DACL code scripting help needed

Guest

We have a number of computers that have the KB914798 security patch applied.
We need to restore the default permissions for the Network Configuration
Operators group so they can change TCP/IP configurations.

Can anyone help me code the DACL to add the default permissions back to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dnscache and tcpip
registry keys for the Network Configuration Operators group? This is for
Windows XP SP1 and SP2 PCs.
 
Steven L Umbach

The permissions you need are probably in the setup security.inf security
template on the computer that is stored in the \windows\security\templates
directory which can be viewed as is with notepad or via the mmc snapin for
security templates looking under registry. If you find what you need you
could also build a new security template with the permissions you need
copying the needed keys from the setup security.inf template and then import
that security template into the affected computers or applying it via Group
Policy. I find it much easier to use the mmc snapin for security templates
to do this than directly editing the .inf file itself. You can also use
secedit as described in the link below to restore default registry
permissions by appending the /areas regkeys. I quickly put together such a
template from those two entries from setup security.inf and pasted what it
shows from setup security.inf on my computer. You can paste that into
notepad, name/save it with .inf, open it with the mmc snapin for security
templates and view the permissions. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Keys]
"machine\system\currentcontrolset\services\dnscache",0,"D:p(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;S-1-5-20)(A;CI;GA;;;S-1-5-19)(A;CI;CCDCLCSWRPSDRC;;;S-1-5-32-556)"
"machine\system\currentcontrolset\services\tcpip",0,"D:p(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;S-1-5-20)(A;CI;GA;;;S-1-5-19)(A;CI;CCDCLCSWRPSDRC;;;S-1-5-32-556)"
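
Added example (not part of the original thread or of Steve's post): a short Python parser that decodes the [Registry Keys] entry posted above into readable ACEs and checks that the Network Configuration Operators ACE is present, for reviewing a template before importing it. The right-code names are the standard registry-key meanings of those SDDL codes; the function and variable names are hypothetical.

```python
import re

# Registry-key meaning of the SDDL right codes, and the trustees, in the posted template.
RIGHTS = {"GA": "Full Control", "GR": "Read", "CC": "Query Value",
          "DC": "Set Value", "LC": "Create Subkey", "SW": "Enumerate Subkeys",
          "RP": "Notify", "SD": "Delete", "RC": "Read Control"}
NCO_SID = "S-1-5-32-556"
NCO_RIGHTS = ["CC", "DC", "LC", "SW", "RP", "SD", "RC"]  # as in the template
TRUSTEES = {"BU": "Users", "PU": "Power Users", "BA": "Administrators",
            "SY": "Local System", "S-1-5-19": "Local Service",
            "S-1-5-20": "Network Service", NCO_SID: "Network Configuration Operators"}

def parse_entry(line):
    """Split one [Registry Keys] line into (key path, mode, SDDL string)."""
    m = re.fullmatch(r'"([^"]+)",(\d+),"([^"]+)"', line.strip())
    if not m:
        raise ValueError("not a [Registry Keys] entry: %r" % line)
    return m.group(1), int(m.group(2)), m.group(3)

def parse_dacl(sddl):
    """Return (protected, aces) for the D: part; two-letter right codes only."""
    m = re.search(r"D:([A-Za-z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, flags, rights, _obj, _inherit_obj, sid = ace.split(";")
        aces.append({"type": ace_type, "flags": flags, "sid": sid,
                     "rights": re.findall("[A-Z]{2}", rights)})
    return "P" in m.group(1).upper(), aces

def describe(sddl):
    """One readable line per ACE, for reviewing a template before import."""
    return ["%s %s: %s" % ("Allow" if a["type"] == "A" else a["type"],
                           TRUSTEES.get(a["sid"], a["sid"]),
                           ", ".join(RIGHTS.get(r, r) for r in a["rights"]))
            for a in parse_dacl(sddl)[1]]

def grants_nco(sddl):
    """True if an allow ACE gives Network Configuration Operators NCO_RIGHTS."""
    return any(a["type"] == "A" and a["sid"] == NCO_SID
               and ("GA" in a["rights"] or set(NCO_RIGHTS) <= set(a["rights"]))
               for a in parse_dacl(sddl)[1])

# The dnscache entry exactly as posted in the thread.
SAMPLE = (r'"machine\system\currentcontrolset\services\dnscache",0,"D:p(A;CI;GR;;;BU)'
          r'(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;S-1-5-20)'
          r'(A;CI;GA;;;S-1-5-19)(A;CI;CCDCLCSWRPSDRC;;;S-1-5-32-556)"')
print("\n".join(describe(parse_entry(SAMPLE)[2])))
```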
 
Steven L Umbach

I should have mentioned that network configuration operators is S-1-5-32-556.
--- Steve

Guest

I tried that and imported a security template that has the correct
permissions. I verified registry permissions and DACLs. I also tried
configuring the computer with the default setup security template. A member
of the Network Configuration Operators Group STILL cannot change the IP
address. This is a machine that has had the KB914798 patch applied.
