Re: Win2k3 patches failed - secpol wont let me modify privs

 
 
Ace Fekay [MVP-DS, MCT]
      03-10-2010
"kabbott via WinServerKB.com" <u56473@uwe> wrote in message news:a4cf19c75f842@uwe...


> Hi,
>
> I found this reported fix on another forum. I'm not sure what it does and I
> don't want to indiscriminately put it on my domain controller. Is anyone
> familiar with this? Are these safe settings to apply?
>
> Thanks for your input.
> K
>
> For all you people out there still having this problem (like I did recently),
> here's the fix!
> Just put this in a BAT file:
>

<snipped>

Kabbott,

Did you or anyone else ever remove the Everyone group from the C: drive, or the Windows folder, possibly to increase security or for some other means?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
 
Ace Fekay [MVP-DS, MCT]
      03-11-2010
"kabbott via WinServerKB.com" <u56473@uwe> wrote in message news:a4d2eb9c67fb8@uwe...
> Hi Ace,
>
> Here's an update.
>
> At a suggestion from the nice folk at Minasi.com, I did a whoami /priv and
> /group on the account I was using.
>
> The results seemed like the account was lacking a lot of privs to me, it only
> showed enabled privs for
>
> SeChangeNotifyPrivilege Bypass traverse checking Enabled
> SeImpersonatePrivilege Impersonate a client after authentication Enabled
> SeCreateGlobalPrivilege Create global objects Enabled
>
> even though it was a member of domain admins and enterprise admins.
>
> For giggles I logged into a domain admin account that had been created on
> that domain, rather than one that had been migrated from our NT domain and
> given domain admin privs. I attempted to apply patches and this time it was
> SUCCESSFUL! And, I tried creating a GPO, and that was successful as well!
>
> However when I ran WhoAmI /Priv, it showed the same privs as the other
> account had!
>
> Does anyone know why this would be?
>
> thx,
> K


Keith, it sounds like the migrated account may not have all the attributes associated with it that a newly created account has. I guess that could have been due to errors during the migration, but I can't specifically say. I have seen that once in the past, and confirmed it when I exported the account attributes to a CSV file using CSVDE and compared the two. To fix that issue, I had to delete the bad one and recreate it, then export the attributes and compare them; then it worked.

Maybe someone else can comment on that.

Ace
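
The CSVDE comparison described in the reply above, as an added example that is not part of the original thread: a Python script that diffs two accounts from one CSVDE export, attribute by attribute. The account names, the `example.test` domain, the sample rows and the `IGNORE` list are constructed assumptions; it also assumes CSVDE's usual layout of semicolon-separated multi-valued cells and `X'..'` binary values.

```python
import csv
import io

# Export both accounts first (account names are placeholders):
#   csvde -f accounts.csv -r "(|(sAMAccountName=migadmin)(sAMAccountName=newadmin))"

# Attributes that differ between any two accounts and say nothing about
# migration damage (assumed list; extend it for your directory).
IGNORE = {"dn", "cn", "name", "displayname", "samaccountname", "userprincipalname",
          "objectguid", "objectsid", "whencreated", "whenchanged",
          "usncreated", "usnchanged", "pwdlastset", "lastlogon"}

# Constructed sample in CSVDE layout: header of attribute names, one row per object.
SAMPLE = '''DN,objectClass,sAMAccountName,memberOf,adminCount,userAccountControl,sIDHistory
"CN=Mig Admin,CN=Users,DC=example,DC=test",top;person;organizationalPerson;user,migadmin,"CN=Enterprise Admins,CN=Users,DC=example,DC=test;CN=Domain Admins,CN=Users,DC=example,DC=test",,512,X'0105'
"CN=New Admin,CN=Users,DC=example,DC=test",top;person;organizationalPerson;user,newadmin,"CN=Domain Admins,CN=Users,DC=example,DC=test;CN=Enterprise Admins,CN=Users,DC=example,DC=test",1,512,
'''

def load_accounts(text):
    """Map sAMAccountName -> {attribute: frozenset(values)}, skipping empty cells."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        attrs = {k.lower(): frozenset(v.split(";"))  # multi-valued cells use ';'
                 for k, v in row.items() if k and v}
        accounts[row["sAMAccountName"].lower()] = attrs
    return accounts

def diff_accounts(accounts, a, b, ignore=IGNORE):
    """Return {attribute: (values only on a, values only on b)} for real differences."""
    result = {}
    for attr in sorted((set(accounts[a]) | set(accounts[b])) - ignore):
        va = accounts[a].get(attr, frozenset())
        vb = accounts[b].get(attr, frozenset())
        if va != vb:  # set comparison, so value order in the export is irrelevant
            result[attr] = (sorted(va - vb), sorted(vb - va))
    return result

if __name__ == "__main__":
    found = diff_accounts(load_accounts(SAMPLE), "migadmin", "newadmin")
    for attr, (only_a, only_b) in found.items():
        print(f"{attr}: migadmin only={only_a} newadmin only={only_b}")
```

Attributes present on only one account show up with an empty list on the other side, which is the kind of gap a side-by-side read of the CSV tends to miss.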


