Microsoft KB Archive/816818


Article ID: 816818

Article Last Modified on 10/17/2007



APPLIES TO

  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Server 4.0, Terminal Server Edition
  • Microsoft Windows NT Server 4.0 Enterprise Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition





IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry


SYMPTOMS

If you are using a Windows 2000-based computer and you try to modify the NTFS file system permissions on a file or folder on a network share, you may receive one of the following error messages:

Object Picker cannot open because it cannot determine whether Network Name Resource is joined to a domain.

In this error message, Network Name Resource is the NetBIOS name (or fully qualified domain name [FQDN]) of the computer you are trying to access. When you click Close, you receive the following error message:

Unable to display the user selection dialog.
Access is denied.

If you are using a Windows NT 4.0-based computer, you may receive the following error message when you try to add entries to the Access Control List (ACL):

Access Denied

You receive this error message when the environment includes a Windows NT 4.0 domain that has a Windows NT 4.0-based server and a Windows 2000 Professional-based client computer. The error occurs when you change permissions on a member server; it does not occur when you change permissions on a domain controller (primary domain controller [PDC] or backup domain controller [BDC]).

You may also experience the following problems:

  • Users or groups that have Full Control access cannot delegate permissions.
  • Users who have Full Control access cannot make permission changes on a DFS share.
  • If you give the non-privileged user the right to log on locally to the file server where the error message occurs, and that user logs on locally, the user can edit the ACL successfully. The failure only occurs when the ACL is edited over the network.

If you are using a Windows Server 2003-based computer and you try to modify the NTFS file system permissions on a file or on a folder on a network share, you may receive the following error message:

The program cannot open the required dialog box because it cannot determine whether the computer named "Network Name Resource" is joined to a domain. Close this message, and try again.

In this error message, Network Name Resource is the NetBIOS name or the fully qualified domain name (FQDN) of the computer that you are trying to access. When you click Close, you receive the following error message:

Unable to display the user selection dialog. The RPC server is unavailable.

RESOLUTION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To troubleshoot this problem, perform each of the following troubleshooting steps in order. After you complete each step, check whether you can delegate permissions. If you still cannot delegate permissions, continue to the next step.

Step 1: Confirm the TCP/IP NetBIOS Settings

  1. Verify that NetBIOS over TCP/IP is enabled in the advanced TCP/IP settings (WINS tab) of the network connection on the Windows 2000-based computer.
  2. Verify that the TCP/IP NetBIOS Helper (LmHosts) service is enabled and started on the domain controllers and on all member servers.

Step 2: Confirm That There Are No Access Restrictions to the Registry

  • Verify that 'System\CurrentControlSet\Control\ProductOptions' is listed in the Machine value:
    1. Start Registry Editor.
    2. Locate and then click the following registry key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths

    3. Confirm the following settings:

      Value: Machine
      Type: REG_MULTI_SZ - Multi string
      Default Data:
      System\CurrentControlSet\Control\ProductOptions
      System\CurrentControlSet\Control\Print\Printers
      System\CurrentControlSet\Control\Server Applications
      System\CurrentControlSet\Services\Eventlog
      Software\Microsoft\Windows NT\CurrentVersion

    Each entry in the Machine value is a path to a location in the registry. The Machine value grants remote computer access to the listed locations, provided that no explicit access restriction exists on that location. The Object Picker reads ProductOptions remotely to determine the product type and domain membership of the server, so removing that path from the list causes the error message.
  • Verify that the winreg registry key has Read permissions for the System account:
    1. Start Registry Editor.
    2. Locate and then click the following registry key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

    3. On the Edit menu, click Permissions, and then make sure that the System account has Read permissions for the key.

    If the winreg registry key does not have the correct permissions, you can either correct the permissions in the Permissions dialog box or export the key from a server that works and import it on the server that you are trying to access.

    For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

    314837 How to manage remote access to the registry

Step 3: Confirm that Anonymous Connections Can Perform Enumeration Functions

Confirm the following registry settings on the member servers that you are trying to access:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 0


This registry value configures local system policy to determine whether authentication is required before common enumeration functions, such as obtaining the list of account names, can be performed. Requiring authentication for the account name list is optional.

When the RestrictAnonymous value is set to 1, anonymous connections that are generated from the Graphical User Interface (GUI) tools for security management receive an "access denied" error message when these connections try to obtain the list of account names.

For additional information about the "RestrictAnonymous" registry value, click the following article number to view the article in the Microsoft Knowledge Base:

178640 Could not find domain controller when establishing a trust


Step 4: Confirm SMB Signing Settings

You may receive the error message that is described in the "Symptoms" section of this article if SMB signing is enabled on the server and, in particular, if it is required. To confirm that SMB signing is neither enabled nor required on the server:

  1. Start Registry Editor.
  2. Locate and then click the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters

    This key contains the following values:

    Value Name: EnableSecuritySignature
    Data Type: REG_DWORD
    Data: 0 (disable), 1 (enable)
    Default: 0

    Value Name: RequireSecuritySignature
    Data Type: REG_DWORD
    Data: 0 (disable), 1 (enable)
    Default: 0

  3. Set the EnableSecuritySignature value and the RequireSecuritySignature value to 0 (zero).

For additional information about this registry key, click the following article number to view the article in the Microsoft Knowledge Base:

161372 How to enable SMB signing in Windows NT


Step 5: Confirm that the domain controller is reachable

If you cannot view or make permission changes on a Distributed File System (DFS) share, verify that you can reach a domain controller by testing name resolution. If your DNS server returns a list of IP addresses for domain controllers, your computer pings the first IP address to check connectivity. After a successful ping reply, the client tries to connect to the domain controller by using the SMB protocol. If either step fails, you receive the "Object Picker" error message.
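The following PowerShell script is an added example, not part of the original Knowledge Base article. It audits in one pass the settings that Steps 1 through 5 ask you to confirm, run on the file server that hosts the share, and then reproduces the Object Picker's remote registry read from the client's point of view. It assumes Windows PowerShell 2.0 or later running elevated; the parameter defaults (the local computer as the share host, `dc01.example.local` as a domain controller) are placeholders that you replace with your own names.

```powershell
# Added example (not from KB 816818): audit the Step 1-5 settings the article checks.
# Assumes Windows PowerShell 2.0+, run elevated on the server that hosts the share.
param(
    [string]$Server = $env:COMPUTERNAME,    # assumed: member server hosting the share
    [string]$Dc     = 'dc01.example.local'  # assumed: FQDN of a domain controller
)

$findings = @()

# Step 1: NetBIOS over TCP/IP on each IP-enabled adapter, plus the lmhosts service.
# TcpipNetbiosOptions: 0 = setting from DHCP, 1 = enabled, 2 = disabled
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE'
foreach ($nic in $nics) {
    if ($nic.TcpipNetbiosOptions -eq 2) {
        $findings += "NetBIOS over TCP/IP is disabled on '$($nic.Description)'"
    }
}
$helper = Get-Service -Name lmhosts -ErrorAction SilentlyContinue
if (-not $helper -or $helper.Status -ne 'Running') {
    $findings += 'TCP/IP NetBIOS Helper (lmhosts) service is not running'
}

# Step 2: ProductOptions must be in winreg\AllowedPaths\Machine, and SYSTEM needs Read on winreg.
$winreg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$allowed = (Get-ItemProperty -Path "$winreg\AllowedPaths" -Name Machine -ErrorAction SilentlyContinue).Machine
if (-not ($allowed -contains 'System\CurrentControlSet\Control\ProductOptions')) {
    $findings += 'winreg\AllowedPaths\Machine does not list System\CurrentControlSet\Control\ProductOptions'
}
$readKey    = [System.Security.AccessControl.RegistryRights]::ReadKey
$systemRead = (Get-Acl -Path $winreg).Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.RegistryRights -band $readKey) -eq $readKey)
}
if (-not $systemRead) { $findings += 'SYSTEM does not have Read on the winreg key' }

# Step 3: RestrictAnonymous. A missing value means the default of 0.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($null -ne $lsa.RestrictAnonymous -and $lsa.RestrictAnonymous -ne 0) {
    $findings += "RestrictAnonymous is $($lsa.RestrictAnonymous); the article expects 0"
}

# Step 4: server-side SMB signing.
$srv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
if ($srv.RequireSecuritySignature -eq 1) { $findings += 'RequireSecuritySignature = 1 (SMB signing required)' }
if ($srv.EnableSecuritySignature  -eq 1) { $findings += 'EnableSecuritySignature = 1 (SMB signing enabled)' }

# Step 5: resolve the domain controller and open an SMB (TCP 445) connection to its first address.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Dc)
    $tcp   = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($addrs[0], 445)
    $tcp.Close()
} catch {
    $findings += "Cannot resolve or reach $Dc on TCP 445: $($_.Exception.Message)"
}

# The Object Picker's own remote read: query ProductOptions over the winreg named pipe.
# An "Access is denied" result here is the same condition the Symptoms section describes.
$remote = & reg.exe query "\\$Server\HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" 2>&1
if ($LASTEXITCODE -ne 0) { $findings += "Remote registry query against \\$Server failed: $remote" }

if ($findings.Count -eq 0) { 'All KB 816818 checks passed' } else { $findings }
```

Run the `reg.exe query` part from the client computer (as the non-privileged user who sees the error) to check the remote registry path independently of the server-side audit. Note that two of the article's expected values are the weaker choice for a modern network: RestrictAnonymous = 0 lets unauthenticated callers enumerate account names, and disabled SMB signing removes the protection against SMB relay and tampering. Where the winreg permissions and AllowedPaths are the real cause, fixing those is enough, and the other two settings can stay hardened.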

MORE INFORMATION

  • You can use the Windows NT Cacls.exe utility to verify correct permission settings.
  • When you view a network trace that was captured with Network Monitor, you may see SMB STATUS_ACCESS_DENIED and RPC 'Return Value = 5 (0x5)'. This return value corresponds to the 'Access Denied' error in remote procedure calls (RPC) when a named pipe to winreg is opened.

Additional Scenarios Where This Problem May Occur

In a Clustered File Share

The error messages that are described in the "Symptoms" section may occur if the share is located on a cluster server as a file share resource, and if all of the following conditions exist:

  • Microsoft SQL Server 7.0 is installed on the cluster server, and it was configured as a cluster resource in an active/passive configuration by using the SQL Failover Wizard.
  • The file share that you are connecting to is hosted by a cluster server as a file share resource.
  • The folder that the file share points to is located on the same hard disk as SQL Server 7.0 on the cluster server, and it is in the same resource group as SQL Server 7.0.
  • You are trying to modify NTFS permissions on a file that is located on the cluster server by using a user account that does not have administrator credentials on the cluster server.

If these conditions exist, create the File Share resource in a different cluster resource group and on a different hard disk than the hard disk where SQL Server 7.0 is installed.

For additional information about this procedure, click the following article number to view the article in the Microsoft Knowledge Base:

267833 Cannot set NTFS permissions on files located on clustered file share resource


In Microsoft SharePoint Portal Server

If you use Web folders to gain access to a workspace, user accounts may not appear on the Security tab in the properties of a folder. If you try to add an account, you may receive the error message described in the "Symptoms" section.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

309353 You cannot view security information when you are connected with virtual hosting or the server


REFERENCES

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

157475 Access denied when trying to add ACL entries

153183 How to restrict access to the registry from a remote computer

143474 Restricting information available to anonymous logon users

263231 Error Message: Object Picker cannot open because no locations from which to choose objects could be found

284914 Error Message: Object Picker Cannot Open Because No Locations from Which to Choose Objects Could Be Found

323170 How to backup, edit, and restore the registry in Windows NT 4.0

322755 How to backup, edit, and restore the Registry in Windows 2000



Additional query words: Objectpicker, STATUS_ACCESS_DENIED 0xC0000022, remote registry, Remote Procedure Call (RPC)

Keywords: kbprb KB816818