Can't Run Defrag - Even with 'Perform Volume Maintenance' Set

[Guest]

Hi,

A while ago we removed our users from the local admins group, leaving them
just as normal users, as they were installing non-corporate software. We
found out after that some of the users like to run Defrag on a monthly
basis, which became restricted when they were removed from the admins group.

As we have no problem with this we edited the group policy under "Computer
Configuration\Windows Settings\Security Settings\Local Policies\User Rights
Assignments" to give 'Domain Users' the 'Perform volume maintenance tasks'
right, which according to http://tinyurl.com/ks6s8 "Determines which users
and groups have the authority to run volume maintenance tasks, such as Disk
Cleanup and Disk Defragmenter".

However, after a number of reboots, and forced GP refreshes, the users still
can't perform a defrag. I have run RSoP and it shows that the policy is
applied, and the users should be able to perform volume maintenance.
Is there a bug in Defrag or the Policy, that is stopping it being applied?
Or am I adding the wrong user group? I've tried 'Authenticated Users',
specific security groups, such as Sales, Accounts etc and even individual
users, nothing works.

We're running Windows XP Pro SP2, in a Windows 2003 native domain
environment.

Any advice, greatly received

Ben

 

[Steven L Umbach]

Apparently that user right does not work as expected as I have seen the
same. What you could try is to use the command line tool defrag to run in
schedule using the AT command of Scheduled Task. For instance try the
command [ AT 22:00 /interactive defrag c: -v ] on a users computer while
logged on as an administrator and use a time that is in the future while the
user is logged on to see if it works or not. You can also use schtasks to do
Scheduled Tasks on a computer and make it part of a Group Policy "startup"
script if you have a large number of computers you want to deploy it on. For
defrag you might want to try that and use the system account to run the
task. --- Steve

http://www.microsoft.com/resources/.../xp/all/proddocs/en-us/schtasks.mspx?mfr=true
--- schtasks
http://support.microsoft.com/default.aspx?scid=kb;en-us;313565 --- AT
command use

 

[Vincent Xu [MSFT]]

Hi,

Thanks Steven for greate information. I agree with Steven and please try
Steven's suggestion. Let me know if you still have questions.

Have a good day.

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------

NNTP-Posting-Date: Thu, 11 May 2006 14:13:20 -0500
From: "Steven L Umbach" <[email protected]>
Newsgroups:

microsoft.public.windows.group_policy,microsoft.public.windowsxp.security_ad
min

References: <[email protected]>
Subject: Re: Can't Run Defrag - Even with 'Perform Volume Maintenance' Set
Date: Thu, 11 May 2006 14:13:23 -0500
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
X-RFC2646: Format=Flowed; Response
Message-ID: <[email protected]>
Lines: 50
NNTP-Posting-Host: 71.201.87.159
X-Trace:

sv3-QfCn+jm+U228orgzLnmd4cln6m9x2TR9DKEkNocAKSTqRepXOSM1jHYO369jhInhSw9X7F5v
KhkYyO/!XvmC9H+ADebaeflRTiVwK2zgojUy0DYUOs9tyQIzILrUsJtgP8tWuQWddXzBjSQP9SUX
n4lN

X-Complaints-To: (e-mail address removed)
X-DMCA-Complaints-To: (e-mail address removed)
X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your complaint properly
X-Postfilter: 1.3.32
Path:

TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTFEEDS01.phx.gbl!newsfeed.c
w.net!cw.net!news-FFM2.ecrc.de!newscon06.news.prodigy.com!prodigy.net!border
1.nntp.dca.giganews.com!nntp.giganews.com!local01.nntp.dca.giganews.com!nntp
.comcast.com!news.comcast.com.POSTED!not-for-mail

Xref: TK2MSFTNGXA01.phx.gbl

microsoft.public.windowsxp.security_admin:184258
microsoft.public.windows.group_policy:20605

X-Tomcat-NG: microsoft.public.windowsxp.security_admin

Apparently that user right does not work as expected as I have seen the
same. What you could try is to use the command line tool defrag to run in
schedule using the AT command of Scheduled Task. For instance try the
command [ AT 22:00 /interactive defrag c: -v ] on a users computer while
logged on as an administrator and use a time that is in the future while the
user is logged on to see if it works or not. You can also use schtasks to do
Scheduled Tasks on a computer and make it part of a Group Policy "startup"
script if you have a large number of computers you want to deploy it on. For
defrag you might want to try that and use the system account to run the
task. --- Steve

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/e n-us/schtasks.mspx?mfr=true
--- schtasks
http://support.microsoft.com/default.aspx?scid=kb;en-us;313565 --- AT
command use

Hi,

A while ago we removed our users from the local admins group, leaving them
just as normal users, as they were installing non-corporate software. We
found out after that some of the users like to run Defrag on a monthly
basis, which became restricted when they were removed from the admins
group.

As we have no problem with this we edited the group policy under "Computer
Configuration\Windows Settings\Security Settings\Local Policies\User
Rights Assignments" to give 'Domain Users' the 'Perform volume maintenance
tasks' right, which according to http://tinyurl.com/ks6s8 "Determines
which users and groups have the authority to run volume maintenance tasks,
such as Disk Cleanup and Disk Defragmenter".

However, after a number of reboots, and forced GP refreshes, the users
still can't perform a defrag. I have run RSoP and it shows that the policy
is applied, and the users should be able to perform volume maintenance.
Is there a bug in Defrag or the Policy, that is stopping it being applied?
Or am I adding the wrong user group? I've tried 'Authenticated Users',
specific security groups, such as Sales, Accounts etc and even individual
users, nothing works.

We're running Windows XP Pro SP2, in a Windows 2003 native domain
environment.

Any advice, greatly received

Ben

 

[Guest]

Hi Steve,

Thanks for the information. I will give it a try and let you know.

Bit of a pain that this doesn't work as expected, I wonder if MS will fix it
in SP3!?

Interestingly, another user, who is not local admin, WAS able to run a
defrag over the weekend, so it seems this policy setting works sometimes,
but not all the time!

Ben

Apparently that user right does not work as expected as I have seen the
same. What you could try is to use the command line tool defrag to run in
schedule using the AT command of Scheduled Task. For instance try the
command [ AT 22:00 /interactive defrag c: -v ] on a users computer while
logged on as an administrator and use a time that is in the future while
the user is logged on to see if it works or not. You can also use schtasks
to do Scheduled Tasks on a computer and make it part of a Group Policy
"startup" script if you have a large number of computers you want to
deploy it on. For defrag you might want to try that and use the system
account to run the task. --- Steve

http://www.microsoft.com/resources/.../xp/all/proddocs/en-us/schtasks.mspx?mfr=true
--- schtasks
http://support.microsoft.com/default.aspx?scid=kb;en-us;313565 --- AT
command use

Hi,

A while ago we removed our users from the local admins group, leaving
them just as normal users, as they were installing non-corporate
software. We found out after that some of the users like to run Defrag on
a monthly basis, which became restricted when they were removed from the
admins group.

As we have no problem with this we edited the group policy under
"Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignments" to give 'Domain Users' the 'Perform
volume maintenance tasks' right, which according to
http://tinyurl.com/ks6s8 "Determines which users and groups have the
authority to run volume maintenance tasks, such as Disk Cleanup and Disk
Defragmenter".

However, after a number of reboots, and forced GP refreshes, the users
still can't perform a defrag. I have run RSoP and it shows that the
policy is applied, and the users should be able to perform volume
maintenance.
Is there a bug in Defrag or the Policy, that is stopping it being
applied? Or am I adding the wrong user group? I've tried 'Authenticated
Users', specific security groups, such as Sales, Accounts etc and even
individual users, nothing works.

We're running Windows XP Pro SP2, in a Windows 2003 native domain
environment.

Any advice, greatly received

Ben

 

[Steven L Umbach]

Are you sure that the user is not a local administrator on that computer??
If not see if any other regular users on that computer can do the same. You
can have any user logon and then use the support tool whoami to see the
users group membership and user rights for that logon session. Below is an
example of such output and note it shows the user right for (O)
SeManageVolumePrivilege = Perform volume maintenance tasks and group
membership for [Group 3] = "BUILTIN\Administrators" S-1-5-32-544 in this
example. --- Steve


D:\Documents and Settings\Steve>whoami /all
[User] = "STEVE-XP\Steve" S-1-5-21-1123561945-152049171-1343024091-1003

[Group 1] = "STEVE-XP\None" S-1-5-21-1123561945-152049171-1343024091-513
[Group 2] = "Everyone" S-1-1-0
[Group 3] = "BUILTIN\Administrators" S-1-5-32-544
[Group 4] = "BUILTIN\Network Configuration Operators" S-1-5-32-556
[Group 5] = "BUILTIN\Users" S-1-5-32-545
[Group 6] = "NT AUTHORITY\INTERACTIVE" S-1-5-4
[Group 7] = "NT AUTHORITY\Authenticated Users" S-1-5-11
[Group 8] = "LOCAL" S-1-2-0


(O) SeLockMemoryPrivilege = Lock pages in memory
(X) SeChangeNotifyPrivilege = Bypass traverse checking
(O) SeSecurityPrivilege = Manage auditing and security log
(O) SeBackupPrivilege = Back up files and directories
(O) SeRestorePrivilege = Restore files and directories
(O) SeSystemtimePrivilege = Change the system time
(O) SeShutdownPrivilege = Shut down the system
(O) SeRemoteShutdownPrivilege = Force shutdown from a remote system
(O) SeTakeOwnershipPrivilege = Take ownership of files or other
objects
(O) SeDebugPrivilege = Debug programs
(O) SeSystemEnvironmentPrivilege = Modify firmware environment values
(O) SeSystemProfilePrivilege = Profile system performance
(O) SeProfileSingleProcessPrivilege = Profile single process
(O) SeIncreaseBasePriorityPrivilege = Increase scheduling priority
(X) SeLoadDriverPrivilege = Load and unload device drivers
(O) SeCreatePagefilePrivilege = Create a pagefile
(O) SeIncreaseQuotaPrivilege = Adjust memory quotas for a process
(X) SeUndockPrivilege = Remove computer from docking station
(O) SeManageVolumePrivilege = Perform volume maintenance tasks
(X) SeCreateGlobalPrivilege = Create global objects
(X) SeImpersonatePrivilege = Impersonate a client after
authentication

Hi Steve,

Thanks for the information. I will give it a try and let you know.

Bit of a pain that this doesn't work as expected, I wonder if MS will fix
it in SP3!?

Interestingly, another user, who is not local admin, WAS able to run a
defrag over the weekend, so it seems this policy setting works sometimes,
but not all the time!

Ben

Apparently that user right does not work as expected as I have seen the
same. What you could try is to use the command line tool defrag to run in
schedule using the AT command of Scheduled Task. For instance try the
command [ AT 22:00 /interactive defrag c: -v ] on a users computer while
logged on as an administrator and use a time that is in the future while
the user is logged on to see if it works or not. You can also use
schtasks to do Scheduled Tasks on a computer and make it part of a Group
Policy "startup" script if you have a large number of computers you want
to deploy it on. For defrag you might want to try that and use the system
account to run the task. --- Steve

http://www.microsoft.com/resources/.../xp/all/proddocs/en-us/schtasks.mspx?mfr=true
--- schtasks
http://support.microsoft.com/default.aspx?scid=kb;en-us;313565 --- AT
command use

Hi,

A while ago we removed our users from the local admins group, leaving
them just as normal users, as they were installing non-corporate
software. We found out after that some of the users like to run Defrag
on a monthly basis, which became restricted when they were removed from
the admins group.

As we have no problem with this we edited the group policy under
"Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignments" to give 'Domain Users' the 'Perform
volume maintenance tasks' right, which according to
http://tinyurl.com/ks6s8 "Determines which users and groups have the
authority to run volume maintenance tasks, such as Disk Cleanup and Disk
Defragmenter".

However, after a number of reboots, and forced GP refreshes, the users
still can't perform a defrag. I have run RSoP and it shows that the
policy is applied, and the users should be able to perform volume
maintenance.
Is there a bug in Defrag or the Policy, that is stopping it being
applied? Or am I adding the wrong user group? I've tried 'Authenticated
Users', specific security groups, such as Sales, Accounts etc and even
individual users, nothing works.

We're running Windows XP Pro SP2, in a Windows 2003 native domain
environment.

Any advice, greatly received

Ben

 

[Vincent Xu [MSFT]]

Hi Ben,

Just wondering how is everything going.

Regarding SP3, so far I have no idea. Microsoft will publish the news if
SP2 will be released.

Have a good day.

Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
PLEASE NOTE: The partner managed newsgroups are provided to assist with
break/fix issues and simple how to questions.

We also love to hear your product feedback!
Let us know what you think by posting
from the web interface: Partner Feedback
from your newsreader: microsoft.private.directaccess.partnerfeedback.
We look forward to hearing from you!
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------

Reply-To: <[email protected]>
From: <[email protected]>
References: <[email protected]>

Subject: Re: Can't Run Defrag - Even with 'Perform Volume Maintenance' Set
Date: Mon, 15 May 2006 14:34:34 +0100
Lines: 69
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
X-RFC2646: Format=Flowed; Response
Message-ID: <[email protected]>
Newsgroups:

microsoft.public.windows.group_policy,microsoft.public.windowsxp.security_ad
min

NNTP-Posting-Host: host217-37-28-250.in-addr.btopenworld.com 217.37.28.250
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl

microsoft.public.windowsxp.security_admin:184405
microsoft.public.windows.group_policy:20645

X-Tomcat-NG: microsoft.public.windowsxp.security_admin

Hi Steve,

Thanks for the information. I will give it a try and let you know.

Bit of a pain that this doesn't work as expected, I wonder if MS will fix it
in SP3!?

Interestingly, another user, who is not local admin, WAS able to run a
defrag over the weekend, so it seems this policy setting works sometimes,
but not all the time!

Ben

Apparently that user right does not work as expected as I have seen the
same. What you could try is to use the command line tool defrag to run in
schedule using the AT command of Scheduled Task. For instance try the
command [ AT 22:00 /interactive defrag c: -v ] on a users computer while
logged on as an administrator and use a time that is in the future while
the user is logged on to see if it works or not. You can also use schtasks
to do Scheduled Tasks on a computer and make it part of a Group Policy
"startup" script if you have a large number of computers you want to
deploy it on. For defrag you might want to try that and use the system
account to run the task. --- Steve

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-
us/schtasks.mspx?mfr=true