HOW TO: Prevent Windows 2000 Upgrade from Modifying Custom Security (260242)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q260242

SUMMARY

The Windows 2000 upgrade process applies Windows 2000 default security settings to registry keys and file system objects. This process overwrites any custom permissions that you previously defined. If the Windows 2000 default security settings are in conflict with custom permissions, programs that rely on the custom permissions may not work properly.

Windows 2000 uses the following security templates to apply security settings during the upgrade process:
  • Dwup.inf (for Windows 2000 Professional upgrades)
  • Dsup.inf (for Windows 2000 Server upgrades)


Modifying Templates


To prevent the upgrade process from modifying custom security settings, you can modify these text-based templates so that they ignore the specific folders, files, or registry keys that contain custom security settings. Use the following steps:
  1. Copy the appropriate template file (Dwup.inf or Dsup.inf) from your Windows 2000 distribution share into the %WinDir%\Security\Templates folder on your local computer.
  2. Start Microsoft Management Console (click Start, click Run, type mmc.exe, and then click OK).
  3. From the Console menu, click Add/Remove Snap-in, click Add, click Security Templates, click Add, click Close, and then click OK.
  4. To open the template file you want to modify, expand the Security Templates node, expand the %WinDir%\Security\Templates folder, and then expand the appropriate template file (Dwup.inf or Dsup.inf).
  5. Click the security area that you want to modify (Registry or File System).
  6. In the result pane, a list of all of the registry keys or file system objects configured by the default upgrade template is displayed. Determine whether or not the object you want the upgrade to ignore is explicitly configured by the template, and then use the appropriate steps:

    If the object you want the upgrade to ignore is not explicitly configured by the upgrade template, you must add it using the following steps:

    1. Right-click Registry or File System, and then click Add Key or Add File.
    2. Browse the dialog box to select the key or file system object you want to protect (for example, Machine\Software\MyISV). If the key, folder, or file does not exist on your computer, you can type the path to the object in the available box.
    3. Click OK to start the Access Control List (ACL) editor.
    4. Click OK again to accept the default security provided by the ACL editor.
    5. Click Do not allow permissions on this key\file to be replaced.
    6. Click OK to add the object to the template, and then go to step 7.
    If the object you want the upgrade to ignore is already explicitly configured in the upgrade template, modify it using the following steps:

    1. In the result pane, double-click the object you want to protect.
    2. Click Do not allow permissions on this key\file to be replaced, click OK, and then go to step 7.
  7. In the result pane, the object you want the upgrade to ignore should now be listed with the Ignore property shown under both the permission and audit columns. Right-click the name of the template, and then click Save.
  8. Copy the modified template back to the distribution share.
Future upgrades from this distribution share will not configure the ignored objects with Windows 2000 default settings.
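Before copying the modified template back to the distribution share in step 8, you can check the saved file itself. The following is an added example, not part of the original article: it assumes the standard security template INF layout, which the article does not spell out ([Registry Keys] and [File Security] sections whose entries have the form "path",mode,"SDDL", where mode 1 means Ignore). The function names and the sample template text are constructed for illustration.

```python
import csv
import io

# Mode field of an object entry in a security template (assumed layout,
# not described in the article): 0 = propagate, 1 = ignore, 2 = replace.
MODES = {0: "propagate", 1: "ignore", 2: "replace"}
SECTIONS = {"registry keys", "file security"}


def object_modes(inf_text):
    """Return {lowercased object path: mode} for the object sections."""
    modes, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section not in SECTIONS:
            continue
        # Entry form: "path",mode,"SDDL"; csv handles commas inside quotes.
        fields = next(csv.reader(io.StringIO(line), skipinitialspace=True))
        if len(fields) >= 2 and fields[1].strip().isdigit():
            modes[fields[0].strip().lower()] = int(fields[1])
    return modes


def not_ignored(inf_text, protected):
    """List protected objects the template would still reconfigure."""
    modes = object_modes(inf_text)
    problems = []
    for path in protected:
        mode = modes.get(path.lower())
        if mode is None:
            problems.append((path, "missing"))
        elif mode != 1:
            problems.append((path, MODES.get(mode, "unknown")))
    return problems


# Constructed sample template fragment (not taken from a real Dwup.inf).
SAMPLE = r'''
[Registry Keys]
"MACHINE\SOFTWARE\MyISV",1,"D:AR"
"MACHINE\SOFTWARE\Classes",2,"D:P(A;CI;GA;;;BA)"
[File Security]
"%SystemDrive%\MyApp",0,"D:P(A;OICI;FA;;;BA)"
'''
```

An empty list from not_ignored means every object you named is present in the template and marked Ignore; an entry reported as "missing" still has to be added as described in step 6.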



Modification Type: Major
Last Reviewed: 2/9/2006
Keywords:kbenv kbhowto kbHOWTOmaster KB260242 kbAudITPro