Microsoft KB Archive/237399


Article ID: 237399

Article Last Modified on 2/27/2007



APPLIES TO

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition



This article was previously published under Q237399

SUMMARY

When you install Windows 2000 to an NTFS file system partition, part of the setup process applies default security settings to the system files and folders located on the boot partition.

If you initially installed Windows 2000 to a FAT or FAT32 partition and later used the Convert.exe utility to convert the partition to NTFS, the default security settings are not applied. To apply default security settings after a conversion, you can use the steps below to apply "setup security.inf" to the system. However, in Windows 2000, Microsoft does not support setting security on already installed files to match NTFS security after a conversion from FAT or FAT32. To get file permissions that match the security settings of an NTFS install, the system must be formatted and reinstalled, selecting NTFS as the file system during the text portion of the Windows 2000 install. If a clean install is not possible, you can perform an in-place upgrade of the system after the file system has been converted to NTFS. The upgrade addresses the file permissions of all operating system components; however, any program that had custom security will not have the correct permissions set. If you want, you can create a user-defined .inf file that contains custom security settings for additional files and folders and apply it the same way.

You may also want to re-apply default NTFS permissions to the system boot partition if you accidentally removed access to parts of the file system you must have for the operating system to function properly.

MORE INFORMATION

During setup on an NTFS partition, an Access Control List (ACL) is created for the file system using a predefined set of default security templates. Additionally, components that use the Setup API can also use the [.security] section in their installation (.inf) file(s) to specify their own file security. Both the permissions from the default security templates and the permissions that are set by the .inf files are captured into one "setup security.inf" template.

During setup onto a FAT partition, the same "setup security.inf" template is created. This "setup security.inf" template can be used to set default permissions after using the Convert.exe utility to convert the FAT partition to NTFS.

The following procedure applies default NTFS security settings only to the %Windir% and "Program Files" folders and to optional components that are installed through OCM and specify their security in their INFs. It does not apply security to the "Documents and Settings" folder. Although applying "setup security.inf" applies default NTFS permissions, it does not result in security settings that match a clean NTFS install. Security settings that are missing include:

  • All security set by optional components that are installed and set their own custom security programmatically.
  • Any system components that change the security on the files and folders they own, including "Profiles", "Tasks", "Installer", "appmgmt", and "GroupPolicy".
  • All programs' custom security.

To Apply Default NTFS Security to a Windows 2000 NTFS Boot Partition

WARNING: You must have a full backup of the boot partition before you try this procedure.

  1. Log on to the workstation or server with administrator rights.
  2. At a command prompt, type the following command:
    • Secedit /configure /db %SYSTEMROOT%\security\database\cvtfs.sdb /Cfg "%SYSTEMROOT%\security\templates\setup security.inf" /areas filestore

      NOTE: After security permissions are applied, you may receive the following message that can be ignored:

      Task is completed. Some files in the configuration are not found on this system so security cannot be set/queried.

      See the %windir%\security\logs\scesrv.log file for detailed information.


  3. View the NTFS security settings on the Windows 2000 system files and folders and note that additional security has been applied.

    NOTE: You may also want to re-apply default NTFS permissions to the system boot partition if you accidentally removed access to parts of the file system you must have for the operating system to function properly. However, the computer must still be startable for this procedure to work.

If the Computer Does Not Start and Generates a STOP 0xC000021A Error Message on a Blue Screen

If the administrator has modified permissions, restarted the computer, and now receives an error message on a blue screen, the most likely cause is that the SYSTEM account does not have the required permissions to provide access to the system files and folders.

To restore access to the boot partition:

  1. Install a new installation of Windows 2000 onto a separate partition or drive.

    WARNING: If you install a new installation of Windows 2000 in the same folder as the existing installation, you will delete the existing installation, including all existing accounts.
  2. Boot to the new installation of Windows 2000.
  3. Use Windows Explorer to give the "System" account full control of the original volume's root folder and all system files and folders. You can now boot to the original installation of Windows 2000.
  4. Follow the first two instructions in this list to restore default NTFS security permissions on your system boot partition.

    NOTE: For computers running Microsoft Windows NT versions 3.5, 3.51, or 4.0, see the following Microsoft Knowledge Base article:

    153094 Restoring Default Permissions to Windows NT System Files
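
An added example, not part of the original article or of Microsoft's tooling: a pre-apply check for a user-defined template of the kind mentioned in the Summary. It flags [File Security] entries that would leave the SYSTEM account without full control, the condition described above as the most likely cause of the STOP 0xC000021A error. The sample template, its paths, and the function names are constructed; the "object",mode,"SDDL" entry layout and the meaning of mode 1 are assumptions about the template format, and hex access masks are not decoded.

```python
import re

# Constructed sample of a user-defined template (paths and ACLs are illustrative).
# Assumed entry layout in [File Security]: "object",mode,"SDDL"
SAMPLE_TEMPLATE = r'''
[Version]
signature="$CHICAGO$"

[File Security]
"%SystemRoot%\system32",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
"%SystemDrive%\AppData1",2,"D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)"
"%SystemDrive%\AppData2",2,"D:P(D;CIOI;GA;;;SY)(A;CIOI;GA;;;BA)"
"%SystemDrive%\AppData3",1,"D:P(A;CIOI;GA;;;BA)"
'''

ENTRY = re.compile(r'^"([^"]+)"\s*,\s*(\d)\s*,\s*"([^"]*)"$')
# SDDL ACE: (type;flags;rights;object_guid;inherit_guid;sid) -> type, rights, sid
ACE = re.compile(r'\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)')

def file_security_entries(text):
    """Yield (path, mode, sddl) for each entry in the [File Security] section."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "file security":
            m = ENTRY.match(line)
            if m:
                yield m.group(1), int(m.group(2)), m.group(3)

def system_lockouts(text):
    """Return paths whose new ACL would leave SYSTEM (SY) without full control."""
    flagged = []
    for path, mode, sddl in file_security_entries(text):
        if mode == 1:  # assumed: mode 1 leaves the object's permissions untouched
            continue
        allow = deny = False
        for kind, rights, sid in ACE.findall(sddl):
            codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
            if sid == "SY" and kind == "A" and codes & {"GA", "FA"}:
                allow = True   # allow ACE granting generic-all or file-all
            if sid == "SY" and kind == "D":
                deny = True    # any deny ACE for SYSTEM is treated as a lockout
        if deny or not allow:
            flagged.append(path)
    return flagged

if __name__ == "__main__":
    for p in system_lockouts(SAMPLE_TEMPLATE):
        print("SYSTEM would lack full control:", p)
```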


