Creator/Owner Rights Are Removed by Policy Editor (311444)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Datacenter Server SP2
This article was previously published under Q311444 SYMPTOMS When you edit a file or registry security policy by using
Policy Editor or the Security Template Editor snap-in, rights may be granted or
denied to the creator/owner. If the Applies to option is set
to This folder, subfolders, and files or This key and
subkeys, it is reset to Subfolders and files only or
Subkeys only when you confirm the changes by clicking Apply or OK. This can result in the loss of previously granted or
denied rights, and may cause services or programs not to work. For example,
changing the default permission on the following registry key as defined in the
Basicdc.inf file causes the installation of Windows 2000 Service Pack 2 (SP2)
not to succeed: MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security RESOLUTIONTo resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
WORKAROUND To work around this problem, use Notepad to modify the
security template and set the correct permission for the creator/owner. For
example, to set the permission on MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security to the default settings as defined in the Basicdc.inf file,
modify the following line from MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security",2,"D:PAR(A;CI;KR;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY) to the following: MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security",2,"D:P(A;CI;GR;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO) Note that modifying the template directly risks losing the
settings each time someone edits the template by using the Security Template
Editor snap-in. Therefore, Microsoft recommends that you set the right
explicitly for the corresponding user in Policy Editor. In the example in this
article, this would require granting Full Control permissions to the
administrator. STATUSMicrosoft
has confirmed that this is a problem in the Microsoft products that are listed
at the beginning of this article.
This problem was first corrected in Microsoft Windows 2000 Service Pack 4.
| Modification Type: | Minor | Last Reviewed: | 9/26/2005 |
|---|
| Keywords: | kbHotfixServer kbQFE kbSecurity kbWin2kSP4fix kbbug kbfix kbGRPPOLICYprob kbSysAdmin KB311444 |
|---|
|