Policy Changing System Service Permissions Does Not Apply (257247)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server
This article was previously published under Q257247
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

When you implement service security settings in Group Policy, the Everyone group is granted Full Control by default. You may not want this setting for security purposes, however, when you use computer-based Group Policy to change permissions, the policy may not be applied and there is no way to change permissions on the service.

After you refresh the policy with Secedit or by restarting the computer, the following problems may occur:
  • The computer does not start automatically at startup.
  • The computer is listed, but every other field is blank.
  • The incorrect settings that are applied cannot be reversed through a policy or any other means.

CAUSE

This behavior occurs because the system account or the service account configured for the service is not granted Full Control of the service.

RESOLUTION

To resolve this problem, use the following steps to remove the security on the service.

NOTE: Before you use the following steps, you must configure the Group Policy Object (GPO) correctly. To correctly configure a Group Policy to set a permission on a system service, refer to the following Microsoft Knowledge Base article:

256345 Configuring Group Policies to Set Security for System Services

Steps to Reset Permissions to Allow Policy Application

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
  1. Start Registry Editor (click Start, click Run, type regedt32, and then click OK).
  2. Locate the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\"Service"\Security

  3. Delete the Security key to reset the permissions on the service.
  4. Restart the computer.

STATUS

Microsoft has confirmed this to be a problem in Microsoft Windows 2000.
Modification Type:MajorLast Reviewed:12/3/2003
Keywords:kbenv kbprb KB257247
©2003 Microsoft Corporation. All rights reserved.