D
David Woodward
I am a network administrator and we have recently upgrade 20+ computers from
Windows 2000 Pro to Windows XP SP1. (We are holding off on upgrading the
rest until we determine if there are any other issues that may be more
critical than these)
The following problems only appear to exist on system upgraded from Windows
2000 Pro *SP4*. Systems that had Windows 2000 Pro *SP3 or below* have
upgraded with no problems at all. (So far)
I have figured out how to remedy each of these problems but I'm wondering if
anyone else is having similar problems. (If so, is Microsoft is aware that
these problems exist? Patches please!)
------------- Problem 1 -------------
After the upgrade if you enable Remote Desktop administrators are still
unable to take control of the system. The problem is that the Terminal
Services Privileges have not been configured properly. (See below)
Under [Control Panel -> Administrative Tools -> Local Security Policy ->
User Rights Assignment -> Allow logon through Terminal Services] there are
no users listed.
From a fresh install or an upgrade from Win2K Pro *SP3 or less*, this policy
has "Administrators; Remote Desktop Users" listed for access. Once these
groups are added to the systems that were upgraded from SP4, everything
works fine.
------------- Problem 2 -------------
The second problem I've run into is that the remote management features are
all but disabled on these systems.
If you try to edit a remote system's registry after it has been upgraded you
do not have access to the HKEY_LOCAL_MACHINE or HKEY_CURRENT_USERS hives.
Also, if you try to connect to one of the remote systems through computer
managment you will be able to connect but not perform many functions at all.
If you try to view the event log, system summary, performance logs/alerts,
or device manager you will get an error stating that "Access is denied"
The resolution to both of these problems is to log in to the systems locally
and grant "LOCAL SERVICE" read permissions to the following registry key.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg
Once the LOCAL SERVICE has read access to this key all of the remote
management and remote registry editing features work correctly. Once again,
upgrades from Windows 2000 SP3 or below already have this registry
permission set and all is well.
-------------------------------------
So is anyone elese having these problems? Care to try to reproduce them for
me?
(Much thanks to Woody Guo for the great support in helping me resolve the
remote management issues)
--David
Windows 2000 Pro to Windows XP SP1. (We are holding off on upgrading the
rest until we determine if there are any other issues that may be more
critical than these)
The following problems only appear to exist on system upgraded from Windows
2000 Pro *SP4*. Systems that had Windows 2000 Pro *SP3 or below* have
upgraded with no problems at all. (So far)
I have figured out how to remedy each of these problems but I'm wondering if
anyone else is having similar problems. (If so, is Microsoft is aware that
these problems exist? Patches please!)
------------- Problem 1 -------------
After the upgrade if you enable Remote Desktop administrators are still
unable to take control of the system. The problem is that the Terminal
Services Privileges have not been configured properly. (See below)
Under [Control Panel -> Administrative Tools -> Local Security Policy ->
User Rights Assignment -> Allow logon through Terminal Services] there are
no users listed.
From a fresh install or an upgrade from Win2K Pro *SP3 or less*, this policy
has "Administrators; Remote Desktop Users" listed for access. Once these
groups are added to the systems that were upgraded from SP4, everything
works fine.
------------- Problem 2 -------------
The second problem I've run into is that the remote management features are
all but disabled on these systems.
If you try to edit a remote system's registry after it has been upgraded you
do not have access to the HKEY_LOCAL_MACHINE or HKEY_CURRENT_USERS hives.
Also, if you try to connect to one of the remote systems through computer
managment you will be able to connect but not perform many functions at all.
If you try to view the event log, system summary, performance logs/alerts,
or device manager you will get an error stating that "Access is denied"
The resolution to both of these problems is to log in to the systems locally
and grant "LOCAL SERVICE" read permissions to the following registry key.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg
Once the LOCAL SERVICE has read access to this key all of the remote
management and remote registry editing features work correctly. Once again,
upgrades from Windows 2000 SP3 or below already have this registry
permission set and all is well.
-------------------------------------
So is anyone elese having these problems? Care to try to reproduce them for
me?
(Much thanks to Woody Guo for the great support in helping me resolve the
remote management issues)
--David