RE: ISA 2004 REPORT FAILURE
- From: v-crinal@xxxxxxxxxxxxxxxxxxxx ("Crina Li")
- Date: Thu, 14 Sep 2006 09:25:40 GMT
Hi Chris,
Thanks for your update.
Do you mean the NETWORK SERVICES permissions are still missing from the ISA
folders after a clean boot? If so, I suggest we restart the computer in
Safe Mode with Network to see if the problem also occurs in this mode. Safe
Mode loads a minimally protected-mode configuration, disabling Windows
device drivers and using the standard VGA display adapter.
1. Restart the computer.
2. Keep pressing the F8 key until the Windows Startup menu appears.
3. Choose Safe Mode with Network, and press Enter.
Note: Some third party applications and hardware devices cannot be used
during Safe Mode.
Also, you can enable the audit log in the Event log to do so. I provide the detailed
steps on SBS for your reference:
1. Click Start, click Run, type "gpmc.msc" and click OK.
2. Expand Domains -> your domain -> Domain Controllers.
3. Right-click Small Business Server Auditing Policy and click Edit.
4. Expand Computer Configuration -> Windows Settings -> Security Settings
-> Local Policies -> Audit Policy.
5. In the right pane, double-click "Audit object access".
6. To audit successful access of specified files or folders, select the
Success check box.
7. To audit unsuccessful access to these objects, select the Failure check
box.
8. To enable auditing of both, select both check boxes.
9. Click OK.
10. Run "gpupdate /force" or restart the computer so that the policy takes
effect on SBS.
After you enable auditing, you need to specify the files or folders that you
want audited. To do so:
1. In Windows Explorer, locate the file or folder you want to audit.
2. Right-click the file or folder that you want to audit, and then click
Properties.
3. Click the Security tab, and then click Advanced.
4. Click the Auditing tab, and then click Add.
5. In the "Enter the object name to select" box, type the name of the user
or group whose access you want to audit. You can browse the computer for
names by clicking Advanced, and then clicking Find Now in the "Select User
or Group" dialog box.
6. Click OK.
7. Select the Successful or Failed check boxes for the actions you want to
audit, and then click OK.
8. Click OK, and then click OK.
After that, you may check the Security event log to find who changed the
permission.
Please note: Frankly, checking the security event log to track which user
updated a certain public folder is not an easy way, since there are a bunch of
logs there.
More information:
174073 Auditing User Authentication
http://support.microsoft.com/?id=174073
Using Audit Policies to Secure Your Windows 2000 Network
http://whidbey.msdn.microsoft.com/library/default.asp?url=/library/en-us/dnexnt00/html/ewn0054.asp
Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/details.aspx?familyid=f62b2722-267c-4642-b287-c31115ef10a4&displaylang=en
Thanks for your time and I look forward to your reply.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: =?Utf-8?B?Q2hyaXM=?= <Chris@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: ISA 2004 REPORT FAILURE
| Date: Wed, 13 Sep 2006 17:56:02 -0700
|
| Registry key is as you have noted, so did not change
| and still receive the event.
|
| Update on Restart procedure.
| performed steps 1 to 6
| machine restarted ok
| NETWORK SERVICES Permissions remained
| Received a service failed to load message
| on inspecting services list the microsoft firewall service failed to load
|
| Events in the application log was as follows
|
| Event id 14127
| The web proxy filter could not initialise
| Error code 505.112.4.0.2165.594
|
| Event id 14060
| Cannot load an application filter Web Proxy Filter
| 4CB7513E-220E-4C20-815A-1367BAA295FF4
| FilterInit fail with error code 0x80070005
|
| Event id 14001
| Firewall service failed to initialize
|
| only way to start firewall was to reapply ISA 2004 SP2
| this stopped ISA server related services
| copied new files
| registered modules
| started services
| started ISA server related services
| and finished
|
| Still had to manually start the firewall, POP3, Exchange routing engine,
| SMTP and WWW publishing services, but these started with no problems
|
| Machine is now back to state before restart with
| all services ok, all system running fine until the next
| morning when I expect ISA reports will fail
| due to NETWORK SERVICES missing on folders
| Have not restarted server since.
|
| Your thoughts on this?
|
| Thanks
| Chris
|
| "Crina Li" wrote:
|
| > Hi Chris,
| >
| > Thanks for your update.
| >
| > Based on my research, 1704 SceCli may occur if the registry information
| > regarding Group Policy refresh has been set inappropriately. Please
| > perform the following steps:
| >
| > 1. Open Registry Editor.
| > 2. Locate the following key:
| >
| > HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
| >
| > 3. Modify the Value MaxNoGPOListChangesInterval to 3c0
| >
| > This is the default value and it will reset "forced policy" re-application
| > to 16 hours (960 minutes).
| >
| > For more detailed information regarding this value, please refer to the
| > following KB article:
| >
| > 277543 How to delay security policies from being applied
| > http://support.microsoft.com/?id=277543
| >
| > Thanks for your time and I look forward to hearing from you.
| >
| > Best regards,
| >
| > Crina Li (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | From: =?Utf-8?B?Q2hyaXM=?= <Chris@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | Subject: RE: ISA 2004 REPORT FAILURE
| > | Date: Tue, 12 Sep 2006 16:03:02 -0700
| > |
| > | Have not had a spare moment yet to cycle the server
| > | to test your options, but planning to do so in the next
| > | few days.
| > |
| > | Thought I'd pass on a few observations.
| > |
| > | Reset the NETWORK SERVICES permissions before leaving
| > | work last night, checked remotely on the server at about 10pm
| > | and they were still there. This morning permissions were
| > | missing again.
| > |
| > | Checked the application event log and the only log entry
| > | of any interest between 10pm and 8am was an event 1704 SceCli
| > | stating Security policy in the Group policy objects has been applied
| > | successfully
| > | all other events between 10pm and 8am were normal stuff
| > |
| > | apparently policies get updated on reboot, that is why I guess
| > | you want me to do a clean reboot to see if the permissions change.
| > |
| > | Again as the small business server is used constantly will try asap
| > | to confirm above following the steps outlined by yourself.
| > |
| > | would be interesting to know if my above observations indicate
| > | something that may help resolve problem.
| > |
| > | thanks.
| > |
| > | Chris
| > |
| > | "Chris" wrote:
| > |
| > | > Thanks again for the quick reply,
| > | > When I add back the NETWORK SERVICES permissions
| > | > to the folders, they stay until the next morning, at which
| > | > time the ISA reports fail because the permissions have
| > | > been removed. The only thing running at night is
| > | > backup exec from a member server, backing up the
| > | > exchange and the whole small business server.
| > | >
| > | > I will find some down time for the server and try steps 1 - 6
| > | > to see if the permissions remain after the reboot and
| > | > advise.
| > | >
| > | > thanks for the info
| > | >
| > | > Regards
| > | > Chris
| > | >
| > | > "Crina Li" wrote:
| > | >
| > | > > Hi Chris,
| > | > >
| > | > > Thanks for your update.
| > | > >
| > | > > Do you mean Network Services will be removed for the c:\Program files\Microsoft
| > | > > ISA Server folder? After you add it again, does it still disappear?
| > | > >
| > | > > As for the unknown SID S-1-5-32-547, it is the SID for the "Power Users" group.
| > | > > This group only exists on member servers and workstations' local SAM
| > | > > database. After you upgrade the computer to a domain controller, it will
| > | > > show as unknown SID.
| > | > >
| > | > > As for the missing Network Services, please try to perform a clean boot
| > | > > on SBS to see how things go:
| > | > >
| > | > > 1. Click Start, click Run, and then in the Open box, type "MSCONFIG"
| > | > > (without the quotation marks). Click OK.
| > | > > 2. In the System Configuration Utility (MSConfig) window, click to select
| > | > > the Selective Startup button.
| > | > > 3. Click to clear the check mark from the "Load startup items" below
| > | > > Selective Startup.
| > | > > 4. Click the Services tab, click to check the "Hide All Microsoft Services"
| > | > > box, and remove all the check marks from the remaining Non-Microsoft
| > | > > Services. Please note that the Exchange services could be marked as
| > | > > non-Microsoft. Please do not disable those services.
| > | > > 5. Click OK to close the MSConfig window. Click Yes when you are asked to
| > | > > restart your computer in order to enable the changes.
| > | > > 6. After restarting, please check whether this issue will reoccur.
| > | > >
| > | > > Related information:
| > | > >
| > | > > 827016 Local Service and other well-known security principals do not appear
| > | > > on your Windows Server 2003 domain controller
| > | > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;827016
| > | > >
| > | > > I appreciate your time and look forward to hearing from you.
| > | > >
| > | > > Best regards,
| > | > >
| > | > > Crina Li (MSFT)
| > | > >
| > | > > Microsoft CSS Online Newsgroup Support
| > | > >
| > | > > Get Secure! - www.microsoft.com/security
| > | > >
| > | > > --------------------
| > | > > | From: =?Utf-8?B?Q2hyaXM=?= <Chris@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | > > | Subject: RE: ISA 2004 REPORT FAILURE
| > | > > | Date: Sun, 10 Sep 2006 15:16:01 -0700
| > | > > |
| > | > > | Update after week end,
| > | > > | think I have found the problem
| > | > > | The NETWORK SERVICES permissions are missing
| > | > > | from the ISA folders.
| > | > > |
| > | > > | this is very strange as I specifically set NETWORK SERVICES
| > | > > | permissions from the program files root directory
| > | > > | before the week end.
| > | > > |
| > | > > | When I turn up Monday they have been removed by the system !!
| > | > > | and I have a S-1-5-32-547 user that was not there before
| > | > > |
| > | > > | Once NETWORK SERVICES permissions are set all is well
| > | > > | What could possibly be removing it and where does this
| > | > > | S-1-5-32-547 come from, solve this and the mystery is revealed
| > | > > |
| > | > > | thanks.
| > | > > | Chris
| > | > > |
| > | > > | "Chris" wrote:
| > | > > |
| > | > > | > Just as an update, I have noticed that the log directories
| > | > > | > receive their user information from the directories above
| > | > > | > I had a problem removing the unknown user from the log
| > | > > | > directories.
| > | > > | >
| > | > > | > I went to the program files root directory, removed the
| > | > > | > unknown user and added network services to this directory
| > | > > | > therefore putting it to all directories below
| > | > > | >
| > | > > | > and guess what report publishing started to work fine
| > | > > | >
| > | > > | > I am going to check overnight and the week end to see
| > | > > | > if the report publishing stays enabled and if so well that's great
| > | > > | >
|
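The reply at the top of this thread enables "Audit object access", sets auditing on the folder, and then notes that finding the permission change in the Security log is hard because of the volume. The filter below is an added example, not code from any poster in the thread or from Microsoft: it keeps only object-access events on the ISA folder that requested WRITE_DAC or WRITE_OWNER. It assumes the event 560 ("Object Open") message layout of Windows Server 2003; the function names and all sample events are constructed for illustration.

```powershell
# Added example. The sample events are constructed; the field layout assumed is that
# of event 560 ("Object Open") in the Windows Server 2003 Security log.
function Get-AuditField([string]$Text, [string]$Name) {
    $m = [regex]::Match($Text, [regex]::Escape($Name) + ':[ \t]*([^\r\n]*)')
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { '' }
}

function Find-AclChange {
    param(
        [Parameter(ValueFromPipeline = $true)] $Record,  # needs TimeGenerated and Message
        [Parameter(Mandatory = $true)] [string] $Path    # the audited folder
    )
    process {
        $msg  = [string]$Record.Message
        $obj  = Get-AuditField $msg 'Object Name'
        $root = $Path.TrimEnd('\')
        # Keep only events on the audited folder itself or on anything below it.
        $below = $obj.StartsWith(($root + '\'), [System.StringComparison]::OrdinalIgnoreCase)
        if ($obj -ne $root -and -not $below) { return }
        # WRITE_DAC = change permissions, WRITE_OWNER = take ownership.
        $rights = [regex]::Matches($msg, '\b(WRITE_DAC|WRITE_OWNER)\b') |
            ForEach-Object { $_.Value } | Select-Object -Unique
        if (-not $rights) { return }
        $who = (Get-AuditField $msg 'Primary Domain') + '\' + (Get-AuditField $msg 'Primary User Name')
        [pscustomobject]@{
            Time    = $Record.TimeGenerated
            Object  = $obj
            Rights  = $rights -join ','
            User    = $who
            Process = Get-AuditField $msg 'Image File Name'
        }
    }
}

function New-SampleEvent($Time, $Object, $Accesses) {   # constructed test data only
    [pscustomobject]@{ TimeGenerated = [datetime]$Time; Message = @"
Object Open:
    Object Type: File
    Object Name: $Object
    Image File Name: C:\constructed\example.exe
    Primary User Name: demo-account
    Primary Domain: EXAMPLE
    Accesses: $Accesses
"@ }
}

$isa = 'C:\Program Files\Microsoft ISA Server'
$sample = @(
    # read-only access below the ISA folder
    New-SampleEvent '2006-01-01T01:00' "$isa\constructed-subfolder" 'READ_CONTROL'
    # permission change below the ISA folder
    New-SampleEvent '2006-01-01T02:00' "$isa\constructed-subfolder" "READ_CONTROL`n        WRITE_DAC"
    # permission change on an unrelated folder
    New-SampleEvent '2006-01-01T03:00' 'C:\constructed-other' 'WRITE_DAC'
)
$sample | Find-AclChange -Path $isa | Format-List

# Live log, Windows PowerShell:
#   Get-EventLog -LogName Security -InstanceId 560 | Find-AclChange -Path $isa
```

On Windows Server 2008 and later the same activity is logged under event IDs 4656, 4663 and 4670, whose message layout differs from the one assumed here.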