DOCUMENT:Q185951 09-AUG-2001 [winnt] TITLE :Security Fix Prevents Account Operators from Managing Accounts PRODUCT :Microsoft Windows NT PROD/VER:WinNT:4.0 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Server version 4.0 - Microsoft Windows NT Workstation version 4.0 ------------------------------------------------------------------------------- IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information on how to do this, view the "Restoring the Registry" online Help topic in Regedit.exe or the "Restoring a Registry Key" online Help topic in Regedt32.exe. SYMPTOMS ======== After you install the Red Button security fix that was posted to Microsoft's FTP site, Account Operators are no longer able to administer domain accounts. When you attempt to access User Manager for Domains from any computer other than the primary domain controller (PDC), you get the following error message: Access Denied. Do you want to select another domain to administer? MORE INFORMATION ================ The hotfix corrected the issue of users without administrative privileges being able to access the registry. The hotfix consisted of the executable Secfix_i.exe for Intel-based computers, and Secfix-a.exe for Alpha computers. The fix is installed by double-clicking the executable file. The installation created an $NtUninstallSecurityFix$ directory that contained the following files: Lsasrv.dll Msv1_0.dll Netui1.dll Netui2.dll Srv.sys Srvsvc Uninst.inf Although this directory was created, there is no way to uninstall the hotfix. RESOLUTION ========== WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" online Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" online Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. To restore the Accounts Operator's ability to manage domain accounts from machines other than the PDC, give Read privileges to the following registry key on the PDC: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers \winreg NOTE: The above registry key is one path; it has been wrapped for readability. This problem is also corrected by installing Service Pack 3. Additional query words: SP3 ====================================================================== Keywords : Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 Version : WinNT:4.0 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.