Access Denied When Trying to Add ACL Entries (157475)
The information in this article applies to:
- Microsoft Windows NT Workstation 3.51
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows NT Server 3.51
- Microsoft Windows NT Server 4.0
This article was previously published under Q157475
IMPORTANT: This article contains information about editing the registry.
Before you edit the registry, make sure you understand how to restore it
if a problem occurs. For information about how to do this, view the
"Restoring the Registry" Help topic in Regedit.exe or the "Restoring a
Registry Key" Help topic in Regedt32.exe.
SYMPTOMS
Normally you can modify the security of an object where you have the
Change Permissions right or when you own the object. However, after you
apply Windows NT 4.0 Service Pack 3 or the Windows NT 3.51 SEC-FIX, you
may receive the following error message when you attempt to add entries to
Access Control Lists (ACL):
Access Denied
NOTE: You can successfully add entries with the Windows NT Cacls.exe
utility. For additional information on SEC-FIX, click the article number below
to view the article in the Microsoft Knowledge Base:
143474 Restricting Information Available to Anonymous Logon Users
CAUSE
You receive the above error message because Windows NT ACL editor cannot
determine the product type of the server.
RESOLUTION
WARNING: Using Registry Editor incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from the incorrect use of Registry
Editor can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys
And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and
Delete Information in the Registry" and "Edit Registry Data" Help topics
in Regedt32.exe. Note that you should back up the registry before you edit
it.
- Run Registry Editor (Regedt32.exe).
- Go to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
SecurePipeServers\winreg\AllowedPat
NOTE: The above registry key is one path; it has been wrapped for
readability.
- Click Machine, and then on the Edit menu, click Multi String.
- Add the following:
System\CurrentControlSet\Control\ProductOptio - Click OK and then quit Registry Editor.
- Shut down and restart Windows NT.
You can also resolve this problem by granting the user (or a group the
user is a member of) access to the winreg key. For additional information on the winreg key, click the article number below
to view the article in the Microsoft Knowledge Base:
153183 How to Restrict Access to NT Registry from a Remote Computer
MORE INFORMATION
The ACL editor must know what entries to place into the list of available
domains. Domain controllers (ProductType LanManNT) do not have their own
machine name in the list of domains, while member servers and Windows NT
workstations (ServerNT and Winnt) do. The ACL editor tries to find out
about the domain role of the remote server by accessing the ProductType
value from the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
SEC-FIX restricts registry access to the users listed in the ACL for the
following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winr
If you do not have access to this key, you are only permitted to access
the
registry keys listed in the AllowedPaths\Machine value in the winreg key.
If the ProductOptions key is not listed under AllowedPaths\Machine, users
trying to add ACLs on remote servers might receive an Access Denied error
message.
| Modification Type: | Major | Last Reviewed: | 8/9/2001 |
|---|
| Keywords: | kbenv KB157475 |
|---|
|