Problems after Windows XP Upgrade

[David Woodward]

I am a network administrator and we have recently upgrade 20+ computers from
Windows 2000 Pro to Windows XP SP1. (We are holding off on upgrading the
rest until we determine if there are any other issues that may be more
critical than these)

The following problems only appear to exist on system upgraded from Windows
2000 Pro *SP4*. Systems that had Windows 2000 Pro *SP3 or below* have
upgraded with no problems at all. (So far)

I have figured out how to remedy each of these problems but I'm wondering if
anyone else is having similar problems. (If so, is Microsoft is aware that
these problems exist? Patches please!)

------------- Problem 1 -------------
After the upgrade if you enable Remote Desktop administrators are still
unable to take control of the system. The problem is that the Terminal
Services Privileges have not been configured properly. (See below)

Under [Control Panel -> Administrative Tools -> Local Security Policy ->
User Rights Assignment -> Allow logon through Terminal Services] there are
no users listed.

From a fresh install or an upgrade from Win2K Pro *SP3 or less*, this policy
has "Administrators; Remote Desktop Users" listed for access. Once these
groups are added to the systems that were upgraded from SP4, everything
works fine.

------------- Problem 2 -------------
The second problem I've run into is that the remote management features are
all but disabled on these systems.

If you try to edit a remote system's registry after it has been upgraded you
do not have access to the HKEY_LOCAL_MACHINE or HKEY_CURRENT_USERS hives.

Also, if you try to connect to one of the remote systems through computer
managment you will be able to connect but not perform many functions at all.
If you try to view the event log, system summary, performance logs/alerts,
or device manager you will get an error stating that "Access is denied"

The resolution to both of these problems is to log in to the systems locally
and grant "LOCAL SERVICE" read permissions to the following registry key.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg

Once the LOCAL SERVICE has read access to this key all of the remote
management and remote registry editing features work correctly. Once again,
upgrades from Windows 2000 SP3 or below already have this registry
permission set and all is well.

-------------------------------------

So is anyone elese having these problems? Care to try to reproduce them for
me?

(Much thanks to Woody Guo for the great support in helping me resolve the
remote management issues)

--David

 

[Steven Liu]

Hi David,

As I test, I re-pro the problems.

I think it's the problem of the upgrade.

There has no fix yet. The workaround is to manyally modify the settings.

Sorry about this.

Thanks for using Microsoft News Group!

Sincerely,

Steven Liu [MSFT]

Microsoft Online Partner Support

MCSE 2000

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

 

[David Woodward]

Thanks alot Steven!

It's nice to know that someone took enough interest to try to reproduce the
problem for me. It's also a big relief that it isn't anything I did with
the installation process to cause the problem.

Thanks again,
David Woodward

 

[gelmcp]

Thanks for the tip. I was experiencing the same thing trying to connect
to XP and Server 2003. Adding the permissions to the registry restored
full functionality to (remote) Computer Management and remote regedit
connections.
Strange side note - We noticed that we could see Local Users and Groups
when connecting from 2000, but not from XP. Other than that, 2000
showed similar problems remotely connecting to XP/2003.


gelmcp

 

[christophe]

hi and thx for this tip.

i upgrade some 2000 to xp pro by network and i've customized my xp
installation to modify the problem 2.
but i'm looking for a solution to include directly in the source share
directory, on a batch files to write in the registry the right for the
domain admins to the terminal services.

for example, i resolve the problem with the service local with a batch
that i add to my I386\$oem$\ :

\\server\apps\DistribXPpro\I386\$oem$\patchs.bat

and the first lines of ths files are:

@echo off
echo.
start /wait \\server\share\apps\DistribXPpro\I386\$oem$\subinacl.exe
/keyreg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
/grant="SERVICE LOCAL"=R"
echo.

i use the subinacl tools from microsoft to do this.

my question is: what is the path in the registry to modify the rights
of terminal service access ??


christophe