Some of my Windows registries (Vista) are not accessible due to permission violations. How to resolve it? - windows-vista

Some of my Windows registry permissions have been changed. It denies access to services like SQL Server. What is the issue here and how can it be resolved? Moreover, I am able to log in only in safe mode.

You can change permissions using regedit.exe. Try clicking on a registry key and choosing the "Permissions" option. On my computer the permissions are set in the following way:
the System group and the Administrators group - full control
the Restricted group - read
the Everyone group - read (on branches like HKEY_LOCAL_MACHINE)

Related

Folder Share permissions

I am having a weird issue that didn't use to happen. Perhaps Windows Update causes this?
We have an E drive partition created and I created a directory:
Test1
I shared it with administrators and everyone. Administrators have full access while the everyone group only has read permissions, but for this folder only. I added a permission to allow full control to this folder and its subfolders and files and assigned it to domain admins. My jadmin#domain.local account is added to this group.
I checked the security on the folder and the same permissions exist.
I created a directory within Test1 and called it New Folder, disabled inheritance and made sure explicit permissions for domain admins full control to all dir and subdir and files are added.
When I attempt to open this folder, I get a message:
"You don't currently have permission to access this folder. Click Continue to permanently get access to this folder".
When I push Continue, an explicit permission for my user gets added to that folder. I am trying to prevent that from happening. If domain admins (my user is added to this group) is added with full control, why does this warning pop up and require my user to be explicitly added? How can I prevent this from occurring?
I was expecting to be able to access the New Folder directory without any warning and without an explicit permission being added.
Check if you can access it with an elevated CMD.
Folders which are protected for builtin administrators groups are supposed to be security relevant. These users should also not be used to administrate on server systems.
Increase security by creating a separate admin group and dedicated permissions.
Alternatives are using a program that can be started elevated, like CMD, PowerShell, totalCommander, winscp (local part) and many more.
You could also administrate remotely. That should remove the problem.
Another way would be to add "Interactive Logon" group to all of your permissions where you need to access.
Disabling UAC or removing administrators from the security settings is the least that I would suggest.

What user profile does the system use when it runs a service in Windows

All,
I have no idea how a Windows service works, just curious: when we register a Windows service (such as auto-running a server after reboot), if it requires a user profile to load info (such as pulling data from somewhere else), what user profile does it load?
Thanks,
You can select what user runs each registered service, and the system comes with users assigned per service. The most used by the system is SYSTEM.
To check this you have to:
Go to services.
Right click on the desired service and properties.
Go to the Log on tab and check.
If the Local System account is selected, the username is SYSTEM, which has special permissions on almost all folders and Windows sections, including users' profile data.
On the other hand, if you would like to do something special with a specific account, you can tell the system the service will start with the account specified. Just make sure to update the password information every time the user changes it.
Regards,
Luis
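The same check across every service at once, as an added example that is not part of the original answer. It assumes Windows PowerShell (for `Get-WmiObject`); the function name `Get-LogonClass` and its category labels are made up for this illustration.

```powershell
# Added example: classify the logon account of every registered service.
# Get-LogonClass and its labels are hypothetical names for this illustration.
function Get-LogonClass([string]$StartName) {
    switch -Regex ($StartName) {
        '^$'                                            { 'none recorded'; break }
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'          { 'SYSTEM (full local privilege)'; break }
        '^NT AUTHORITY\\(LocalService|NetworkService)$' { 'built-in, reduced privilege'; break }
        '^NT SERVICE\\'                                 { 'per-service virtual account'; break }
        default                                         { 'named account (stored password)' }
    }
}

# StartName is the value shown on the "Log On" tab of the service properties.
Get-WmiObject Win32_Service |
    Select-Object Name, State, StartName,
        @{ Name = 'LogonClass'; Expression = { Get-LogonClass $_.StartName } } |
    Sort-Object LogonClass, Name |
    Format-Table -AutoSize
```

Services in the last class are the ones that stop starting when the account's password changes without the stored credential being updated.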

How to add user into COM permission list in windows server 2012 using PowerShell?

How can I add a user into the permission list using a Windows PowerShell command?
Information about DCOM permissions can be accessed via the Windows registry, HKLM\Software\Microsoft\Ole, DefaultAccessPermission / DefaultLaunchPermission, or via WMI.
Either way you need to get the SID of your user, create an object in SDDL format, and put it in the registry. There are already a few examples of PowerShell implementations on the internet, for example this one.
But for real life I can suggest doing it not from PowerShell, but from GPO (Computer configuration - windows settings - security settings - local policies - security options - DCOM: Machine Launch/Access Restrictions in Security Descriptor Definition Language (SDDL) syntax). It's easy, GUI-provided, could be used in SCCM compliance checks, etc.
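The registry route described in this answer (SID, then SDDL, then back to the registry), as an added example that is not part of the original answer or the linked script. It assumes an elevated Windows PowerShell session; `CONTOSO\svc-app` is a placeholder account, and the granted rights are limited to local launch and activation.

```powershell
# Added example: add one account to the machine-wide DCOM default launch ACL.
# 'CONTOSO\svc-app' is a placeholder; run from an elevated Windows PowerShell.
$account   = 'CONTOSO\svc-app'
$oleKey    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$valueName = 'DefaultLaunchPermission'

# 1. Resolve the account name to its SID.
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 2. Read the current binary security descriptor. The value is absent until the
#    defaults have been customised; stop rather than invent a descriptor.
$current = (Get-ItemProperty -Path $oleKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if (-not $current) { throw "$valueName is not set under $oleKey; set it once via dcomcnfg or GPO." }

# 3. Convert binary -> SDDL with the WMI helper class.
$helper = [wmiclass]'Win32_SecurityDescriptorHelper'
$sddl   = $helper.BinarySDToSDDL($current).SDDL

# 4. Build an allow ACE: CC = execute, DC = local launch, SW = local activation.
#    No remote rights (LC, RP) are granted.
$ace = "(A;;CCDCSW;;;$sid)"
if ($sddl -match [regex]::Escape(";;;$sid)")) {
    Write-Output "An ACE for $account already exists: $sddl"
    return
}

# 5. The ACE belongs in the DACL, so insert it before a SACL ("S:") if present.
$newSddl = if ($sddl -match '^(.*?)(S:.*)$') { $Matches[1] + $ace + $Matches[2] }
           else { $sddl + $ace }

# 6. Keep the old descriptor for rollback, then write the new one.
$sddl | Set-Content -Path (Join-Path $env:TEMP "$valueName.sddl.bak")
$newBin = $helper.SDDLToBinarySD($newSddl).BinarySD
Set-ItemProperty -Path $oleKey -Name $valueName -Value ([byte[]]$newBin) -Type Binary
Write-Output "Old: $sddl`nNew: $newSddl"
```

Comparing the "Old" and "New" SDDL strings in the output is the quickest check that only the intended ACE was added.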

Windows 7 User Log off scripts - Keys getting deleted after reboot

I am trying to create a user log off script by adding a registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Logoff.
After I install the msi I built, the registry keys are set properly. Once the installation ends, the system is rebooting and I see that the keys are deleted.
What could be going wrong?
That key is owned by group policy. Anything you change there will be changed back by group policy on the next refresh. You shouldn't store anything in the Group Policies manually or via your program to the registry. If you add the key via group policy, it will stay.

Write to HKEY_LOCAL_MACHINE on Windows 7 without Administrator privileges

First of all, I realize this is a messy situation, but it's not of my design, and I'm just trying to help, and for that I need your help.
App A is getting installed automatically via SMS installer under the Administrator account, not the PC owner's User account. App A has a registry key defined in HKEY_LOCAL_MACHINE hive.
After App A is installed, we want to edit the above mentioned registry key, to assign the User's C:\Users\USER_ID\Documents\ folder (I'm told we don't know who the user is and don't have access to USER_ID during step 1).
I know all about UAC, Application Manifest, and requestedExecutionLevel. However, I'm told we can't expect that all users will be in the Administrators group on their machine.
Solution must be backwards compatible with Windows XP as well.
I'm searching for options to get 'C:\Users\USER_ID\Documents\' into the 'HKEY_LOCAL_MACHINE' hive under the above listed conditions.
I found this thread that might be related to a similar situation, but I don't fully understand it yet (so I will give credit to anyone that explains it better):
Find out (read) logged in user in a cmd started as a different user
I also read something that rules out ClickOnce:
Clickonce + HKEY_LOCAL_MACHINE
After App A is installed with admin privileges you are trying to run an additional script as the local user who does not have admin privileges. In order for your secondary script to write to the local machine key it will have to be run with administrative privileges, period. That said, you have basically two choices:
1) Use the RunAs command to run the script with elevated privileges and have the user type in an admin username and password to run the script with elevated privileges.
2) This is the better way imo - Since SMS is being leveraged as the delivery tool, use its capability to detect and use local client configuration settings to write the key at the time of installation.
So basically the SMS package would have to be set up to run only when the local user logs on one time so that SMS can grab the current user and write it to a file somewhere. After that is completed, SMS can run a separate package as the admin (user will get prompted) to do the software install, looking for the file containing the user and then consequently updating the local machine key to the correct user my document path.
Enjoy!
