From: dinny on 6 Jan 2006 06:11

Hi Ken,

The first link was very interesting (I was not particularly sure what the "fixed" problem referred to was, as I am on SP1 and the behaviour seems unchanged?). However, the admincount was set to one on my ris build account. I didn't really understand why it would be able to create and overwrite new comp accs but not ones created when it was in domain admins, but I did some further investigations:

I ran acldiag on the acc (and ldifde). This confirmed that the admincount attribute was set to one and the acc was not inheriting rights from OUs or groups. I had set the delegation to add and remove computer objects at the group level, so it fitted so far.

I then customised the sample script (in the kb article) and reset the admin count and inheritance flag for the ris build account only. I confirmed it had worked (via acldiag). I then resynced the domain. I tried several times and even waited a day for any replications to take place, and rebooted the ris server (just in case). Unfortunately no change: I still get access denied when I try to rebuild a computer object previously created when the build acc was a member of domain admins (with the 1042 error). (It can still build new objects or rebuild objects that it created while not a member of domain admins, as it always has been able to.)

I ran acldiag against a computer object created when the ris build acc was in domain admins and on one when the ris build acc was not in domain admins.

There are differences:
The owner of the first object is domain admins as opposed to risserver.
risserver has explicit rights on the comp object created when the ris build acc was not in domain admins.
However, I still do not see why the ris build acc should not be able to rebuild the first object? It is as if there is some undocumented protection given to objects created by a domain admin acc?

I'll email you with the acldiag results; see if you can see anything that I am missing...

(By the way I am away from 12th Jan to 1st Feb, so will be unable to respond during this period)

Thanks
Dinny
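The checks Dinny describes above (is the build account marked with adminCount=1 and inheritance blocked, who owns each computer object, and which trustees hold explicit ACEs on it) can be scripted rather than read out of acldiag by hand. The following is an added example and is not from the thread, the KB article, or Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT) and its AD: drive are available, and the account and computer names are placeholders. The Reset-AdminSdHolderMarker function does what the KB sample script Dinny customised does, for a single account: clear adminCount and re-enable inheritance.

```powershell
# Added example, not code from the thread. Assumes RSAT ActiveDirectory module
# and the AD: PSDrive it registers. All account/computer names are placeholders.
Import-Module ActiveDirectory

function Get-AdminSdHolderStatus {
    # Report the adminCount marker and whether the account's ACL blocks inheritance
    # (both are stamped by AdminSDHolder/SDProp on members of protected groups).
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u  = Get-ADUser -Identity $SamAccountName -Properties adminCount, nTSecurityDescriptor
    $sd = $u.nTSecurityDescriptor
    [pscustomobject]@{
        Account            = $u.SamAccountName
        AdminCount         = $u.adminCount
        InheritanceBlocked = $sd.AreAccessRulesProtected
        Owner              = $sd.Owner
        ProtectedGroups    = (Get-ADPrincipalGroupMembership $u |
                              Where-Object { $_.adminCount -eq 1 } |
                              Select-Object -ExpandProperty Name) -join ', '
    }
}

function Compare-ComputerObjectAcl {
    # Side-by-side view of owner, inheritance flag and explicit (non-inherited)
    # ACEs on each computer object, optionally filtered to one trustee name.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$Trustee
    )
    foreach ($name in $ComputerName) {
        $c  = Get-ADComputer -Identity $name -Properties nTSecurityDescriptor
        $sd = $c.nTSecurityDescriptor
        $explicit = $sd.Access | Where-Object {
            -not $_.IsInherited -and
            ([string]::IsNullOrEmpty($Trustee) -or $_.IdentityReference -like "*$Trustee*")
        }
        [pscustomobject]@{
            Computer           = $c.Name
            Owner              = $sd.Owner
            InheritanceBlocked = $sd.AreAccessRulesProtected
            ExplicitAces       = ($explicit | ForEach-Object {
                "$($_.IdentityReference) $($_.AccessControlType) $($_.ActiveDirectoryRights)"
            }) -join '; '
        }
    }
}

function Reset-AdminSdHolderMarker {
    # Clear adminCount and re-enable ACL inheritance on one account. SDProp will
    # re-stamp both within the hour if the account is still in a protected group,
    # so remove it from those groups first (Get-AdminSdHolderStatus lists them).
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName
    Set-ADUser -Identity $u -Clear adminCount
    $path = "AD:\$($u.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # $false = stop protecting (allow inheritance); $true = keep existing explicit ACEs
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

# Usage (placeholder names):
Get-AdminSdHolderStatus -SamAccountName 'risbuild' | Format-List
Compare-ComputerObjectAcl -ComputerName 'PC-BUILT-AS-DA', 'PC-BUILT-DELEGATED' -Trustee 'risbuild' | Format-List
```

Run the two Get/Compare functions before and after any change so there is a record of what actually differs between the two computer objects. In the case described above, the comparison surfaces exactly the two differences Dinny found with acldiag: a different owner (Domain Admins rather than the build account) and the absence of an explicit ACE for the build account on the object created while it was a Domain Admin, which is why OU-level delegation alone may not cover the older object.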
From: Ken Zhao [MSFT] on 9 Jan 2006 03:57
Hi Dinny,

Thanks for your reply! I am performing the further research based on your information. I will reply to let you know if I can find any clues.

Thanks & Regards,
Ken Zhao
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.