Access denied on remote registry access, from Win2003 sp1

[Jan F. Jacobsen]

Hi ....



Your help would be greatly appreciated.



Having developed a native C win32 system, that runs as a service, as LocalSystem account on a Windows 2003 server.



This service is accessing data (RegConnectRegistry() - read and writes) on remote client's (NT4 sp6a, W2K sp4 XP sp2 and W2003)

registry (HKLM\Software aso.), connecting as a domain administrator. No problem - every thing is ok.

But after updating the Windows 2003 server (the server with the service) to service pack 1,

My service gets 'access denied' when trying to access remote registry on all Windows 2000 professional client's,

but no problems on nt4, xp and w2003.



This problem can be replicated with help of native tools, like this:

1.. Use cmsasuser.exe on a windows 2003 server (can be found on the Internet), start it like this: cmdasuser localsystem, this will launch a command box in the security context of the localsystem.
2.. In this cmd box connect to at client computer like this: net use * \\client\c$ /u:domainadmin password
3.. Start (in same cmd box) regedit.exe and connect to the client's registry.
4.. Try this procedure with and without sp1 and against nt4, w2k, xp and w2003 computers.


Is this a bug in w2003 sp1 or ???





Regards

Jan

Denmark

 

[Dave Patrick]

Try setting up failure auditing on the local machine hive (affected
machines). Run regedt32.exe then browse to HKLM, then
Edit|Permissions|Advanced|Auditing|Add|"everyone"|OK then check the "Failed"
box on Full Control, Set Value, Create Subkey, Enumerate Subkey, Delete,
Create Link

Then check the Event log security for errors.


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
Hi ....



Your help would be greatly appreciated.



Having developed a native C win32 system, that runs as a service, as
LocalSystem account on a Windows 2003 server.



This service is accessing data (RegConnectRegistry() - read and writes) on
remote client's (NT4 sp6a, W2K sp4 XP sp2 and W2003)

registry (HKLM\Software aso.), connecting as a domain administrator. No
problem - every thing is ok.

But after updating the Windows 2003 server (the server with the service) to
service pack 1,

My service gets 'access denied' when trying to access remote registry on all
Windows 2000 professional client's,

but no problems on nt4, xp and w2003.



This problem can be replicated with help of native tools, like this:

1.. Use cmsasuser.exe on a windows 2003 server (can be found on the
Internet), start it like this: cmdasuser localsystem, this will launch a
command box in the security context of the localsystem.
2.. In this cmd box connect to at client computer like this: net use *
\\client\c$ /u:domainadmin password
3.. Start (in same cmd box) regedit.exe and connect to the client's
registry.
4.. Try this procedure with and without sp1 and against nt4, w2k, xp and
w2003 computers.


Is this a bug in w2003 sp1 or ???





Regards

Jan

Denmark

 

[Jan F. Jacobsen]

Nothing shows up in the security event log, so the access must be blocked before hitting the registry!
If adding the built-in group 'network' to the local administrators group, for testing - everything works again.

--
Regards

Jan F. Jacobsen
Microsoft Certified Systems Engineer

Try setting up failure auditing on the local machine hive (affected
machines). Run regedt32.exe then browse to HKLM, then
Edit|Permissions|Advanced|Auditing|Add|"everyone"|OK then check the "Failed"
box on Full Control, Set Value, Create Subkey, Enumerate Subkey, Delete,
Create Link

Then check the Event log security for errors.


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
Hi ....



Your help would be greatly appreciated.



Having developed a native C win32 system, that runs as a service, as
LocalSystem account on a Windows 2003 server.



This service is accessing data (RegConnectRegistry() - read and writes) on
remote client's (NT4 sp6a, W2K sp4 XP sp2 and W2003)

registry (HKLM\Software aso.), connecting as a domain administrator. No
problem - every thing is ok.

But after updating the Windows 2003 server (the server with the service) to
service pack 1,

My service gets 'access denied' when trying to access remote registry on all
Windows 2000 professional client's,

but no problems on nt4, xp and w2003.



This problem can be replicated with help of native tools, like this:

1.. Use cmsasuser.exe on a windows 2003 server (can be found on the
Internet), start it like this: cmdasuser localsystem, this will launch a
command box in the security context of the localsystem.
2.. In this cmd box connect to at client computer like this: net use *
\\client\c$ /u:domainadmin password
3.. Start (in same cmd box) regedit.exe and connect to the client's
registry.
4.. Try this procedure with and without sp1 and against nt4, w2k, xp and
w2003 computers.


Is this a bug in w2003 sp1 or ???





Regards

Jan

Denmark

 

[Dave Patrick]

Yes then I would agree. Your problem lies somewhere within a policy for
machine access from the network. Control Panel|Admin Tools|Local Security
Policy\Local Policies

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
Nothing shows up in the security event log, so the access must be blocked
before hitting the registry!
If adding the built-in group 'network' to the local administrators group,
for testing - everything works again.