remove security for everyone

[Dmitry Korolyov [MVP]]

Grant Full Control to SYSTEM and builtin Administrators group. Take ownership of the directory if needed.

You will need to reapply initial file system security settings. This can be done by reapplying setup security.inf template; file system section should be enough:


secedit /configure /cfg "setup security.inf" /db setup.sdb /areas filestore

--
Dmitry Korolyov [[email protected]]
MVP: Windows Server - Active Directory


ok so now i've done it - i was playing with security and
set the c:\winnt directory to have no access by everyone -
although i thought that i gave full rights to
administrators i can no longer access winnt which means i
can't run any admin utils etc - oops - i'm a little afraid
of rebooting because i dont think i can login again.
any help would be appreciated

 

[Karl]

ok so now i've done it - i was playing with security and
set the c:\winnt directory to have no access by everyone -
although i thought that i gave full rights to
administrators i can no longer access winnt which means i
can't run any admin utils etc - oops - i'm a little afraid
of rebooting because i dont think i can login again.
any help would be appreciated

 

[Oli Restorick [MVP]]

As you've discovered, "deny" means "deny". It overrides anything else.

You should be able to take ownership from the security tab and then reset
the permissions.

Oli

 

[Karl]

unfortunatly after denying access to winnt folder i no
longer have the security tab available when looking at the
folder or file properties - also cannot run user manager
for active directory
kb

 

[Robert Moir]

unfortunatly after denying access to winnt folder i no
longer have the security tab available when looking at the
folder or file properties - also cannot run user manager
for active directory
kb

Try taking ownership at a higher level (root of the drive in this case).
It'll take a while but ought to get there.

 

[Karl]

Even at the higher levels i can't change any permissions
which i think is because all of the utils are in the winnt
directory - i tried to make a new share on drive c: then
change permissions to no avail (the button is there but
will not work)
yikes
kb

 

[Oli Restorick [MVP]]

Does the secedit tool that Dmitry suggested work? If not, see if you can
get the executable and file from another Windows 2000 system.

Depending on the value of the system, now is the time to get all the data
off of it. If you end up rebooting, you could always do an repair
installation (a.k.a. over-the-top installation) to restore the system.

As I said, it depends on the system's value. If it's a domain controller,
for example, that might not be a great idea. If it's your only domain
controller then you have a serious problem.

Regards

Oli

 

[Karl]

well ... actually i haven't been able to run this yet only
because i'm connecting to the system remotely and cannot
get into the office today - i only have access to xp and
98 from here and don't have the cd copied to the server -
there are win2k pro's at the office but are shut down for
the weekend.
and yes it is a pdc and the only server configured -
luckily it is not quite in production yet although
everything was installed including metaframe and basically
ready to go live tuesday - until someone started clowning
around with the security
i will try Dmitry's suggestion soon as i can - probably
tomorrow morning
thanks for your help
kb

 

[Oli Restorick [MVP]]

Unless you can be sure that you've got everything back as it should be, it
might be worth rebuilding the machine anyway.

Only you can make that decision, however.

It seems like an unusual configuration you have there -- one DC with Citrix
running on it. You will have some security concerns with Citrix on a DC.
You also know that you should have more than one DC, don't you?

Cheers

Oli

 

[Steven Umbach]

You might want to try downloading the xcalcs utility and using it to revoke
permissions for the everyone group for the \winnt folder and subfolders such as
" xcalcs c:\winnt /r everyone /e /t ". You can run it from the folder it
installs to which will not be in the \winnt folder. Then you might be able to
use secedit to restore ntfs security to default settings. It is best to leave
permissions alone on the \winnt folder. Regular users already have restricted
permissions there. It is OK to change permissions on specific .exe command files
[such as the IIS Lockdown tool does] that you may want to restrict to regular
users such as ping, etc and it is generally best to remove permissions instead
of using deny. No allow permissions for a user/group is an implicit deny. Be
sure to have a backup plan which may include Ghost Images. --- Steve

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/xcacls-o.asp
-- Download link.