XP SP2 Network connections gone!

[Tim]

After loading SP2 the Network Connections icons are just
gone! Internet still works but can't change anything with
the connection, there are no icons...the firewall says
setting were corrupted and to click default but that
doesn't work either...

Tried several different things.... works on a non domain
system but as soon as it is added to the enterprise
domain and security policies are applied bingo the
Network Connections are gone.....

Any Idea's?

 

[tim]

Is there a setting to hide the icons in the software security policy,
or something along those lines?

 

[Tim]

I looked in the gpedit.msc and didn't see anything that
jumped out at me....

I must say this only happens after we join the systems to
the domain and Group Policy is applied (stand alone they
work fine).... we are using Test Boxes before deploying
to the rest of the network... none of the test boxes
work... we have about 400 systems on our subnet (OU) out
of about 25 thousand in the domain.... so we want to get
it right...

 

[tim]

I'm using xp pro, on a network of one. I've seen it happen on my
computer at times. I usually just delete the connection, and create a
new one. But if yours is disappearing somewhere down the line, it
probably wouldn't help. Sorry I don't know more.

 

[Hans-Georg Michna]

After loading SP2 the Network Connections icons are just
gone! Internet still works but can't change anything with
the connection, there are no icons...the firewall says
setting were corrupted and to click default but that
doesn't work either...

Tried several different things.... works on a non domain
system but as soon as it is added to the enterprise
domain and security policies are applied bingo the
Network Connections are gone.....

Tim,

the following Microsoft Knowledge Base article refers to a
similar problem with Service Pack 1 and may still apply.

You cannot create a network connection after you restore Windows
XP
http://support.microsoft.com/?kbid=329441

(This is a citation from http://www.michna.com/kb/WxSP2.htm.)

Hans-Georg

 

[George Birbilis]

*** citing the following reply of mine to some other e-mail (not sure what
caused the problem on my machine, maybe Sygate Personal Firewall which I had
"exited" before installing restarted after reboot [I should have also told
it instead to allow all connections instead of exiting it, so that it would
keep that setting after reboot])

----

In my system I found out the XPSP2 setup had failed to compete:

it was installing a service to finish up stuff after reboot, but that
service (and many others on the PC) was dependent on RPCSS service which was
failing to start cause the XPSP2 had changed the user account for that
service to "NetworkService" (it had also changed some other services to
"LocalService" and they were failing to start too) from "LocalSystem". In
some of those service account change cases it had "NT AUTHORITY\" prefix
there, that one doesn't seem to be the problem though

the problem was it hadn't created those accounts! only solution was to fix
them to use "LocalSystem" again (obviously they wanted to make those
accounts with lower priviledges, but didn't know what priviledges to give to
such accounts, what group to put them into etc., plus since RPCSS wasn't
working the MMC properties dialog didn't show up and various other ugly
behaviour - luckily "regedit" worked)

so using "regedit" or "regedt32" (prefer the 1st) I had to go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

and search for all services that had the value "ObjectName" set to anything
else than "LocalSystem", esp. "NT AUTHORITY\NetworkService" or
"LocalService" and changed them to "LocalSystem" and then those services
were starting OK again and the system started functioning OK. First do this
to "rpcss" service, since it's critical for many other services to load too

 

[Hans-Georg Michna]

In my system I found out the XPSP2 setup had failed to compete:

it was installing a service to finish up stuff after reboot, but that
service (and many others on the PC) was dependent on RPCSS service which was
failing to start cause the XPSP2 had changed the user account for that
service to "NetworkService" (it had also changed some other services to
"LocalService" and they were failing to start too) from "LocalSystem". In
some of those service account change cases it had "NT AUTHORITY\" prefix
there, that one doesn't seem to be the problem though

the problem was it hadn't created those accounts!

George,

this is strange. I don't have any accounts with these names
either, yet on my computers the services start just fine. I
think these services are internal ones that don't show up in
User Manager or Computer Management.

Where did you check to find out whether these users exist?

Hans-Georg

 

[George Birbilis]

this is strange. I don't have any accounts with these names

either, yet on my computers the services start just fine. I
think these services are internal ones that don't show up in
User Manager or Computer Management.

Where did you check to find out whether these users exist?

Hans-Georg

I check at MMC, users&groups, where all the other accounts do show up

the strangest thing is that I uninstalled Sygate Personal Firewall and AVAST
antivirus (after I had fixed the problem manually as I said in that previous
e-mail and all was working again fine) and I reinstalled XP SP2 to see if
the problem had been the firewall and AGAIN it did the same thing (luckily
now I new how to solve the problem)

I'm worried though that "LocalSystem" is an account with too many rights,
but don't know how to create the
NT Authority\NetworkService
and
LocalService
accounts (plus why the value in the registry is called "ObjectName")

maybe it's not an account but something else? (after all "LocalSystem" isn't
shown as an account either at "Users & Groups")

I think "LocalSystem" is shown at the security dialog where you give rights
to files etc., maybe its some default internal account for the system, but
wonder how I can add the NetworkService and LocalService ones too (I'll have
to find another WinXP SP2 machine that works OK in the future and scan the
registry for those names to see if they're defined somewhere in that
registry but not in mine)

thanks in advance for any info,
I wonder why this problem happened and glad it now works OK (it's a compaq
nx7000 with WinXP Pro, all updates were installed when I applied WinXP SP2
english from the MSDN universal DVD - unless the online version was newer
and had some more fixes, which I find unlikely since both said SP2 and
didn't see any online info about newer SP2 version although I had checked
first to be sure before installing)

 

[George Birbilis]

[news://microsoft.public.windowsxp.setup_deployment]

Finally, I did find the cause of all those problems I was having with
LocalService and NetworkService accounts (and related services not starting
if one didn't change them to use LocalSystem account [from registry editor,
started using task manager - shift+esc to show task manager - since no
desktop or MMC property pages etc. was available])

After I thought I had fixed my system (as I shortly describe above and
explained in detail in previous postings), I noticed that the "system
information" utility wasn't showing ANY info, plus the "System" applet of
Control Panel wasn't showing details about my computer model etc. Going to
Event Viewer I noticed something that a DCOM server couldn't start and that
the user invoking it was "NT Authority\NetworkService". It seemed to me that
some Windows code had embedded authentication info for talking to some
service or something via COM/DCOM and was trying to use "NetworkService"
account (using "impersonation" maybe). Of course it was failing since I had
those services now set to use "LocalSystem" account, so that my system would
work OK

Seeing that it came to me that the problem might have been that those two
accounts may not have been able to access the "Windows" folder and the
"Documents and Settings" folder's "NetworkService" and "LocalService"
subfolders (where it seems the profiles for those two accounts are kept [in
hidden subfolders])

so I gave at each such subfolder full rights for the respective account
(NetworkService, LocalService)
and gave "Everyone" read/execute access at the "Windows" folder
then restored the services accounts at the registry again to the settings
WinXP SP2 had set it to use before (that is use "NT
Authority\NetworkService" and "LocalService" accounts for some services
instead of "LocalSystem") and rebooted.

All started fine, obviously the original problem with WinXP SP2 setup was
that "RpcSs" service and some others running under NetworkService or
LocalService accounts didn't have enough rights to system files! I wonder
why the Windows XP SP2 setup didn't give the appropriate rights to the
files/folders needed for those two accounts

The problem must have been caused because sometime ago before installing XP
SP2 I had removed "Everyone" from ACL (Access Control List) at all my
folders (I had kept only Administrator and SYSTEM accounts with full access
for security reasons, since Compaq/HP had my Compaq nx7000 with WinXPpro
setup to use FAT32 [!@#@!$!#$] and after I upgraded to NTFS all files had
full permissions for "Everyone" which is very bad, security-wise)

Now if anyone could point to some MS utility that suggests correct file
permissions at a system's standard folders it's welcome since I don't think
giving "Everyone" read/execute access to Windows folder is safe (even if I
just gave NetworkService and LocalService accounts read/execute access to
Windows folder instead of Everyone, I still don't know if that's too much
rights to give)

*** hope MS fixes SP2 to update ACLs for the accounts the system uses if the
installer detects they don't have the needed permissions, plus make some
tool for checking file permissions on a system. Talking to HP/Compaq, Acer
etc. and make them to install WinXPpro laptops with NTFS instead of FAT32
wouldn't hurt either!

cheers,
George

 

[Hans-Georg Michna]

Now if anyone could point to some MS utility that suggests correct file
permissions at a system's standard folders it's welcome since I don't think
giving "Everyone" read/execute access to Windows folder is safe (even if I
just gave NetworkService and LocalService accounts read/execute access to
Windows folder instead of Everyone, I still don't know if that's too much
rights to give)

George,

there is some tool or procedure by Microsoft, but I can't find
it right now. I used it once, some time ago.

Hans-Georg

 

[Torgeir Bakken \(MVP\)]

(snip)
Now if anyone could point to some MS utility that suggests correct file
permissions at a system's standard folders it's welcome since I don't think
giving "Everyone" read/execute access to Windows folder is safe (even if I
just gave NetworkService and LocalService accounts read/execute access to
Windows folder instead of Everyone, I still don't know if that's too much
rights to give)

Hi
Hi

Most files in the Windows (sub)folders have "Everyone" read/execute
access, so I don't think your configuration is very unsafe.

But if you want to:

How To Reset Security Settings Back to the Defaults
http://support.microsoft.com/?kbid=313222

Note: secedit.exe is not available for WinXP Home

 

[Hans-Georg Michna]

Now if anyone could point to some MS utility that suggests correct file
permissions at a system's standard folders it's welcome since I don't think
giving "Everyone" read/execute access to Windows folder is safe (even if I
just gave NetworkService and LocalService accounts read/execute access to
Windows folder instead of Everyone, I still don't know if that's too much
rights to give)

George,

oops, my mind was totally absent. I actually have that on my own
site, but Torgeir of course knew it and replied already.

Hans-Georg