Wednesday, December 31, 2008

Win2K Registry Permission Fix

Learned something today about a useful tool to reset permissions on a Windows 2000 Server. I'm working with a Domain Controller, so Special Instructions Apply, but this also works with other flavors of 2000. Don't know about other versions of Windows, not my problem at this moment.

M$ kinda buggered up the instructions and setup for doing this on a DC, so here is my all-in-one instruction. Note: ONLY ATTEMPT THIS IF YOU ARE HAVING PERMISSION PROBLEMS AND ONLY IF YOU HAVE A VERIFIED FULL SYSTEM BACKUP. THIS COULD LEAVE YOUR DOMAIN CONTROLLER UNABLE TO BOOT!!!

1. Find your sysvol folder path by typing net share sysvol at the command prompt. Usually the path is "c:\winnt\sysvol\sysvol"; make note of yours.

2. Find your DSLOG path by opening regedit and going to HKLM\System\CurrentControlSet\Services\NTDS\Parameters and recording what you find under "Database log files path"; this is usually c:\winnt\ntds.

3. Find your DSDIT path in HKLM\System\CurrentControlSet\Services\NTDS\Parameters under "DSA working directory"; usually c:\winnt\ntds.

DO NOT GUESS AT THESE PARAMETERS!!

4. Now we need to set the variables: assuming that you have the same data as I do, you will go to the command prompt and type:

set SYSVOL=c:\winnt\sysvol

[note: we left off the ending "sysvol", that is correct]

set DSLOG=c:\winnt\ntds

set DSDIT=c:\winnt\ntds

5. Open the MMC; since we are sitting at the command prompt just type MMC and hit "enter".

6. On the "Console" menu click "Add/Remove Snap-in".

7. Click "Add", and then double-click "Security Configuration and Analysis".

8. Click "Close", "OK".

9. Right-click "Security Configuration and Analysis", then click "Open Database". Create a new database file; you can name it whatever you want. I used my name. You will then be prompted to import a security template.

10. In the "Look in" list browse to c:\winnt\inf\. Select Defltdc.inf.

11. After you import the template, follow the directions in the right pane to configure the computer with the security settings in the template.

If you are not working with a Domain Controller, you will skip steps 1-4 and start with step 5. In step 10 you will select, depending on what you are working with:

Defltwk.inf = Windows 2000 Professional
Defltsv.inf = Windows 2000 Server
Defltdc.inf = Windows 2000 Server Domain Controller
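
A pre-flight check for steps 1-4, as an added example that is not part of the original post or of any Microsoft tool: it lists the variables a template's file paths depend on and flags the two easy mistakes, a variable left unset and SYSVOL set to the full share path instead of its parent. It assumes the template references the variables as %NAME% in its [File Security] paths; the sample template text and the function names are made up for illustration.

```python
import ntpath
import re

# Added example: helper names are hypothetical, not part of any Microsoft tool.
# Constructed sample in security-template format ("path",mode,"SDDL"); it is
# NOT the contents of the real Defltdc.inf, only the same shape.
SAMPLE_TEMPLATE = r'''
[Version]
signature="$CHICAGO$"
[File Security]
"%SystemRoot%",2,"D:P(A;CIOI;GA;;;SY)"
"%SYSVOL%\sysvol",2,"D:P(A;CIOI;GA;;;SY)"
"%DSDIT%",2,"D:P(A;CIOI;GA;;;SY)"
"%DSLOG%",2,"D:P(A;CIOI;GA;;;SY)"
'''

VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def _norm(path):
    # Windows paths compare case-insensitively; ignore a trailing backslash.
    return ntpath.normcase(path).rstrip("\\")


def referenced_vars(template_text):
    """Return the set of %VAR% names used in [File Security] paths."""
    names, section = set(), None
    for line in template_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "file security" and line:
            path = line.split(",", 1)[0]
            names.update(m.upper() for m in VAR_RE.findall(path))
    return names


def preflight(template_text, env, sysvol_share):
    """List problems to fix before importing the template (empty = OK)."""
    env = {k.upper(): v for k, v in env.items()}
    problems = [f"{name} is not set"
                for name in sorted(referenced_vars(template_text))
                if not env.get(name)]
    sysvol = env.get("SYSVOL")
    if sysvol and _norm(sysvol) != _norm(ntpath.dirname(_norm(sysvol_share))):
        problems.append("SYSVOL must be the parent of the 'net share sysvol' path")
    return problems
```

Pass it the text of the template you are about to import, the variables as you set them in step 4, and the path reported by net share sysvol in step 1.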

Note that although this did fix the registry permissions problems I was having, it did not fix my inability to install a program, so I will be looking further.

Hours Later

I got everything going. I'm not entirely clear what happened. I was under the impression that following the above process would restore both Registry AND File permissions. Maybe it did. But the "System" and "Service" accounts had NO permissions in "Winnt" or "Program Files". Once I gave them full perms then everything started working correctly. I'm very glad; I thought I was going to put in 48 hours of work to rebuild everything, looks like it's cleaned up after about 8 hours. Not too bad. I still need to rebuild this server, but it can now wait until the new hardware is here and installed.
