Fix/replace corrupted XP user that can't use WMI

Tony Gravagno

Multipart inquiry:
1)
I have a user ID with admin privs that I use for one specific purpose.
It is used to load an ASP page that then kicks off background tasks
via WMI - those tasks run under this user and it's easy to manage them
later. This application works well and is in use in dozens of sites.
Yesterday it suddenly stopped working when I was doing some
diagnostics; I have no idea what I did. After narrowing everything
down to a lack of permissions to run a process via WMI or shell, it
turns out it's just that user ID that doesn't work anymore. I can
easily use a different user but this ID name is used in various places
in the application and it's just a pain to change references. I
understand I can't delete the user ID and then recreate it using the
same name, but somehow I'd like to reset the registry or whatever
config area has been corrupted. Any ideas about what happened in the
first place or how I can reset/recover this user?


2)
In a larger sense I'm now concerned about the possibility that some
other user like "administrator" or another primary admin ID might get
similarly corrupted. What can I do to check the state of this system
to provide some assurance that there isn't some general corruption?
I've had to do surgery on fubar registries before, I'd really rather
lose teeth.

3)
As one of the permissions tests to see what happened, we set the DTC
Coordinator service, RPC, and WMI to logon as Local System rather than
as "NT AUTHORITY\NetworkService". It all still seems to work fine but
I'm not sure what the ramifications are. Comments? This is NOT my
area of expertise so please go easy on me. ;)

Thanks!
 
Guest

What's wrong with the user ID? Can you log into Windows as that user ID? Do
you get an error message when you try? If you can log into Windows as that
user, can you load that ASP page and see if there are any more verbose error
messages, to get clues? Are there any error messages in any of the Windows
event logs, including the security log? What if you run regmon, filemon and
Process Explorer [especially the last one] from www.sysinternals.com while
you try an unsuccessful task launch as this user? I assume that script works
if you try running it as a different admin user? Is there any chance that
account needs to authenticate to remote systems, and it's locked out or the
password has changed on either the local or remote system?
 
Tony Gravagno

Follow-up: Per my concern #2, one of my other users in the admin group
is no longer recognized as being in that group when I try to start a
WMI process. I'm concerned that every time I use an ID for WMI and
then reboot I'm going to lose privs for my IDs.

Has anyone seen this? What kind of diagnostics can I do to figure out
why user IDs are suddenly no longer recognized as being admins when
the configuration clearly shows they are?

I'm really concerned that there is some general registry corruption
going on here and at some point I may lose my primary admin user IDs.

Thanks.
 
Karl Levinson

Tony Gravagno said:
Follow-up: Per my concern #2, one of my other users in the admin group
is no longer recognized as being in that group when I try to start a
WMI process. I'm concerned that every time I use an ID for WMI and
then reboot I'm going to lose privs for my IDs.

Has anyone seen this? What kind of diagnostics can I do to figure out
why user IDs are suddenly no longer recognized as being admins when
the configuration clearly shows they are?

I'm really concerned that there is some general registry corruption
going on here and at some point I may lose my primary admin user IDs.

I doubt this indicates any kind of growing or spreading problem that would
affect anything else relating to admin privileges. Corruption doesn't
happen predictably like this. I suspect a single configuration issue
somewhere, and I would be surprised if that configuration changed by itself.
We just need to find it and change it.

Also, being an administrator isn't exactly related to running WMI.
Non-admins can do so, with the proper permissions. It's just that admins
have this privilege by default, until that permission is manually removed
from those accounts by a person.

What about the questions I asked in my other post?
 
