Microsoft KB Archive/237399

= The Default NTFS Permissions Are Not Applied to a Converted Boot Partition =

Article ID: 237399

Article Last Modified on 2/27/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q237399



SUMMARY
When you install Windows 2000 to an NTFS file system partition, part of the set up process is to apply default security settings to the system files and folders located on the boot partition.

If you initially installed Windows 2000 to a FAT or FAT32 partition, and then later used the Convert.exe utility to convert the partition to NTFS, default security settings are not applied. To apply default Security settings after a convert you can use the below steps to apply "setup security.inf" to the system. However, in Windows 2000 Microsoft does not support setting security on already installed files to match NTFS security after a convert from FAT(32). To get a file permission that matches the security settings of a NTFS install, the system must be formatted and reinstalled selecting NTFS as the file system during the text portion of the Windows 2000 install. If a clean install is not possible, you can perform an in-place upgrade of the system after the files system has been converted to NTFS. The upgrade will address the file permission of all operating system components, however any program that had custom security will not have the correct permissions set. If you want, you can create a user defined .inf file that contains custom security settings for additional files and folders and apply them the same way.

You may also want to re-apply default NTFS permissions to the system boot partition if you accidentally removed access to parts of the file system you must have for the operating system to function properly.



MORE INFORMATION
During setup on an NTFS partition, an Access Control List (ACL) is created for the file system using a predefined set of default security templates. Additionally, components that use the Setup API can also use the [.security] section in their installation (.inf) file(s) to specify their own file security. Both the permissions from the default security templates and the permissions that are set by the .inf files are captured into one "setup security.inf" template.

During setup onto a FAT partition, the same "setup security.inf" template is created. This "setup security.inf" template can be used to set default permissions after using the Convert.exe utility to convert the FAT partition to NTFS.

The following procedure only applies default NTFS security settings to the %Windir% and "Program Files" folders and optional components that get installed through OCM and specifies their security in their INFs and does not apply security to the "Documents and Settings" folder. Although applying "setup security.inf" applies default NTFS permission it will not result in security settings that match a clean NTFS install, security settings that are missing include:
 * All the security set by all optional components that get installed and set their own custom security programmatically.
 * Any system components that change the security on the files/folders they own, including:"Profiles", "Tasks", "Installer", "appmgmt", and "GroupPolicy".
 * All programs custom security.

To Apply Default NTFS Security to a Windows 2000 NTFS Boot Partition
WARNING: You must have a full backup of the boot partition before you try this procedure.

 Log on to the workstation or server with administrator rights. At a command prompt, type the following command:  

Secedit /configure /db %SYSTEMROOT%\security\database\cvtfs.sdb /Cfg "%SYSTEMROOT%\security\templates\setup security.inf" /areas filestore

NOTE: After security permissions are applied, you may receive the following message that can be ignored:

Task is completed. Some files in the configuration are not found on this system so security cannot be set/queried.

See the %windir%\security\logs\scesrv.log file for detailed information.

 View the NTFS security settings on the Windows 2000 system files and folders and note that additional security has been applied.

NOTE: You may also want to re-apply default NTFS permissions to the system boot partition if you accidentally removed access to parts of the file system you must have for the operating system to function properly, however the computer must still be startable for this procedure to work.

If the Computer Does Not Start and Generates a STOP 0xC000021A Error Message on a Blue Screen
If the administrator has modified permissions, restarted the computer, and now receives an error message on a blue screen, the most likely cause is that the SYSTEM account does not have the required permissions to provide access to the system files and folders.

To restore access to the boot partition:  Install a new installation of Windows 2000 onto a separate partition or drive.

WARNING: If you install a new installation of Windows 2000 in the same folder as the existing installation, you will delete the existing installation, including all existing accounts.</li> Boot to the new installation of Windows 2000.</li> Use Windows Explorer to give the "System" account full control of the original volumes root folder and all system files and folders. You can now boot to the original installation of Windows 2000.</li> Follow the first two instructions in this list to restore default NTFS security permissions on your system boot partition.

NOTE: For computers running Microsoft Windows NT versions 3.5, 3.51, or 4.0, see the following Microsoft Knowledge Base article:

153094 Restoring Default Permissions to Windows NT System Files

</li></ol>

Additional query words: setacl 0xc21a c21a

Keywords: kbenv kbprb kbui KB237399

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.