Some services won't start

  • Thread starter Thread starter Brandon McCombs
  • Start date Start date
B

Brandon McCombs

Hello,

I hope this is the right place to ask for advice on my problem. It isn't
ADS specific but Win2k3 specific. At some point changes to permissions
on the filesystem and registry were done on a few servers at work and
the result is that if the DNS client, TCP/IP NetBIOS Helper, or Windows
Time services are stopped they can't be restarted due to an Access
Denied error. However if I switch any of those over to the LocalSystem
account they run fine (default for them is NetworkService for 2 of them,
one of them uses LocalService I think). I ran into this problem a few
months back and I had fixed it by putting back an ACE in the registry at
the HKLM/Machine section (like Everyone or Auth. Users) so that it would
filter down to the Services entry under CurrentControlSet (at least
that's what I thought I had done to fix it, i do know it was fixed and
the current servers are different ones than before by the way). The
problem is that on these servers Everyone is already at that level and
with Full Control and I've tried all sorts of things (adding Everyone to
various parts of the HKLM/Machine registry branch and modifying the
permissions on svchost.exe. It is limited to those 3 services because
they run as the non-LocalSystem account and it seems to be limited to
things that are spawned from svchost.exe as well. Event Viewer just
shows the access denied error. Searching google provided nothing. Does
anyone have any ideas?

thanks
 
You could use the default "setup security.inf" template and apply it against
this server. All previous permissions will be reset back to the original
build of the server itself during setup. But all previous permissions setup
will be over written. Certain installed applications might lose
functionality but this is what you want if you want to reset back to the
default install.

http://support.microsoft.com/kb/816585


--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Paul said:
You could use the default "setup security.inf" template and apply it against
this server. All previous permissions will be reset back to the original
build of the server itself during setup. But all previous permissions setup
will be over written. Certain installed applications might lose
functionality but this is what you want if you want to reset back to the
default install.

http://support.microsoft.com/kb/816585
Click to expand...

No changes were actually done to the services explicitly, to any service
actually, let alone those 3. There was no need to modify them or anything else.
However changes were made to the HKLM\machine\currentcontrolset\services\dhcp
and snmp sections of the rgistry as well as a few places in the file system
(mainly in documents and settings branch). I can't apply that though as it
would negate any other changes we made that were already verified as okay and
there are many, both in registry and file system.
 
Yup, it will effect all security. You could run a report against it (As
opposed to updating it) and try to find the area you want to see what the
differences are though.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Back
Top