RE: Windows 2000 to Windows 2003 Upgrade!
From: Feng Mao (fengmao_at_online.microsoft.com)
Date: 08/02/04
Date: Mon, 02 Aug 2004 12:36:42 GMT
Hi Alan,
Thank you for posting!
First, I would like to verify whether Domain Admins group is in Local
Administrators group. As you know, sometimes, for some reason, Domain
Admins group was removed from Local Administrators group. Also, I would
like to know if Local Administrator account can modify local security
policy settings.
Your problem can also be related to the permission settings for the
registry keys. Below is the source code of a batch file to help you
refresh the permission settings and grant the full control permission to
local administrators and system.
===============
rem Replace <DOMAIN> with your domain name before running.
rem Set <DOMAIN>\administrators as owner of the system drive and registry hives.
subinacl /subdirectories %SystemDrive% /setowner=<DOMAIN>\administrators
subinacl /subkeyreg HKEY_LOCAL_MACHINE /setowner=<DOMAIN>\administrators
subinacl /subkeyreg HKEY_CURRENT_USER /setowner=<DOMAIN>\administrators
rem Grant full control (f) to <DOMAIN>\administrators.
subinacl /subdirectories %SystemDrive% /grant=<DOMAIN>\administrators=f
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=<DOMAIN>\administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=<DOMAIN>\administrators=f
rem Grant full control (f) to system.
subinacl /subdirectories %SystemDrive% /grant=system=f
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
===================
SubInACL can be downloaded from
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en.
You can copy the code between ============ and paste it into Notepad, then
save it as REFRESH.BAT. Please put the .BAT in the same folder as SubInACL.exe
and then run the batch file. It may take you tens of minutes to finish the
process.
I hope that it is helpful.
Have a nice day!
Thanks & Regards,
Feng Mao [MSFT], MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: alaniski@hotmail.com (Alan van Wyk)
| Newsgroups: microsoft.public.windows.server.migration
| Subject: Windows 2000 to Windows 2003 Upgrade!
| Date: 30 Jul 2004 06:33:39 -0700
|
| We are busy upgrading our Windows 2000 Network to Windows 2003!
| The problem is this:
|
| I currently have a Domain with 35 DCs . . .
| I have upgraded my first 2 File Servers (not DCs) to Windows 2003 and
| have found the process to run pretty smoothly! The problem however is
| that the new security restrictions have restricted me from being able
| to perform tasks I have before!
|
| Firstly, I log on as a Domain Admin, yet I am not able to
| 1) Modify local security policy Settings
| 2) When I run GPResult I get "INFO: The user does not have RSOP data."
| 3) Administrative VBScripts etc that used to run before no longer seem
| to function - quite often I get WMI - Access Denied Type errors! -
| Also, my VBScript logon script will not run for this reason(Seems WMI
| security has been tightened too much)
| 4) When I run the Group Policy Results Wizard, I get a greyed out
| 'Next' button on the second page
| 5) RSOP.msc returns "The Rsop Snap-in was unable to generate the
| computer or User's data due to insufficient permissions. - Access is
| denied!
| 6) WMI Scripts that used to work from remote locations when these
| machines were Windows 2000, no longer work!
|
| Surely, if I am logged on as a domain admin I should be able to access
| these?
|
|
| I suspect the problems are being caused by one of the following:
|
| 1) GPOs not being applied fully
| 2) WMI security permissions being tied down too tightly
| 3) WMI corrupt(though I have re-installed it on both machines)
| 4) Some sort of 'impersonation level' issue
|
|
| Does anyone out there have any clues what might cause any of the above
| errors? These are holding the deployment of my 2003 back rather
| frustratingly!
|
| I have pulled all my hair out and am now bald, but still have not
| found a solution!
|
| Please could someone help?
|
| The only Error log I can find that might give me a clue is this:
|
| Event Type: Warning
| Event Source: WinMgmt
| Event Category: None
| Event ID: 63
| Date: 29/07/2004
| Time: 15:21:36
| User: NT AUTHORITY\SYSTEM
| Computer: FPSLONBCK
| Description:
| A provider, PerfProv, has been registered in the WMI namespace,
| Root\default, to use the LocalSystem account. This account is
| privileged and the provider may cause a security violation if it does
| not correctly impersonate user requests.
|
| For more information, see Help and Support Center at
| http://go.microsoft.com/fwlink/events.asp.
|
| It was created when I was removing and re-adding WMI!
|
| Thanks
|
| Alan van Wyk
|
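A read-only pre-check for the first question in the reply (is Domain Admins in the local Administrators group, and does the logon token carry administrator rights), to run on the upgraded server before REFRESH.BAT changes any ownership or ACLs. This is an added example, not part of the original thread; it assumes English group names and the `whoami` command that ships with Windows Server 2003, and the file name CHECKADM.BAT is hypothetical.

```bat
@echo off
rem CHECKADM.BAT (hypothetical name) - added example, changes nothing on the system.
rem Assumes English group names; adjust the search string on localized installs.
setlocal
set FAIL=0

rem 1) Is Domain Admins listed as a member of the local Administrators group?
net localgroup Administrators | findstr /i /c:"Domain Admins" >nul
if errorlevel 1 (
    echo [!!] Domain Admins is NOT a member of local Administrators
    set FAIL=1
) else (
    echo [ok] Domain Admins is a member of local Administrators
)

rem 2) Does the current logon token include BUILTIN\Administrators?
rem    S-1-5-32-544 is the well-known SID of that group, so this check
rem    does not depend on the group's display name.
whoami /groups | findstr /c:"S-1-5-32-544" >nul
if errorlevel 1 (
    echo [!!] Current token does not include BUILTIN\Administrators
    set FAIL=1
) else (
    echo [ok] Current token includes BUILTIN\Administrators
)

rem Exit code 1 means at least one check failed.
endlocal & exit /b %FAIL%
```

If the first check fails, restoring the group membership is a much smaller change than resetting ownership and full control across the system drive and both registry hives.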