Microsoft KB Archive/939218

From BetaArchive Wiki

Article ID: 939218

Article Last Modified on 7/24/2007



APPLIES TO

  • Windows Home Server



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry


SYMPTOMS

You use Windows Home Server to back up a computer. Then, you try to restore files from a backup file. When you select a backup file by using the Windows Home Server Console, and then you click Open, the Opening Backup dialog box appears as expected. However, when the Opening backup progress indicator reaches approximately three percent, you receive the following error message:

Cannot connect to the backup service on the server. Verify that all services are running.

You experience this problem even if you are a member of the Administrators group on the local computer.

Note If you log on as a different administrator, the backup file opens successfully.

CAUSE

This problem occurs if the following conditions are true:

  • A different administrator installed Windows Home Server Connector.
  • The computer is running Microsoft Windows XP.

This problem occurs because Windows Home Server Connector installs a private key on the client computer when Windows Home Server Connector is installed. This action lets Windows Home Server authenticate the client computer.

This private key is installed by using the default permissions and the default owner. The default owner of this key is not the Administrators group. Instead, the default owner of this key is the administrator who installs Windows Home Server Connector. Therefore, if more than one administrator is configured on the computer, only the administrator who installed Windows Home Server Connector can access the key. By default, no other administrator can access the key.

The private key is required to start the restore operation from Windows Home Server. Therefore, only the administrator who installed Windows Home Server Connector can open the backup file.

Note Although this problem occurs on client computers that are running Windows XP, you might also experience this problem on a Windows Vista-based computer that has more than one administrator. For example, this problem may occur on a Windows Vista-based computer if a third-party program has damaged the folder that contains the private key.

RESOLUTION

Important These steps may increase your security risk. These steps may also make the computer or the network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you decide to implement this process, take any appropriate additional steps to help protect the system. We recommend that you use this process only if you really require this process.

To resolve this problem, use one of the following methods:

  • Manually set permissions on the folder that contains the private key. To do this, you use the CACLS command to grant all administrators Full Control access to all computer-level keys.
  • Turn off the policy that restricts access to only the administrator who installs Windows Home Server Connector. In this scenario, you must modify the registry, and then reinstall Windows Home Server Connector.

To manually set permissions on the private keys

Use the CACLS command to grant all administrators Full Control access to all computer-level keys.

Note Any administrator can take ownership of the keys. Therefore, this action does not significantly reduce security, even though it gives all administrators complete access to the computer-level keys.

Important To modify the permissions of these keys, you must be logged on to the computer by using the account of the administrator who installed Windows Home Server Connector.

To grant all administrators Full Control access to all computer-level keys, follow these steps:

  1. Log on as the administrator who installed Windows Home Server Connector.
  2. Exit Windows Home Server Console.
  3. Click Start, click Run, type cmd, and then click OK.
  4. At the command prompt, type the following command, and then press ENTER:

    cacls "%allusersprofile%\Application Data\Microsoft\Crypto\RSA\MachineKeys\*" /C /E /G Administrators:F

  5. Exit the command prompt, and then log on to the computer by using the administrator account that you want to use to restore the backed up files.

Note Although any administrator can take control of the items in the MachineKeys folder, you may not want to explicitly grant rights to all the entries in this folder to the Administrators group. Instead, you may want to grant rights to only the key that Windows Home Server Connector uses. To do this, follow these steps:

  1. Log on as the administrator who installed Windows Home Server Connector.
  2. Exit Windows Home Server Console.
  3. Click Start, click Run, type %allusersprofile%\application data\microsoft\crypto\rsa\machinekeys, and then click OK.

    The MachineKeys window appears. In this window, many 2-kilobyte files may appear. These files have GUIDs for file names.
  4. Determine which files were created when Windows Home Server Connector was installed. To do this, right-click a file, and then click Properties. The date that the file was created appears on the General tab.
  5. Run the CACLS command to modify the permissions of each file that was created when Windows Home Server Connector was installed. To do this, follow these steps:
    a. Click Start, click Run, type cmd, and then click OK.
    b. At the command prompt, type the following command, and then press ENTER:

      cacls "%allusersprofile%\Application Data\Microsoft\Crypto\RSA\MachineKeys\file_name" /E /G Administrators:F

      In this command, replace file_name with the name of the file that you want to modify. For example, type a command that resembles the following:

      cacls "%ALLUSERSPROFILE%\Application Data\Microsoft\Crypto\RSA\MachineKeys\3a679584c5b172f68ccc3cd77e5e448c_6ce0dc71-7fe8-4794-a125-c5bcacfbe6bc" /E /G Administrators:F

    c. Repeat step b for each file that was created when Windows Home Server Connector was installed.
  6. Exit the command prompt, and then log on to the computer by using the administrator account that you want to use to restore the backed up files.
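
The selective procedure above depends on picking the right GUID-named files by creation date and on knowing who owns them. The following read-only PowerShell function is an added example, not part of the original article or of Microsoft's tooling. It lists each file in MachineKeys with its creation time, its owner, and whether the Administrators group already holds Full Control. It assumes PowerShell 2.0 or later is installed on the client; the names Get-MachineKeyAudit and CreatedOn are hypothetical.

```powershell
# Added example, not part of the KB article. Read-only: it changes no permissions.
# Assumptions: PowerShell 2.0 or later; the XP-era MachineKeys path used in the article.
$keyDir   = Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys'
# Well-known SID of BUILTIN\Administrators (avoids localized group names).
$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$sidType  = [System.Security.Principal.SecurityIdentifier]
$full     = [int][System.Security.AccessControl.FileSystemRights]::FullControl

# Get-MachineKeyAudit and -CreatedOn are hypothetical names chosen for this example.
function Get-MachineKeyAudit {
    param(
        [string]$Path = $keyDir,
        [datetime]$CreatedOn   # optional: the day Windows Home Server Connector was installed
    )
    $day = if ($PSBoundParameters.ContainsKey('CreatedOn')) { $CreatedOn.Date } else { $null }

    Get-ChildItem -Path $Path -Force |
        Where-Object { -not $_.PSIsContainer -and (-not $day -or $_.CreationTime.Date -eq $day) } |
        ForEach-Object {
            $file = $_
            $owner = '(access denied)'; $ownerIsGroup = $null; $adminsFull = $null
            try {
                $acl = Get-Acl -Path $file.FullName -ErrorAction Stop
                $owner = $acl.Owner
                $ownerIsGroup = $acl.GetOwner($sidType).Equals($adminSid)
                $adminsFull = $false
                foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
                    if ($rule.IdentityReference.Equals($adminSid) -and
                        $rule.AccessControlType -eq 'Allow' -and
                        (([int]$rule.FileSystemRights -band $full) -eq $full)) {
                        $adminsFull = $true
                    }
                }
            } catch {
                # The current account cannot read the security descriptor of this key file.
            }
            New-Object PSObject -Property @{
                Name = $file.Name; Created = $file.CreationTime; Owner = $owner
                OwnerIsAdministrators = $ownerIsGroup; AdministratorsFullControl = $adminsFull
            } | Select-Object Name, Created, Owner, OwnerIsAdministrators, AdministratorsFullControl
        }
}

# Example call with a constructed date: Get-MachineKeyAudit -CreatedOn '2007-07-01'
Get-MachineKeyAudit | Sort-Object Created | Format-Table -AutoSize
```

A row that shows (access denied) means the current account cannot read that file's security descriptor, which matches the condition described under CAUSE. Run it again after the CACLS step to confirm that only the intended files changed.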

To turn off the policy that restricts access to the keys

Method 1: All versions of Windows XP

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  3. In the details pane, right-click nodefaultadminowner, and then click Modify.
  4. In the Value data box, type 0 (zero), and then click OK.
  5. Exit Registry Editor, and then reinstall Windows Home Server Connector.
  6. After Windows Home Server Connector has been reinstalled, modify the registry to set the nodefaultadminowner registry entry to 1 (one).

Method 2: Versions of Windows XP other than Windows XP Home Edition

  1. Click Start, click Run, type secpol.msc, and then click OK.
  2. In Local Security Settings, expand Local Policies, and then click Security Options.
  3. In the details pane, right-click System objects: Default owner for objects created by members of the Administrators group, and then click Properties.
  4. In the System objects: Default owner for objects created by members of the Administrators group list, click Administrators group, and then click OK.
  5. Exit Local Security Settings.


REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

318825 Changes to the behavior of the default discretionary access control list (DACL) for administrators on a Windows XP-based system


Keywords: kbregistry kbbackup kbexpertiseadvanced kbtshoot kberrmsg kbprb KB939218