2008 sets incorrect security on systemroot on DCs in root domain

-

i'm having consistent problem attempts upgrade dcs of root domain server 2008. dcpromo setting incorrect acls way down windows folder on server 2008 try promote, and any existing 2003 dc upgraded 2008 ends same way.

for example on system32 get:

authenticated users    read & execute    this folder, subfolders , files
server operators        modify                    this folder, subfolders , files
administrators             full control            this folder, subfolders , files
system                        full control            this folder, subfolders , files
trustedinstaller           special                   this folder only
creator owner        special                    subfolders , files only

whereas should be:

trustedinstaller            special                    this folder , subfolders
system                        special                    this folder only
system                        special                    subfolders , files only
administrators               special                    this folder only
administrators                special                    subfolders , files only
users                            read & execute        this folder, subfolders , files
creator owner            special                    subfolders , files only

which before dcpromo on clean installation.

most folders, not all, beneath inheriting, when shouldn't be.

this stopping services starting - annoyingly event viewer service doesn't have permission on winevt folder (server operators do). permissions cryptography service, diagnostic policy service, network service , whole list of others missing appropriate folders.

this has happened 32-bit , 64-bit upgrades of existing windows server 2003 r2 sp2 dcs , clean build of server 2008 dcpromoed. in case of clean build acls correct before dcpromo , wrong afterwards.

the root domain windows server 2003 native. there haven't been windows 2000s years.

forestprep , domainprep went without error. schema object version 44 (correct server 2008).

it not seem related fsmo role.

what i'm getting looks strange mix of server 2003 , server 2008 acls.

however, 2 child domains have had domain controllers upgraded without problem. acls correct. happening in root.

on 1 occasion tried obscenely long manual edit, resetting acls in comparison 1 of successful dcs in 1 of child domains. sadly reset old acls within few hours.

so, can tell me how happening? original default dc ace setting list used dcpromo kept? weird list of aces coming from? why can't rid of it? why in 1 domain?



answer own question: ntfs settings coming default domain controllers policy of root domain. 6 years ago, microsoft default domain controllers security template applied fix problem caused tool messed file system permissions of domain controller. 6 years later along comes windows server 2008 new set of permissions...

which means used either microsoft's default security templates or high security templates domain controllers (both seems withdrawn) needs clear them out before windows server 2008 upgrade.


Windows Server  >  Directory Services



Comments

Post a Comment

Popular posts from this blog

Cannot access Anywhere Access using domain name?

-
after installing anywhere access in windows server 2012 essentials r2, cannot use anywhere access using setup domain name in wizard such remote.mydomain.com? if enter public ip address, example, 72.2.34.5 works. before set anywhere access, created a record pointing public address...pinged , worked...so not sure doing wrong?  is wizard supposed create record etc , make remote.mydomain.com work? if enter public ip address while on lan, takes me router webpage.  shouldn't work on lan if accessed via public ip? thank you, tim. the wizard can configure remote.microsoft_names.com  remote.remotewebaccess.com but cannot configure domains purchased outside wizard.  depends on how domain configured if wildcard.yourdomain.com should work  if try ping remote.your_domain.com afar , not give proper  public ip, need add record mariette said. much have record domain.com www.domain.com , if have website somewhere else www.domain.com , need re...
Read more

server manager error: ADAM.events.xml could not be enumerated.

-
firewall off isnt it. rerun ldap wizard:?  why?  will screw exchange server running on machine?  ldap wizard asks questions don't understand. please dont send generic links to: http://social.technet.microsoft.com/wiki/contents/articles/13444.windows-server-2012-server-manager-troubleshooting-guide-part-ii-troubleshoot-manageability-status-errors-in-server-manager.aspx thanks, john hi john, >> ok. server manager app. these questions refer this. nothing else 2.  do need create app dir or not?  this server manager, shouldnt done? (why did break in first place?) how check if app dir exists server manager or not. 3.  if "lightweight" implementation of anything, sure hate see "heavyweight" version. the waring events can't enumerated. , cause not completing configuration of ad lds. ad lds not related server manager. used provide flexible support directory-enabled applications. if not implementing such application...
Read more

send messages to users

-
i have domain server windows 2000 sp4. my clients using win xp , win 98. when send messages computer management-shared folders-rightclick-all task-send message connected users, message received clients using winxp but not in  win 98 .how send them without winpopup  , net meeting. this forum windows server 2008.   check messenger service running on win98-clients. (haven't seen win 98 in while might not available...) Windows Server  >  Directory Services
Read more