a TEMP folder on C: and try saving there.
ASKER CERTIFIED SOLUTION
David Johnson, CD

Hm.  I was able to execute the command copy con c:\test from a command window and typed in a test line.  ?
The Windows Event Log service does not run as an administrator but as Local Service.
Oh!  Doh.. :)
Ok, tried saving to c:\temp and got the same thing.
Hi Tom

That article is about reading the event log, not writing it. I can read the event log(s) without issue.  How would this help?
It is not about writing the event log. It is about writing any file, it seems.
Found out a few days ago the client killed the project this was related to.  Unfortunately I had to back out of it, so it is now their issue if they want to pursue it.   I don't have access to that server now.  Thanks to all who lent a hand on this one!

--Ben
Thanks for no credit as an assisted solution.