Article ID: 929819
Article Last Modified on 3/19/2007
APPLIES TO
- Windows Vista Ultimate
- Windows Vista Enterprise
- Windows Vista Business
- Windows Vista Home Premium
- Windows Vista Home Basic
- Windows Vista Ultimate 64-bit edition
- Windows Vista Enterprise 64-bit edition
- Windows Vista Business 64-bit edition
- Windows Vista Home Premium 64-bit edition
- Windows Vista Home Basic 64-bit edition
- Windows Vista Starter
SYMPTOMS
When you configure a Windows Vista-based computer by using a security template that contains security descriptors for Windows Resource Protection (WRP) resources, the results are unpredictable.
CAUSE
This problem occurs because security templates are always configured by using the LocalSystem account instead of by using the account of the user who is configuring the security template. WRP resources are configured as read-only for the LocalSystem account. To configure security descriptors for a WRP resource, the Security Templates snap-in must take ownership of the resource, configure the security descriptor, and then restore ownership to the TrustedInstaller group. This method does not work to recursively configure security descriptors for all members of a WRP container. The Security Templates snap-in can recursively take ownership of all members of a container and then configure the container's security descriptor. However, the Security Templates snap-in cannot restore ownership of a member to the prior owner without keeping a record of the prior owner of every member in the container. Therefore, configuring security descriptors for WRP resources leads to unpredictable results and is not supported.
RESOLUTION
To resolve this problem, do not use the Security Templates snap-in to set access control lists (ACLs) for WRP resources.
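One way to check a template before applying it, added here as an example and not part of the original article: the PowerShell function below lists the `[File Security]` and `[Registry Keys]` entries of a security template whose targets are currently owned by TrustedInstaller. The function name and the sample path are hypothetical. Treating TrustedInstaller ownership as the indicator of a WRP resource is an assumption based on the ownership behavior described under CAUSE.

```powershell
# Added example. Assumption: a target owned by TrustedInstaller is treated as a
# WRP resource, because the article names that group as the owner to restore.
function Get-WrpTemplateEntry {
    param([string]$TemplatePath)   # path to a security template (.inf)

    $section = ''
    foreach ($raw in Get-Content $TemplatePath) {
        $line = $raw.Trim()
        # Track which [Section] of the template the current line belongs to
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -ne 'File Security' -and $section -ne 'Registry Keys') { continue }

        # Entry layout in both sections: "target",mode,"SDDL"
        if ($line -notmatch '^"([^"]+)"\s*,\s*(\d+)\s*,') { continue }
        $target = $Matches[1]
        $mode   = $Matches[2]      # mode field, which controls propagation to children

        if ($section -eq 'File Security') {
            # File targets may use environment variables such as %SystemRoot%
            $path = [Environment]::ExpandEnvironmentVariables($target)
        } else {
            # Template registry targets use MACHINE\, USERS\ or CLASSES_ROOT\ prefixes
            $path = 'Registry::' + ($target -replace '^MACHINE\\', 'HKEY_LOCAL_MACHINE\' `
                                            -replace '^USERS\\', 'HKEY_USERS\' `
                                            -replace '^CLASSES_ROOT\\', 'HKEY_CLASSES_ROOT\')
        }

        if (-not (Test-Path $path)) { continue }   # target absent on this machine
        $owner = (Get-Acl -Path $path).Owner
        if ($owner -like '*\TrustedInstaller') {
            New-Object PSObject -Property @{
                Section = $section; Target = $target; Mode = $mode; Owner = $owner
            }
        }
    }
}

# Usage (constructed path): review and remove the listed entries from the template.
# Get-WrpTemplateEntry 'C:\Templates\baseline.inf' | Format-Table -AutoSize
```

The check only inspects the targets named in the template, not the children of a container that a recursive entry would also reach.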
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.