Microsoft KB Archive/312031

= Using the Symantec W32.Nimda.A@mm Virus Removal Tool Affects the Sysvol and Netlogon Share Permissions =

Article ID: 312031

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows 2000 Server

-



This article was previously published under Q312031



SYMPTOMS
When you use the Symantec W32.Nimda.A@mm virus removal tool on a domain controller, the share permissions for shares such as Sysvol and Netlogon may be changed from the default share permissions.

The Application log may also contain the following Userenv error, Event ID 1000:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date:
Time:
User: NT Authority\System
Computer:
Description: Windows cannot access the registry information at \\ \Sysvol\ \Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\ \Registry.pol with (5). Access denied.

The "(5)" is the Win32 error code ERROR_ACCESS_DENIED, and the GUID in the path is that of the Default Domain Policy object. The blank components of the path (the domain name and the Machine or User subfolder) vary by environment.



CAUSE
This behavior occurs because the virus removal tool tightens access to every share that it can enumerate, not only to the shares that the worm abuses. The Symantec Web site for this virus states that the tool performs the following actions on all viewable shares:
 * Returns shared drives and folders to default security settings.
 * Makes administrative shares accessible only to administrators.
 * Resets the access permission for publicly-named network shares from Everyone [Full Control] to members of the Administrator group [Full Control].

The tool does not remove the shares themselves, but it resets the share permissions on every file server and domain controller that it is run on. On a domain controller, the SYSTEM account then cannot read the Sysvol share to process some Group Policy objects, which generates the "Access denied" error shown above.



RESOLUTION
To resolve this behavior, on Microsoft Windows 2000 Server-based domain controllers, reset the share permissions on the Sysvol share (the share of the %SystemRoot%\SYSVOL\Sysvol folder) to the following default permissions:

 * Administrators - Full Control
 * Authenticated Users - Full Control
 * Everyone - Read

If other shares are affected, you must also set permissions for those shares back to their previous settings.

The NTFS file permissions on the Sysvol folder may or may not be affected. Their default settings are as follows:

 * Administrators - Full Control
 * Authenticated Users - Read & Execute, List Folder Contents, Read
 * System - Full Control
 * Server Operators - Read & Execute, List Folder Contents, Read

These permissions are set for the %SystemRoot%\SYSVOL folder and are marked as inherited (they are checked but dimmed) for the %SystemRoot%\SYSVOL\Sysvol folder.
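The following script is an added example, not part of this article or of either vendor's tooling: it audits the share permissions on SYSVOL and NETLOGON against the defaults listed above and, with -Repair, puts them back, then re-audits so that a partial repair is visible. It assumes the SmbShare cmdlets (Windows Server 2012 / Windows 8 or later) and an elevated session on the domain controller; the script name, the -Repair switch, and the choice to hold NETLOGON to the same three entries as Sysvol are this example's assumptions. Windows 2000 itself has no PowerShell, so there the same change is made in the share's Properties > Sharing > Permissions dialog.

```powershell
# Added example (not from KB 312031): audit, and optionally reset, the share
# permissions on the domain controller shares that the Nimda removal tool rewrites.
#
#   .\Repair-SysvolShareAcl.ps1            audit only, exit code 1 on any deviation
#   .\Repair-SysvolShareAcl.ps1 -Repair    audit, reset deviating shares, re-audit
[CmdletBinding()]
param(
    [string[]]$ShareName = @('SYSVOL', 'NETLOGON'),
    [switch]$Repair
)

# The three default entries the article gives for the Sysvol share. Applying the
# same set to NETLOGON is an assumption of this script: confirm it against a
# known-good DC before trusting the result.
$Expected = @(
    @{ Account = 'BUILTIN\Administrators';           Right = 'Full' },
    @{ Account = 'NT AUTHORITY\Authenticated Users'; Right = 'Full' },
    @{ Account = 'Everyone';                         Right = 'Read' }
)

# Compare on the unqualified name so 'BUILTIN\Administrators' and 'Administrators' match.
function Get-ShortName([string]$Account) { return ($Account -split '\\')[-1] }

function Test-ShareAcl {
    param([string]$Name)
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        Write-Warning "Share '$Name' does not exist on this host"
        return $null
    }
    $current  = @(Get-SmbShareAccess -Name $Name)
    $problems = @()

    # Every default trustee must be present as an Allow entry with exactly the
    # documented right; a Deny entry for one of them is reported as well.
    foreach ($e in $Expected) {
        $short = Get-ShortName $e.Account
        $aces  = @($current | Where-Object { (Get-ShortName $_.AccountName) -eq $short })
        if ($aces.Count -eq 0) {
            $problems += "missing: $($e.Account) should have $($e.Right)"
            continue
        }
        foreach ($a in $aces) {
            if ($a.AccessControlType -ne 'Allow') {
                $problems += "deny entry present for $($a.AccountName)"
            } elseif ($a.AccessRight -ne $e.Right) {
                $problems += "$($a.AccountName) has $($a.AccessRight), expected $($e.Right)"
            }
        }
    }

    # Anything else in the DACL is a deviation from the documented default: the
    # removal tool leaves Administrators only, and hand edits may have added more.
    $known = $Expected | ForEach-Object { Get-ShortName $_.Account }
    foreach ($a in $current) {
        if ($known -notcontains (Get-ShortName $a.AccountName)) {
            $problems += "unexpected entry: $($a.AccountName) $($a.AccessControlType) $($a.AccessRight)"
        }
    }
    return ,$problems    # the leading comma keeps an empty array from collapsing to $null
}

function Repair-ShareAcl {
    param([string]$Name)
    # Grant the defaults first so Administrators never lose access part-way through,
    # then strip every entry that is not one of the three defaults.
    foreach ($e in $Expected) {
        Grant-SmbShareAccess -Name $Name -AccountName $e.Account -AccessRight $e.Right -Force | Out-Null
    }
    $known = $Expected | ForEach-Object { Get-ShortName $_.Account }
    foreach ($a in @(Get-SmbShareAccess -Name $Name)) {
        if ($a.AccessControlType -eq 'Deny') {
            Unblock-SmbShareAccess -Name $Name -AccountName $a.AccountName -Force | Out-Null
        } elseif ($known -notcontains (Get-ShortName $a.AccountName)) {
            Revoke-SmbShareAccess -Name $Name -AccountName $a.AccountName -Force | Out-Null
        }
    }
}

$deviations = 0
foreach ($name in $ShareName) {
    $problems = Test-ShareAcl -Name $name
    if ($null -eq $problems) { continue }                 # share not present on this host
    if ($problems.Count -eq 0) {
        Write-Output "${name}: share permissions match the documented defaults"
        continue
    }
    $deviations++
    Write-Output "${name}: DEVIATION"
    $problems | ForEach-Object { Write-Output "    $_" }
    if ($Repair) {
        Repair-ShareAcl -Name $name
        $after = Test-ShareAcl -Name $name
        if ($after.Count -eq 0) {
            Write-Output "${name}: reset to the documented defaults"
            $deviations--
        } else {
            Write-Output "${name}: still deviates after repair:"
            $after | ForEach-Object { Write-Output "    $_" }
        }
    }
}
exit [int]($deviations -gt 0)
```

After a repair, force a policy refresh (secedit /refreshpolicy machine_policy /enforce on Windows 2000, gpupdate /force on later versions) and confirm that no new Userenv Event ID 1000 entries appear in the Application log. The script checks share permissions only; inspect the NTFS permissions on %SystemRoot%\SYSVOL separately (for example with Get-Acl) against the defaults listed above, since the tool may have changed those as well.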



MORE INFORMATION
The following Symantec Web site is the source of the preceding information about the W32.Nimda.A@mm virus removal tool:

http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.removal.tool.html

For additional information about the default NTFS file system permissions for other folders, click the article number below to view the article in the Microsoft Knowledge Base:

244600 Default NTFS Permissions in Windows 2000

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For information about how to contact Symantec, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:

65416 Hardware and Software Third-Party Vendor Contact List, A-K

60781 Hardware and Software Third-Party Vendor Contact List, L-P

60782 Hardware and Software Third-Party Vendor Contact List, Q-Z

Additional query words: antivirus Winnt

Keywords: kb3rdparty kberrmsg kbnetwork kbprb kbsectools kbsecurity KB312031

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.