I created a .bat, ran it with admin privileges and now the su works!
Thanks for the help, Matt.
----- begin su_fix.bat -----
REM This will add the domain users to impersonate a client to fix the su issue with sp4 on win2k
C:
REM Absolute path, so the INF is created in C:\TEMP whatever the current directory on C: is
CD \TEMP
REM Creates a file \temp\su_fix.INF and then is deleted after this .bat file is ran
ECHO [Profile Description] >>su_fix.INF
ECHO Adds the Impersonate a client after authentication privilege to the group Administrators >>su_fix.INF
ECHO. >>su_fix.INF
ECHO [Unicode] >>su_fix.INF
ECHO Unicode=yes >>su_fix.INF
ECHO. >>su_fix.INF
ECHO [Version] >>su_fix.INF
ECHO signature="$CHICAGO$" >>su_fix.INF
ECHO revision=1 >>su_fix.INF
ECHO. >>su_fix.INF
ECHO [Privilege Rights] >>su_fix.INF
ECHO SeImpersonatePrivilege = *S-1-5-6, *S-1-5-32-544, *S-1-5-21-1778651625-1317303742-1844936127-513 >>su_fix.INF
copy %WINDIR%\security\database\secedit.sdb %WINDIR%\security\database\secedit2.sdb
secedit /configure /db %WINDIR%\security\database\secedit2.sdb /cfg C:\TEMP\su_fix.INF
secedit /refreshpolicy user_policy
secedit /refreshpolicy machine_policy
del /q %WINDIR%\security\database\secedit2.sdb
del /q C:\temp\su_fix.INF
----- end su_fix.bat -----
:: I used getsid.exe from the resource kit
:: The SID for account domain\domain users is S-1-5-21-1778651625-1317303742-1844936127-513
--------------------------------------------------------------
Matt Scarborough said:
I have an NT 4 Domain with all win2k clients. I upgraded all clients to SP4
and then SU service quit. I now receive this error:
GetSidFromNames error! (rc=6)
The handle is invalid.
I read the MSDN article 821546. What I need to do is to add to the local
security policy the useraccount to "Impersonate a client after
authentication" to all of the win2k clients.
How can I do this without using AD and group policies?
Create a template such as Users_Impersonate_On.INF
Place the INF file on a network share. e.g.,
\\<SomeServer>\path\Impersonate_On.INF
----- Impersonate_On.INF -----
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=Adds the Impersonate a client after authentication privilege to the group Users
[Privilege Rights]
; S-1-5-32-545 is BUILTIN\Users
; Following users have SeImpersonatePrivilege by default
; S-1-5-6 is NT AUTHORITY\SERVICE
; S-1-5-32-544 is BUILTIN\Administrators
SeImpersonatePrivilege = *S-1-5-32-545,*S-1-5-6,*S-1-5-32-544
----- Impersonate_On.INF -----
See secedit /? for more options.
Creating an SDB file from the INF and using that is possible.
Script something less clunky but like this on the Win2k clients
copy %WINDIR%\security\database\secedit.sdb %WINDIR%\security\database\secedit2.sdb
secedit /configure /db %WINDIR%\security\database\secedit2.sdb /cfg
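
The following Python check is an added example, not code from either poster: it parses a secedit template's [Privilege Rights] section and lists every holder of SeImpersonatePrivilege beyond the two defaults named in the template comments above. The function names and finding labels are assumptions of this example; the two sample templates are abridged from the thread.

```python
import re

# Default holders, per the comments in the Impersonate_On.INF template above.
DEFAULT_HOLDERS = {"S-1-5-6", "S-1-5-32-544"}  # SERVICE, BUILTIN\Administrators
DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# Sample input, abridged from the thread's two templates.
USERS_INF = """\
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
; S-1-5-32-545 is BUILTIN\\Users
SeImpersonatePrivilege = *S-1-5-32-545,*S-1-5-6,*S-1-5-32-544
"""
DOMAIN_USERS_INF = """\
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-6, *S-1-5-32-544, *S-1-5-21-1778651625-1317303742-1844936127-513
"""

def privilege_rights(inf_text):
    """Return {privilege: [sid_or_name, ...]} from [Privilege Rights]."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, value = line.split("=", 1)
            rights[name.strip()] = [v.strip().lstrip("*")
                                    for v in value.split(",") if v.strip()]
    return rights

def audit_impersonate(inf_text):
    """List (sid, label) for each non-default SeImpersonatePrivilege holder."""
    findings = []
    for sid in privilege_rights(inf_text).get("SeImpersonatePrivilege", []):
        if sid in DEFAULT_HOLDERS:
            continue
        m = DOMAIN_SID.match(sid)
        if sid == "S-1-5-32-545":
            findings.append((sid, "BUILTIN\\Users (broad group)"))
        elif m and m.group(1) == "513":
            findings.append((sid, "Domain Users, RID 513 (broad group)"))
        else:
            findings.append((sid, "non-default holder"))
    return findings
```

Running `audit_impersonate` over a template before it goes to `secedit /configure` shows which accounts gain the right beyond the defaults.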