Need help getting permissions used by removed default trustee

[Paul Randall]

Hi,
(forgot to include subject on previous post)
I'm not sure what group to post this in, so please let me know of a better
place.
I did not post to Microsoft's WMI newsgroup because it is used so little.

I'm trying to understand and optimize my new Vista computer. All I have
done with it so far is boot up the preinstalled Vista Home Basic, and
explored some of its features and non-features (like lack of built-in fax
capability).

On a separate WXPPro-Sp2 system, my WMI service has failed. So I downloaded
Microsoft's WMI Diagnosis Utility -- Version 2.0 from
http://www.microsoft.com/downloads/...D6-18D1-4D05-B11E-4C64192AE97D&displaylang=en

On my WXP system WmiDiag.vbs showed many problems, which I am trying to
resolve.
I ran WmiDiag.vbs on my new Vista system, expecting no errors, but expecting
to see how it works on a good system. In the summary section of the output,
I get:
(0) ** 32 error(s) 0x80041003 - (WBEM_E_ACCESS_DENIED) Current user does not
have permission to perform the action
(0) ** => This error is typically due to insufficient or restricted
permissions in the examined system.
(0) ** => ENSURE you are a Full Administrator of the examined system, if the
WMI provider or the
(0) ** WMI system security do not enforce any restrictions.

Well, of course I'm the only admistrator of the system, so I assume (silly
me) that I am the 'Full Administrator'.

In the details section of the output, I see things like:
(0) ** WMI namespace security for 'Root':
...................................................................................
MODIFIED.
(1) !! ERROR: Default trustee 'BUILTIN\ADMINISTRATORS' has been REMOVED!
(0) ** - REMOVED ACE:
(0) ** ACEType: &h0
(0) ** ACCESS_ALLOWED_ACE_TYPE
(0) ** ACEFlags: &h12
(0) ** CONTAINER_INHERIT_ACE
(0) ** INHERITED_ACE
(0) ** ACEMask: &h6003F
(0) ** WBEM_ENABLE
(0) ** WBEM_METHOD_EXECUTE
(0) ** WBEM_FULL_WRITE_REP
(0) ** WBEM_PARTIAL_WRITE_REP
(0) ** WBEM_WRITE_PROVIDER
(0) ** WBEM_REMOTE_ACCESS
(0) ** WBEM_WRITE_DAC
(0) ** WBEM_READ_CONTROL
(0) **
(0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
(0) ** Removing default security will cause some operations to fail!
(0) ** It is possible to fix this issue by editing the security
descriptor and adding the ACE.
(0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.

I get the feeling that during the initial boot/setup process, the Default
trustee 'BUILTIN\ADMINISTRATORS' was created and did some stuff, and was
then deleted before I got control of the computer, and that the trustee had
credentials over some things that I, as the sole owner and user of the
computer, do not currently have.

Question 1: Is it possible to give myself, the only administrator, full
control over everything on my computer, including what this defunct trustee
had, and if so, how? I'd prefer a VBScript way, but any help would be
appreciated.

Question 2: Where can I read up on this stuff? URLs greatly appreciated.

Thanks for any help you can give me.

-Paul Randall

 

[Tom]

To gain full control of your computer you must disable UAC. The people at
Vista don't like this because it is a security feature they are pushing. But
you asked and so here is what you do.

1. Click Start
2. Control Panel
3. User Accounts
4. Make changes to your User Account
5.Turn User Account control on or off
6. Uncheck the box...Use User account control (UAC) to help protect your
computer.
7. Click OK button

Thats it. Now you have control of your computer.

NEXT... to keep from logging in every time you turn on the computer,

Still in control panel...
1. Click Parental Controls
2. At the computer Administrator icon click to remove password or (no
password).

I have been reprimanded twice or more on 2 newsgroups for giving out this
info.
Let me know if this fixes your problem.
Tom

P.S. My wife bought an HP with Vista and she was ready to toss it into the
garbage can until I disabled the permissions thingy. Now she loves it. She
also had an XP before.

 

[Jimmy Brush]

Hello,

This is due to the new security feature of Windows Vista that Tom referred
to (UAC).

He explained how to turn it off, but he didn't explain what it does, what
benefits it gives you, or how to do what you were trying to do with UAC
turned on .

Quick solution: Right-click command prompt, click run as administrator, then
start your vbs script, and it will work fine.

Now on to the explanation of what's going on ...

Very simply, UAC draws a line on your computer between administrative
programs and non-administrative programs.

UAC then enforces a single rule: Programs must have your permission in order
to have administrative power.

This gives you the following benefits:

- Programs that don't need admin power, don't have it (why give someone the
keys to your car if they will never drive it)

- Any program that wants full control over your computer must ask you for
permission, or you must explicitly start it with admin power by
right-clicking it and clicking Run As Administrator

Specifically, this protects you from programs that:

- Would try to perform administrative operations without your knowledge or
consent

- Would try to be sneaky and start an administrative program without your
knowledge/consent to bypass restrictions ("Hey I didn't start format.exe, I
don't want it to run!")

- Would try to abuse/exploit a currently running administrative program in
order to take control over your computer

So, here's how to successfully use Vista when logged in as an administrator
with UAC turned on:

Just remember that if you are starting a program or performing an action and
it doesn't prompt, then it will not have administrative control over your
computer.

- When running command-line programs: You will need to run administrative
command-line programs from an administrative command prompt (right-click
command prompt and click Run As Administrator)

- When running a Vista-compatible program: You don't have to do anything
special, these programs will prompt you automatically if they want admin
access to your computer

- When running old programs not designed for Vista: If these programs needs
admin access to your computer, right-click them and click Run As
Administrator. If you use it a lot, right-click the program, click
properties, click compatability, and put a check next to always run as
administrator. This will cause the program to automatically prompt every
time it is run.

Turning off UAC takes this extra control away from you and makes things work
like Windows XP, where any program that happens to run on your computer can
do anything it wants to your computer.

Also, turning off UAC disables Internet Explorer protected mode, because it
uses UAC's seperation-of-privilege in order to work.

--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

 

[Hugh Wyn Griffith]

Now you have control of your computer.

Except for the things you can't do with UAC turned off .......

 

[Paul Randall]

Hi, Tom
Thanks for the help. Replies inline...

To gain full control of your computer you must disable UAC. The people at
Vista don't like this because it is a security feature they are pushing.
But
you asked and so here is what you do.

1. Click Start
2. Control Panel
3. User Accounts
4. Make changes to your User Account
5.Turn User Account control on or off

'Turn User Account control on or off' does not show up in the list of
things to do. There is a blank line where it probably should be. I have
the Vista Designed by Idiots for Idiots version (home basic).

Is there a registry entry I can change that turns off UAC?
I've seen this:
http://vistasupport.mvps.org/disable_user_account_control_for_the_administrator_account_only.htm,
and will try it later today.

6. Uncheck the box...Use User account control (UAC) to help protect your
computer.
7. Click OK button

Thats it. Now you have control of your computer.

NEXT... to keep from logging in every time you turn on the computer,

Still in control panel...
1. Click Parental Controls
2. At the computer Administrator icon click to remove password or (no
password).

Having sole access to this computer, I did not initially set up a password.
Is it possible this is the reason I don't have access to 'Turn User Account
control on or off'?

I have been reprimanded twice or more on 2 newsgroups for giving out this
info.
Let me know if this fixes your problem.
Tom

P.S. My wife bought an HP with Vista and she was ready to toss it into the
garbage can until I disabled the permissions thingy. Now she loves it. She
also had an XP before.

You sound like you know a lot about setting up user accounts on Vista. I
want to set up an elderly couple's new laptop with Vista Home Basic, with
three accounts -- Administrator and two users. At bootup, I want icons to
show up only for the two users. I don't want either one to have to enter
passwords to get into their accounts. On one account I want to start up
Internet Explorer automatically, and on the other, I want to start
Solitaire.

Is it possible?
If so, can you outline the procedure?

Thanks for your help.

-Paul Randall

 

[Guest]

But what about programs like my Spyware and Virus programs that always are
constantly updating themselves and thus continually keep pestering me to
Allow them to do their automatic updating things?
That was soooo annoying having those popup messages every single time I
startup the computer or any time during using the computer.
I don't want to have to keep approving petty little things all the time.

thanx.............md

 

[Paul Randall]

- When running command-line programs: You will need to run administrative
command-line programs from an administrative command prompt (right-click
command prompt and click Run As Administrator)

Thanks for the info.

In my previous post, I mentioned that I had not specified any password for
the single account I created on initial startup of the preinstalled Vista
Home Basic.

Today, I put the computer's hard drive (spare hard drive, actually) back
into the computer's initial out-of-the-box state and specified a password
for the single account I created on first boot-up.

It took me a while to figure out that I have to navigate to Cmd.exe or a
link to it, and right click on it, choosing Run as Administrator. But I
finally got Microsoft's WMIDiag.vbs to run with correct permissions that it
completed with a success message and reported no permissions problems.

From the outputs of WMIDiag.vbs that I've gotten this time and previously,
I've come to the conclusion that there are at least three Administrator
privilege levels with UAC turned on.

1) Reduced privileges if the administrator account has no password. Perhaps
the lack of a password also prevents raising the privileges in any manner.

2) Normal privileges if the administrator account has a password.

3) Elevated privileges if 'run as administrator' context is used.

Am I right, wrong, misguided???
Is there a URL that explains it for dummies?
Is there an easy way to switch the administrator account back and forth
between having a password and not having a password to investigate the
effects of both situations?

-Paul Randall

 

[Jimmy Brush]

The privileges assigned to your admin account is the same, regardless of
whether your account has a password or not.

Programs that run after a prompt or are started by a program that prompted,
run with full admin privileges.

Programs that do not prompt and are started by a program that did not
prompt, run as if a standard user had started them.



--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/