Microsoft KB Archive/311444

= Creator/Owner Rights Are Removed by Policy Editor =

Article ID: 311444

Article Last Modified on 2/20/2007

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 2

-



This article was previously published under Q311444



SYMPTOMS
When you edit a file or registry security policy by using Policy Editor or the Security Template Editor snap-in, rights may be granted or denied to the creator/owner. If the Applies to option is set to This folder, subfolders, and files or This key and subkeys, it is reset to Subfolders and files only or Subkeys only when you confirm the changes by clicking Apply or OK.

This can result in the loss of previously granted or denied rights, and may cause services or programs not to work. For example, changing the default permission on the following registry key as defined in the Basicdc.inf file causes the installation of Windows 2000 Service Pack 2 (SP2) not to succeed:

MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security



RESOLUTION
To resolve this problem, obtain the latest service pack for Microsoft Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack



WORKAROUND
To work around this problem, use Notepad to modify the security template and set the correct permission for the creator/owner. For example, to set the permission on MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security to the default settings as defined in the Basicdc.inf file, modify the following line from

MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security&quot;,2,&quot;D:PAR(A;CI;KR;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)

to the following:

MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security&quot;,2,&quot;D:P(A;CI;GR;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)

Note that modifying the template directly risks losing the settings each time someone edits the template by using the Security Template Editor snap-in. Therefore, Microsoft recommends that you set the right explicitly for the corresponding user in Policy Editor. In the example in this article, this would require granting Full Control permissions to the administrator.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Microsoft Windows 2000 Service Pack 4.

Additional query words: kbMgmtAdmin

Keywords: kbbug kbfix kbqfe kbsysadmin kbsecurity kbgrppolicyprob kbwin2ksp4fix kbhotfixserver KB311444

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.