Admin / Domain Admin rights problem

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,
I'm using SBS2000 as my primary DC.
I have a problem - the Administrator account cannot access 'HKLM' keys in
the registry. I've been told it is because the Administrator is not a member
of the Domain Admins group. Except, accoring to SBS Admin console, it is.
Furthermore I can't change the permissions for HKLM using the registry
editor. I need to give the account access to HKLM but don't know what else
to do - help!

Thanks

Andy
10 answers Last reply
More about admin domain admin rights problem
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Evidently you can view the security settings on HKLM
    Who/What account/group does have full permissions?
    You will need to use an account that does have the ability.

    --
    Roger Abell
    Microsoft MVP (Windows Security)

    "Andy Roxburgh" <rallybob@hotmail.co.uk> wrote in message
    news:uamLJ1$eFHA.744@TK2MSFTNGP14.phx.gbl...
    > Hi,
    > I'm using SBS2000 as my primary DC.
    > I have a problem - the Administrator account cannot access 'HKLM' keys in
    > the registry. I've been told it is because the Administrator is not a
    member
    > of the Domain Admins group. Except, accoring to SBS Admin console, it is.
    > Furthermore I can't change the permissions for HKLM using the registry
    > editor. I need to give the account access to HKLM but don't know what else
    > to do - help!
    >
    > Thanks
    >
    > Andy
    >
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Actually I can't view the security settings - a message pops up telling me I
    can change them but not view them... except when I try to change them it
    won't let me do that either.

    So I can't see what accounts have full permissions!

    Andy


    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:uQCeGDCfFHA.1948@TK2MSFTNGP12.phx.gbl...
    > Evidently you can view the security settings on HKLM
    > Who/What account/group does have full permissions?
    > You will need to use an account that does have the ability.
    >
    > --
    > Roger Abell
    > Microsoft MVP (Windows Security)
    >
    > "Andy Roxburgh" <rallybob@hotmail.co.uk> wrote in message
    > news:uamLJ1$eFHA.744@TK2MSFTNGP14.phx.gbl...
    > > Hi,
    > > I'm using SBS2000 as my primary DC.
    > > I have a problem - the Administrator account cannot access 'HKLM' keys
    in
    > > the registry. I've been told it is because the Administrator is not a
    > member
    > > of the Domain Admins group. Except, accoring to SBS Admin console, it
    is.
    > > Furthermore I can't change the permissions for HKLM using the registry
    > > editor. I need to give the account access to HKLM but don't know what
    else
    > > to do - help!
    > >
    > > Thanks
    > >
    > > Andy
    > >
    > >
    >
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Make sure that you are logging on as the administrator account and not some
    renamed administrator which is sometimes used as a domain account. The
    command "net user administrator" will display group membership. Also verify
    that domain admins is a member of the administrators group for the domain as
    it is possible for it to be removed. You should also run a full malware scan
    on your server being sure to use the latest definitions from your vendor.
    Also some "protection" packages can block access to the registry I am told.
    You may want to boot into safe mode to see if that helps. Subinacl is a tool
    that can be used to view and change file and registry permissions at the
    command line if need be. However it is very powerful and I would not use it
    unless you have a full image type backup of your server or you are very
    confident that you are using the right command possibly from trying it on a
    test computer first. Group Policy can also be used to manage registry
    permissions via computer configuration/Windows settings/security settings -
    registry though you need to be careful doing such and should unlink the
    Group Policy when done and needs to be linked to the proper OU where the
    computer accounts are. Improper use of file/registry permissions via Group
    Policy can cause performance problems in the domain. --- Steve

    http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en
    -- subinacl
    http://www.jsifaq.com/SUBR/tip8700/rh8724.htm -- Group Policy to manage
    file/registry permissions.

    "Andy Roxburgh" <rallybob@hotmail.co.uk> wrote in message
    news:uClPEQIfFHA.3936@TK2MSFTNGP14.phx.gbl...
    > Actually I can't view the security settings - a message pops up telling me
    > I
    > can change them but not view them... except when I try to change them it
    > won't let me do that either.
    >
    > So I can't see what accounts have full permissions!
    >
    > Andy
    >
    >
    >
    > "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    > news:uQCeGDCfFHA.1948@TK2MSFTNGP12.phx.gbl...
    >> Evidently you can view the security settings on HKLM
    >> Who/What account/group does have full permissions?
    >> You will need to use an account that does have the ability.
    >>
    >> --
    >> Roger Abell
    >> Microsoft MVP (Windows Security)
    >>
    >> "Andy Roxburgh" <rallybob@hotmail.co.uk> wrote in message
    >> news:uamLJ1$eFHA.744@TK2MSFTNGP14.phx.gbl...
    >> > Hi,
    >> > I'm using SBS2000 as my primary DC.
    >> > I have a problem - the Administrator account cannot access 'HKLM' keys
    > in
    >> > the registry. I've been told it is because the Administrator is not a
    >> member
    >> > of the Domain Admins group. Except, accoring to SBS Admin console, it
    > is.
    >> > Furthermore I can't change the permissions for HKLM using the registry
    >> > editor. I need to give the account access to HKLM but don't know what
    > else
    >> > to do - help!
    >> >
    >> > Thanks
    >> >
    >> > Andy
    >> >
    >> >
    >>
    >>
    >
    >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    Hi Steven,

    > Make sure that you are logging on as the administrator account and not
    some
    > renamed administrator which is sometimes used as a domain account. The
    > command "net user administrator" will display group membership.

    I get (exactly as output) :
    .....
    Logon Script
    User Profile
    Home Directory
    Last logon 6/30/2005 2:00pm

    Logon Hours Allowed All

    Local Group Memberships
    *Account Operators
    *Administrators
    *Backup operators
    *Server Operators
    *Print Operators

    Global Group Memberships
    *Exchange Services
    *Domain Admins
    *Domain Users
    *Enterprise Admins
    *Exchange Domain Serve
    *Group Policy Creator
    *Backoffice Internet U
    *Scheme Admins

    >Also verify
    > that domain admins is a member of the administrators group for the domain
    as
    > it is possible for it to be removed.

    I checked this with the SBS Admin console and it appears to be OK.

    >You should also run a full malware scan
    > on your server being sure to use the latest definitions from your vendor.

    Just tried a full AV scan and it consistently locks up half way through -
    not a great sign!
    Just ran MS Antyspyware beta and it's clean; will try a different AV scanner
    and try again.

    > Also some "protection" packages can block access to the registry I am
    told.
    > You may want to boot into safe mode to see if that helps.

    Will try this at the weekend - the server's in use at the moment.

    >Subinacl is a tool
    > that can be used to view and change file and registry permissions at the
    > command line if need be. However it is very powerful and I would not use
    it
    > unless you have a full image type backup of your server or you are very
    > confident that you are using the right command possibly from trying it on
    a
    > test computer first.

    Thanks! Have used it to show the HKLM permissions. Typing
    subinacl /key HKEY_LOCAL_MACHINE /display
    I get :

    ===========================
    +KeyReg HKEY_LOCAL_MACHINE
    ===========================
    /control=0x0
    /owner =builtin\administrators
    /primary group =system
    /audit ace count =0
    /perm. ace count =4

    /pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
    CONTAINER_INHERIT_ACE-0x2
    Key and SubKey - Type of Access:
    Full Control
    Detailed Access Flags :
    KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    KEY_CREATE_SUB_KEY-0x4
    KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10 KEY_CREATE_LINK-0x20
    DELETE-0x10000
    READ_CONTROL-0x20000 WRITE_DAC-0x40000 WRITE_OWNER-0x80000

    /pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
    CONTAINER_INHERIT_ACE-0x2
    Key and SubKey - Type of Access:
    Full Control
    Detailed Access Flags :
    KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    KEY_CREATE_SUB_KEY-0x4
    KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10 KEY_CREATE_LINK-0x20
    DELETE-0x10000
    READ_CONTROL-0x20000 WRITE_DAC-0x40000 WRITE_OWNER-0x80000

    /pace =everyone ACCESS_ALLOWED_ACE_TYPE-0x0
    CONTAINER_INHERIT_ACE-0x2
    Key and SubKey - Type of Access:
    Read
    Detailed Access Flags :
    KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    READ_CONTROL-0x20000

    /pace =restricted ACCESS_ALLOWED_ACE_TYPE-0x0
    CONTAINER_INHERIT_ACE-0x2
    Key and SubKey - Type of Access:
    Read
    Detailed Access Flags :
    KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    READ_CONTROL-0x20000


    and this compares to HKEY_USERS which I do have access to as follows:


    ===================
    +KeyReg HKEY_USERS
    ===================
    /control=0x0
    /owner =builtin\administrators
    /primary group =system
    /audit ace count =0
    /perm. ace count =4

    /pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
    CONTAINER_INHERIT_ACE-0x2
    Key and SubKey - Type of Access:
    Full Control
    Detailed Access Flags :
    KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    KEY_CREATE_SUB_KEY-0x4
    KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10 KEY_CREATE_LINK-0x20
    DELETE-0x10000
    READ_CONTROL-0x20000 WRITE_DAC-0x40000 WRITE_OWNER-0x80000

    /pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
    CONTAINER_INHERIT_ACE-0x2
    Key and SubKey - Type of Access:
    Full Control
    Detailed Access Flags :
    KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    KEY_CREATE_SUB_KEY-0x4
    KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10 KEY_CREATE_LINK-0x20
    DELETE-0x10000
    READ_CONTROL-0x20000 WRITE_DAC-0x40000 WRITE_OWNER-0x80000

    /pace =everyone ACCESS_ALLOWED_ACE_TYPE-0x0
    CONTAINER_INHERIT_ACE-0x2
    Key and SubKey - Type of Access:
    Read
    Detailed Access Flags :
    KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    READ_CONTROL-0x20000

    /pace =restricted ACCESS_ALLOWED_ACE_TYPE-0x0
    CONTAINER_INHERIT_ACE-0x2
    Key and SubKey - Type of Access:
    Read
    Detailed Access Flags :
    KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    READ_CONTROL-0x20000

    To me it looks fine; but there's definitely something wrong somewhere
    because it won't show HKLM permissions etc from regedit!

    Do you think I should try

    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=systems=f

    ?

    Ironically the reason I'm going through all this is so that I can create a
    ghost image - I'm using Veritas IDR and it's not playing ball.
    So I can't easily ghost the server before making changes.

    >Group Policy can also be used to manage registry
    > permissions via computer configuration/Windows settings/security
    settings -
    > registry though you need to be careful doing such and should unlink the
    > Group Policy when done and needs to be linked to the proper OU where the
    > computer accounts are. Improper use of file/registry permissions via
    Group
    > Policy can cause performance problems in the domain. --- Steve

    I don't appear to have the 'registry' item available under 'security
    settings'....

    It's not looking good is it??!

    Andy
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    Hmm. From what I can tell it looks like subinacl shows that administrators
    have full control of HKLM. I am at a loss as why you can not edit it. I
    always use regedt32 for Windows 2000 so you may want to try that if you have
    not yet. If it was my computer I would not use subinacl until I had an image
    backup. As far as Group Policy - registry you will not see that in Local
    Group Policy but it should show in Domain Controller Security Policy if SBS
    has such. If you can not get for antivirus to work try using the SysClean
    utility from Trend Micro [see links below]. Just download Sysclean and the
    pattern file [after unzipping] into a common folder to run from - no
    installation is involved. --- Steve

    http://www.trendmicro.com/download/dcs.asp
    http://www.trendmicro.com/download/pattern.asp

    "Andy Roxburgh" <spamplease@hotmail.co.uk> wrote in message
    news:usMh4EYfFHA.3904@TK2MSFTNGP14.phx.gbl...
    > Hi Steven,
    >
    >> Make sure that you are logging on as the administrator account and not
    > some
    >> renamed administrator which is sometimes used as a domain account. The
    >> command "net user administrator" will display group membership.
    >
    > I get (exactly as output) :
    > ....
    > Logon Script
    > User Profile
    > Home Directory
    > Last logon 6/30/2005 2:00pm
    >
    > Logon Hours Allowed All
    >
    > Local Group Memberships
    > *Account Operators
    > *Administrators
    > *Backup operators
    > *Server Operators
    > *Print Operators
    >
    > Global Group Memberships
    > *Exchange Services
    > *Domain Admins
    > *Domain Users
    > *Enterprise Admins
    > *Exchange Domain Serve
    > *Group Policy Creator
    > *Backoffice Internet U
    > *Scheme Admins
    >
    >>Also verify
    >> that domain admins is a member of the administrators group for the domain
    > as
    >> it is possible for it to be removed.
    >
    > I checked this with the SBS Admin console and it appears to be OK.
    >
    >>You should also run a full malware scan
    >> on your server being sure to use the latest definitions from your vendor.
    >
    > Just tried a full AV scan and it consistently locks up half way through -
    > not a great sign!
    > Just ran MS Antyspyware beta and it's clean; will try a different AV
    > scanner
    > and try again.
    >
    >> Also some "protection" packages can block access to the registry I am
    > told.
    >> You may want to boot into safe mode to see if that helps.
    >
    > Will try this at the weekend - the server's in use at the moment.
    >
    >>Subinacl is a tool
    >> that can be used to view and change file and registry permissions at the
    >> command line if need be. However it is very powerful and I would not use
    > it
    >> unless you have a full image type backup of your server or you are very
    >> confident that you are using the right command possibly from trying it on
    > a
    >> test computer first.
    >
    > Thanks! Have used it to show the HKLM permissions. Typing
    > subinacl /key HKEY_LOCAL_MACHINE /display
    > I get :
    >
    > ===========================
    > +KeyReg HKEY_LOCAL_MACHINE
    > ===========================
    > /control=0x0
    > /owner =builtin\administrators
    > /primary group =system
    > /audit ace count =0
    > /perm. ace count =4
    >
    > /pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
    > CONTAINER_INHERIT_ACE-0x2
    > Key and SubKey - Type of Access:
    > Full Control
    > Detailed Access Flags :
    > KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    > KEY_CREATE_SUB_KEY-0x4
    > KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10 KEY_CREATE_LINK-0x20
    > DELETE-0x10000
    > READ_CONTROL-0x20000 WRITE_DAC-0x40000 WRITE_OWNER-0x80000
    >
    > /pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
    > CONTAINER_INHERIT_ACE-0x2
    > Key and SubKey - Type of Access:
    > Full Control
    > Detailed Access Flags :
    > KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    > KEY_CREATE_SUB_KEY-0x4
    > KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10 KEY_CREATE_LINK-0x20
    > DELETE-0x10000
    > READ_CONTROL-0x20000 WRITE_DAC-0x40000 WRITE_OWNER-0x80000
    >
    > /pace =everyone ACCESS_ALLOWED_ACE_TYPE-0x0
    > CONTAINER_INHERIT_ACE-0x2
    > Key and SubKey - Type of Access:
    > Read
    > Detailed Access Flags :
    > KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    > READ_CONTROL-0x20000
    >
    > /pace =restricted ACCESS_ALLOWED_ACE_TYPE-0x0
    > CONTAINER_INHERIT_ACE-0x2
    > Key and SubKey - Type of Access:
    > Read
    > Detailed Access Flags :
    > KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    > READ_CONTROL-0x20000
    >
    >
    >
    > and this compares to HKEY_USERS which I do have access to as follows:
    >
    >
    > ===================
    > +KeyReg HKEY_USERS
    > ===================
    > /control=0x0
    > /owner =builtin\administrators
    > /primary group =system
    > /audit ace count =0
    > /perm. ace count =4
    >
    > /pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
    > CONTAINER_INHERIT_ACE-0x2
    > Key and SubKey - Type of Access:
    > Full Control
    > Detailed Access Flags :
    > KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    > KEY_CREATE_SUB_KEY-0x4
    > KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10 KEY_CREATE_LINK-0x20
    > DELETE-0x10000
    > READ_CONTROL-0x20000 WRITE_DAC-0x40000 WRITE_OWNER-0x80000
    >
    > /pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
    > CONTAINER_INHERIT_ACE-0x2
    > Key and SubKey - Type of Access:
    > Full Control
    > Detailed Access Flags :
    > KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    > KEY_CREATE_SUB_KEY-0x4
    > KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10 KEY_CREATE_LINK-0x20
    > DELETE-0x10000
    > READ_CONTROL-0x20000 WRITE_DAC-0x40000 WRITE_OWNER-0x80000
    >
    > /pace =everyone ACCESS_ALLOWED_ACE_TYPE-0x0
    > CONTAINER_INHERIT_ACE-0x2
    > Key and SubKey - Type of Access:
    > Read
    > Detailed Access Flags :
    > KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    > READ_CONTROL-0x20000
    >
    > /pace =restricted ACCESS_ALLOWED_ACE_TYPE-0x0
    > CONTAINER_INHERIT_ACE-0x2
    > Key and SubKey - Type of Access:
    > Read
    > Detailed Access Flags :
    > KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    > READ_CONTROL-0x20000
    >
    > To me it looks fine; but there's definitely something wrong somewhere
    > because it won't show HKLM permissions etc from regedit!
    >
    > Do you think I should try
    >
    > subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
    > subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=systems=f
    >
    > ?
    >
    > Ironically the reason I'm going through all this is so that I can create a
    > ghost image - I'm using Veritas IDR and it's not playing ball.
    > So I can't easily ghost the server before making changes.
    >
    >>Group Policy can also be used to manage registry
    >> permissions via computer configuration/Windows settings/security
    > settings -
    >> registry though you need to be careful doing such and should unlink the
    >> Group Policy when done and needs to be linked to the proper OU where the
    >> computer accounts are. Improper use of file/registry permissions via
    > Group
    >> Policy can cause performance problems in the domain. --- Steve
    >
    > I don't appear to have the 'registry' item available under 'security
    > settings'....
    >
    > It's not looking good is it??!
    >
    > Andy
    >
    >
    >
    >
    >
    >
  6. Archived from groups: microsoft.public.win2000.security (More info?)

    It sure is starting to sound like a malware based inhibition
    of registry tool access.

    --
    Roger
    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:e%233zjHbfFHA.1412@TK2MSFTNGP09.phx.gbl...
    > Hmm. From what I can tell it looks like subinacl shows that administrators
    > have full control of HKLM. I am at a loss as why you can not edit it. I
    > always use regedt32 for Windows 2000 so you may want to try that if you
    have
    > not yet. If it was my computer I would not use subinacl until I had an
    image
    > backup. As far as Group Policy - registry you will not see that in Local
    > Group Policy but it should show in Domain Controller Security Policy if
    SBS
    > has such. If you can not get for antivirus to work try using the SysClean
    > utility from Trend Micro [see links below]. Just download Sysclean and the
    > pattern file [after unzipping] into a common folder to run from - no
    > installation is involved. --- Steve
    >
    > http://www.trendmicro.com/download/dcs.asp
    > http://www.trendmicro.com/download/pattern.asp
    >
    > "Andy Roxburgh" <spamplease@hotmail.co.uk> wrote in message
    > news:usMh4EYfFHA.3904@TK2MSFTNGP14.phx.gbl...
    > > Hi Steven,
    > >
    > >> Make sure that you are logging on as the administrator account and not
    > > some
    > >> renamed administrator which is sometimes used as a domain account. The
    > >> command "net user administrator" will display group membership.
    > >
    > > I get (exactly as output) :
    > > ....
    > > Logon Script
    > > User Profile
    > > Home Directory
    > > Last logon 6/30/2005 2:00pm
    > >
    > > Logon Hours Allowed All
    > >
    > > Local Group Memberships
    > > *Account Operators
    > > *Administrators
    > > *Backup operators
    > > *Server Operators
    > > *Print Operators
    > >
    > > Global Group Memberships
    > > *Exchange Services
    > > *Domain Admins
    > > *Domain Users
    > > *Enterprise Admins
    > > *Exchange Domain Serve
    > > *Group Policy Creator
    > > *Backoffice Internet U
    > > *Scheme Admins
    > >
    > >>Also verify
    > >> that domain admins is a member of the administrators group for the
    domain
    > > as
    > >> it is possible for it to be removed.
    > >
    > > I checked this with the SBS Admin console and it appears to be OK.
    > >
    > >>You should also run a full malware scan
    > >> on your server being sure to use the latest definitions from your
    vendor.
    > >
    > > Just tried a full AV scan and it consistently locks up half way
    through -
    > > not a great sign!
    > > Just ran MS Antyspyware beta and it's clean; will try a different AV
    > > scanner
    > > and try again.
    > >
    > >> Also some "protection" packages can block access to the registry I am
    > > told.
    > >> You may want to boot into safe mode to see if that helps.
    > >
    > > Will try this at the weekend - the server's in use at the moment.
    > >
    > >>Subinacl is a tool
    > >> that can be used to view and change file and registry permissions at
    the
    > >> command line if need be. However it is very powerful and I would not
    use
    > > it
    > >> unless you have a full image type backup of your server or you are very
    > >> confident that you are using the right command possibly from trying it
    on
    > > a
    > >> test computer first.
    > >
    > > Thanks! Have used it to show the HKLM permissions. Typing
    > > subinacl /key HKEY_LOCAL_MACHINE /display
    > > I get :
    > >
    > > ===========================
    > > +KeyReg HKEY_LOCAL_MACHINE
    > > ===========================
    > > /control=0x0
    > > /owner =builtin\administrators
    > > /primary group =system
    > > /audit ace count =0
    > > /perm. ace count =4
    > >
    > > /pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
    > > CONTAINER_INHERIT_ACE-0x2
    > > Key and SubKey - Type of Access:
    > > Full Control
    > > Detailed Access Flags :
    > > KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    > > KEY_CREATE_SUB_KEY-0x4
    > > KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    KEY_CREATE_LINK-0x20
    > > DELETE-0x10000
    > > READ_CONTROL-0x20000 WRITE_DAC-0x40000
    WRITE_OWNER-0x80000
    > >
    > > /pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
    > > CONTAINER_INHERIT_ACE-0x2
    > > Key and SubKey - Type of Access:
    > > Full Control
    > > Detailed Access Flags :
    > > KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    > > KEY_CREATE_SUB_KEY-0x4
    > > KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    KEY_CREATE_LINK-0x20
    > > DELETE-0x10000
    > > READ_CONTROL-0x20000 WRITE_DAC-0x40000
    WRITE_OWNER-0x80000
    > >
    > > /pace =everyone ACCESS_ALLOWED_ACE_TYPE-0x0
    > > CONTAINER_INHERIT_ACE-0x2
    > > Key and SubKey - Type of Access:
    > > Read
    > > Detailed Access Flags :
    > > KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    > > READ_CONTROL-0x20000
    > >
    > > /pace =restricted ACCESS_ALLOWED_ACE_TYPE-0x0
    > > CONTAINER_INHERIT_ACE-0x2
    > > Key and SubKey - Type of Access:
    > > Read
    > > Detailed Access Flags :
    > > KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    > > READ_CONTROL-0x20000
    > >
    > >
    > >
    > > and this compares to HKEY_USERS which I do have access to as follows:
    > >
    > >
    > > ===================
    > > +KeyReg HKEY_USERS
    > > ===================
    > > /control=0x0
    > > /owner =builtin\administrators
    > > /primary group =system
    > > /audit ace count =0
    > > /perm. ace count =4
    > >
    > > /pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
    > > CONTAINER_INHERIT_ACE-0x2
    > > Key and SubKey - Type of Access:
    > > Full Control
    > > Detailed Access Flags :
    > > KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    > > KEY_CREATE_SUB_KEY-0x4
    > > KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    KEY_CREATE_LINK-0x20
    > > DELETE-0x10000
    > > READ_CONTROL-0x20000 WRITE_DAC-0x40000
    WRITE_OWNER-0x80000
    > >
    > > /pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
    > > CONTAINER_INHERIT_ACE-0x2
    > > Key and SubKey - Type of Access:
    > > Full Control
    > > Detailed Access Flags :
    > > KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    > > KEY_CREATE_SUB_KEY-0x4
    > > KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    KEY_CREATE_LINK-0x20
    > > DELETE-0x10000
    > > READ_CONTROL-0x20000 WRITE_DAC-0x40000
    WRITE_OWNER-0x80000
    > >
    > > /pace =everyone ACCESS_ALLOWED_ACE_TYPE-0x0
    > > CONTAINER_INHERIT_ACE-0x2
    > > Key and SubKey - Type of Access:
    > > Read
    > > Detailed Access Flags :
    > > KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    > > READ_CONTROL-0x20000
    > >
    > > /pace =restricted ACCESS_ALLOWED_ACE_TYPE-0x0
    > > CONTAINER_INHERIT_ACE-0x2
    > > Key and SubKey - Type of Access:
    > > Read
    > > Detailed Access Flags :
    > > KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    > > READ_CONTROL-0x20000
    > >
    > > To me it looks fine; but there's definitely something wrong somewhere
    > > because it won't show HKLM permissions etc from regedit!
    > >
    > > Do you think I should try
    > >
    > > subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
    > > subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=systems=f
    > >
    > > ?
    > >
    > > Ironically the reason I'm going through all this is so that I can create
    a
    > > ghost image - I'm using Veritas IDR and it's not playing ball.
    > > So I can't easily ghost the server before making changes.
    > >
    > >>Group Policy can also be used to manage registry
    > >> permissions via computer configuration/Windows settings/security
    > > settings -
    > >> registry though you need to be careful doing such and should unlink the
    > >> Group Policy when done and needs to be linked to the proper OU where
    the
    > >> computer accounts are. Improper use of file/registry permissions via
    > > Group
    > >> Policy can cause performance problems in the domain. --- Steve
    > >
    > > I don't appear to have the 'registry' item available under 'security
    > > settings'....
    > >
    > > It's not looking good is it??!
    > >
    > > Andy
    > >
    > >
    > >
    > >
    > >
    > >
    >
    >
  7. Archived from groups: microsoft.public.win2000.security (More info?)

    I was wondering about such. Hopefully using Sysclean and trying from safe
    mode will give a clue. I also understand that some "internet protection"
    packages can also block access to/protect the registry and users often do
    not realize such or forget about it when they install those type programs.
    I have not used such a program myself. Many of the antivirus programs are
    going far beyond just malware detection and removal which I guess is a good
    thing if a user understands/remembers what is being done to their
    omputer. --- Steve


    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:ud47DukfFHA.2156@TK2MSFTNGP14.phx.gbl...
    > It sure is starting to sound like a malware based inhibition
    > of registry tool access.
    >
    > --
    > Roger
    > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    > news:e%233zjHbfFHA.1412@TK2MSFTNGP09.phx.gbl...
    >> Hmm. From what I can tell it looks like subinacl shows that
    >> administrators
    >> have full control of HKLM. I am at a loss as why you can not edit it. I
    >> always use regedt32 for Windows 2000 so you may want to try that if you
    > have
    >> not yet. If it was my computer I would not use subinacl until I had an
    > image
    >> backup. As far as Group Policy - registry you will not see that in Local
    >> Group Policy but it should show in Domain Controller Security Policy if
    > SBS
    >> has such. If you can not get for antivirus to work try using the SysClean
    >> utility from Trend Micro [see links below]. Just download Sysclean and
    >> the
    >> pattern file [after unzipping] into a common folder to run from - no
    >> installation is involved. --- Steve
    >>
    >> http://www.trendmicro.com/download/dcs.asp
    >> http://www.trendmicro.com/download/pattern.asp
    >>
    >> "Andy Roxburgh" <spamplease@hotmail.co.uk> wrote in message
    >> news:usMh4EYfFHA.3904@TK2MSFTNGP14.phx.gbl...
    >> > Hi Steven,
    >> >
    >> >> Make sure that you are logging on as the administrator account and not
    >> > some
    >> >> renamed administrator which is sometimes used as a domain account. The
    >> >> command "net user administrator" will display group membership.
    >> >
    >> > I get (exactly as output) :
    >> > ....
    >> > Logon Script
    >> > User Profile
    >> > Home Directory
    >> > Last logon 6/30/2005 2:00pm
    >> >
    >> > Logon Hours Allowed All
    >> >
    >> > Local Group Memberships
    >> > *Account Operators
    >> > *Administrators
    >> > *Backup operators
    >> > *Server Operators
    >> > *Print Operators
    >> >
    >> > Global Group Memberships
    >> > *Exchange Services
    >> > *Domain Admins
    >> > *Domain Users
    >> > *Enterprise Admins
    >> > *Exchange Domain Serve
    >> > *Group Policy Creator
    >> > *Backoffice Internet U
    >> > *Scheme Admins
    >> >
    >> >>Also verify
    >> >> that domain admins is a member of the administrators group for the
    > domain
    >> > as
    >> >> it is possible for it to be removed.
    >> >
    >> > I checked this with the SBS Admin console and it appears to be OK.
    >> >
    >> >>You should also run a full malware scan
    >> >> on your server being sure to use the latest definitions from your
    > vendor.
    >> >
    >> > Just tried a full AV scan and it consistently locks up half way
    > through -
    >> > not a great sign!
    >> > Just ran MS Antyspyware beta and it's clean; will try a different AV
    >> > scanner
    >> > and try again.
    >> >
    >> >> Also some "protection" packages can block access to the registry I am
    >> > told.
    >> >> You may want to boot into safe mode to see if that helps.
    >> >
    >> > Will try this at the weekend - the server's in use at the moment.
    >> >
    >> >>Subinacl is a tool
    >> >> that can be used to view and change file and registry permissions at
    > the
    >> >> command line if need be. However it is very powerful and I would not
    > use
    >> > it
    >> >> unless you have a full image type backup of your server or you are
    >> >> very
    >> >> confident that you are using the right command possibly from trying it
    > on
    >> > a
    >> >> test computer first.
    >> >
    >> > Thanks! Have used it to show the HKLM permissions. Typing
    >> > subinacl /key HKEY_LOCAL_MACHINE /display
    >> > I get :
    >> >
    >> > ===========================
    >> > +KeyReg HKEY_LOCAL_MACHINE
    >> > ===========================
    >> > /control=0x0
    >> > /owner =builtin\administrators
    >> > /primary group =system
    >> > /audit ace count =0
    >> > /perm. ace count =4
    >> >
    >> > /pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
    >> > CONTAINER_INHERIT_ACE-0x2
    >> > Key and SubKey - Type of Access:
    >> > Full Control
    >> > Detailed Access Flags :
    >> > KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    >> > KEY_CREATE_SUB_KEY-0x4
    >> > KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    > KEY_CREATE_LINK-0x20
    >> > DELETE-0x10000
    >> > READ_CONTROL-0x20000 WRITE_DAC-0x40000
    > WRITE_OWNER-0x80000
    >> >
    >> > /pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
    >> > CONTAINER_INHERIT_ACE-0x2
    >> > Key and SubKey - Type of Access:
    >> > Full Control
    >> > Detailed Access Flags :
    >> > KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    >> > KEY_CREATE_SUB_KEY-0x4
    >> > KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    > KEY_CREATE_LINK-0x20
    >> > DELETE-0x10000
    >> > READ_CONTROL-0x20000 WRITE_DAC-0x40000
    > WRITE_OWNER-0x80000
    >> >
    >> > /pace =everyone ACCESS_ALLOWED_ACE_TYPE-0x0
    >> > CONTAINER_INHERIT_ACE-0x2
    >> > Key and SubKey - Type of Access:
    >> > Read
    >> > Detailed Access Flags :
    >> > KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    >> > READ_CONTROL-0x20000
    >> >
    >> > /pace =restricted ACCESS_ALLOWED_ACE_TYPE-0x0
    >> > CONTAINER_INHERIT_ACE-0x2
    >> > Key and SubKey - Type of Access:
    >> > Read
    >> > Detailed Access Flags :
    >> > KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    >> > READ_CONTROL-0x20000
    >> >
    >> >
    >> >
    >> > and this compares to HKEY_USERS which I do have access to as follows:
    >> >
    >> >
    >> > ===================
    >> > +KeyReg HKEY_USERS
    >> > ===================
    >> > /control=0x0
    >> > /owner =builtin\administrators
    >> > /primary group =system
    >> > /audit ace count =0
    >> > /perm. ace count =4
    >> >
    >> > /pace =system ACCESS_ALLOWED_ACE_TYPE-0x0
    >> > CONTAINER_INHERIT_ACE-0x2
    >> > Key and SubKey - Type of Access:
    >> > Full Control
    >> > Detailed Access Flags :
    >> > KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    >> > KEY_CREATE_SUB_KEY-0x4
    >> > KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    > KEY_CREATE_LINK-0x20
    >> > DELETE-0x10000
    >> > READ_CONTROL-0x20000 WRITE_DAC-0x40000
    > WRITE_OWNER-0x80000
    >> >
    >> > /pace =builtin\administrators ACCESS_ALLOWED_ACE_TYPE-0x0
    >> > CONTAINER_INHERIT_ACE-0x2
    >> > Key and SubKey - Type of Access:
    >> > Full Control
    >> > Detailed Access Flags :
    >> > KEY_QUERY_VALUE-0x1 KEY_SET_VALUE-0x2
    >> > KEY_CREATE_SUB_KEY-0x4
    >> > KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    > KEY_CREATE_LINK-0x20
    >> > DELETE-0x10000
    >> > READ_CONTROL-0x20000 WRITE_DAC-0x40000
    > WRITE_OWNER-0x80000
    >> >
    >> > /pace =everyone ACCESS_ALLOWED_ACE_TYPE-0x0
    >> > CONTAINER_INHERIT_ACE-0x2
    >> > Key and SubKey - Type of Access:
    >> > Read
    >> > Detailed Access Flags :
    >> > KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    >> > READ_CONTROL-0x20000
    >> >
    >> > /pace =restricted ACCESS_ALLOWED_ACE_TYPE-0x0
    >> > CONTAINER_INHERIT_ACE-0x2
    >> > Key and SubKey - Type of Access:
    >> > Read
    >> > Detailed Access Flags :
    >> > KEY_QUERY_VALUE-0x1 KEY_ENUMERATE_SUB_KEYS-0x8 KEY_NOTIFY-0x10
    >> > READ_CONTROL-0x20000
    >> >
    >> > To me it looks fine; but there's definitely something wrong somewhere
    >> > because it won't show HKLM permissions etc from regedit!
    >> >
    >> > Do you think I should try
    >> >
    >> > subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
    >> > subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=systems=f
    >> >
    >> > ?
    >> >
    >> > Ironically the reason I'm going through all this is so that I can
    >> > create
    > a
    >> > ghost image - I'm using Veritas IDR and it's not playing ball.
    >> > So I can't easily ghost the server before making changes.
    >> >
    >> >>Group Policy can also be used to manage registry
    >> >> permissions via computer configuration/Windows settings/security
    >> > settings -
    >> >> registry though you need to be careful doing such and should unlink
    >> >> the
    >> >> Group Policy when done and needs to be linked to the proper OU where
    > the
    >> >> computer accounts are. Improper use of file/registry permissions via
    >> > Group
    >> >> Policy can cause performance problems in the domain. --- Steve
    >> >
    >> > I don't appear to have the 'registry' item available under 'security
    >> > settings'....
    >> >
    >> > It's not looking good is it??!
    >> >
    >> > Andy
    >> >
    >> >
    >> >
    >> >
    >> >
    >> >
    >>
    >>
    >
    >
  8. Archived from groups: microsoft.public.win2000.security (More info?)

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:uWxgv1lfFHA.1284@TK2MSFTNGP14.phx.gbl...
    > I was wondering about such. Hopefully using Sysclean and trying from safe
    > mode will give a clue. I also understand that some "internet protection"
    > packages can also block access to/protect the registry and users often do
    > not realize such or forget about it when they install those type programs.
    > I have not used such a program myself. Many of the antivirus programs are
    > going far beyond just malware detection and removal which I guess is a
    good
    > thing if a user understands/remembers what is being done to their
    > omputer. --- Steve
    >
    >

    Ey, brave new world now, and again coming, isn't it Steve ?
    Half of the ground rules will probably have shifted by your return.
    Have a great time up north Sir, an kiss the short sweet Summer once
    for me, ok?
    --
    ra
  9. Archived from groups: microsoft.public.win2000.security (More info?)

    I guess time waits for no one as technology marches on though sometimes it
    is nice to get away from it all. I will be around for a couple of weeks
    t. -- Steve


    "Roger Abell" <mvpNOSpam@asu.edu> wrote in message
    news:uyCFyUsfFHA.1044@tk2msftngp13.phx.gbl...
    > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    > news:uWxgv1lfFHA.1284@TK2MSFTNGP14.phx.gbl...
    >> I was wondering about such. Hopefully using Sysclean and trying from safe
    >> mode will give a clue. I also understand that some "internet protection"
    >> packages can also block access to/protect the registry and users often do
    >> not realize such or forget about it when they install those type
    >> programs.
    >> I have not used such a program myself. Many of the antivirus programs are
    >> going far beyond just malware detection and removal which I guess is a
    > good
    >> thing if a user understands/remembers what is being done to their
    >> omputer. --- Steve
    >>
    >>
    >
    > Ey, brave new world now, and again coming, isn't it Steve ?
    > Half of the ground rules will probably have shifted by your return.
    > Have a great time up north Sir, an kiss the short sweet Summer once
    > for me, ok?
    > --
    > ra
    >
    >
  10. Archived from groups: microsoft.public.win2000.security (More info?)

    FYI, the problem eventually got fixed by using the reset.cmd script and
    SubInAcl.exe.


    Andy
Ask a new question

Read More

Domain Windows