Tag Archive: permissions


Reference: https://blogs.technet.microsoft.com/askds/2011/07/28/troubleshooting-sid-translation-failures-from-the-obvious-to-the-not-so-obvious/

https://www.microsoft.com/en-US/download/details.aspx?id=53314

How Domain and Forest trusts work: https://technet.microsoft.com/en-us/library/cc757352(v=ws.10).aspx

EMC ISILON SID translation errors: https://community.emc.com/thread/177333?tstart=0

 

Actions to do:

Check the trust relationships (nltest /domain_trusts lists them; nltest /sc_verify checks the secure channel to the trusted domain).

Check the firewall logs and use PortQry to test the ports the translation needs (RPC 135 plus the dynamic range, SMB 445, Kerberos 88, LDAP 389/636). The nltest and netdom command lines help here as well.

Check the GPO setting "Network access: Allow anonymous SID/Name translation" and the user right "Access this computer from the network". By default the following groups hold that right on domain controllers:

Administrators
Authenticated Users
Everyone
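Added example, not from the original post: the checks listed above as a PowerShell script, run in an elevated session on the machine that fails to translate SIDs. The trusted domain, DC name and the account/SID under test are placeholders (assumptions) and must be replaced; Test-NetConnection stands in for PortQry and needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not code from the original post). Placeholders are assumptions.
$TrustedDomain = 'contoso.example'       # assumption: the partner domain of the trust
$RemoteDc      = 'dc1.contoso.example'   # assumption: one DC of that domain

# 1. Trust relationships: enumerate them and verify the secure channel to the partner.
nltest /domain_trusts /all_trusts
nltest /sc_verify:$TrustedDomain

# 2. Ports: SID/name lookups across a trust ride on RPC (135 + a dynamic port),
#    SMB (445), Kerberos (88/464) and LDAP (389/636/3268).
function Test-DcPorts([string]$Dc) {
    foreach ($port in 88, 135, 389, 445, 464, 636, 3268) {
        $r = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Dc = $Dc; Port = $port; Open = $r.TcpTestSucceeded }
    }
}
Test-DcPorts $RemoteDc | Format-Table -AutoSize

# 3. The translation itself, in both directions, through the local LSA exactly as
#    the failing application would do it. A failure here names the SID/account and
#    the LSA error, which is what the linked troubleshooting article keys on.
function Test-SidTranslation([string]$Account, [string]$Sid) {
    try {
        $s = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])
        "{0} -> {1}" -f $Account, $s.Value
    } catch { "{0} -> FAILED ({1})" -f $Account, $_.Exception.Message }
    try {
        $n = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount])
        "{0} -> {1}" -f $Sid, $n.Value
    } catch { "{0} -> FAILED ({1})" -f $Sid, $_.Exception.Message }
}
# Placeholder (assumption): the Domain Admins group (RID 512) of an invented domain SID.
Test-SidTranslation -Account 'CONTOSO\Domain Admins' -Sid 'S-1-5-21-1004336348-1177238915-682003330-512'

# 4. Local policy: who holds "Access this computer from the network" (SeNetworkLogonRight)
#    and whether "Allow anonymous SID/Name translation" is on (LSAAnonymousNameLookup = 1).
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null
Select-String -Path $inf -Pattern '^(SeNetworkLogonRight|LSAAnonymousNameLookup)' | ForEach-Object { $_.Line }
Remove-Item $inf -ErrorAction SilentlyContinue
```

The exported policy lists the user right as SIDs: *S-1-5-32-544 is Administrators, *S-1-5-11 Authenticated Users and *S-1-1-0 Everyone, which is the default list for domain controllers given above. Anything missing from that line on a DC, or a blocked port in step 2, is a more likely cause than the trust itself.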

Which permissions/rights does a user need to have WMI access on remote machines?

http://serverfault.com/questions/28520/which-permissions-rights-does-a-user-need-to-have-wmi-access-on-remote-machines

The following works on Windows Server 2003 R2 SP2 and Windows Server 2012 R2:

1. Add the user(s) in question to the Performance Monitor Users group.

2. Under Services and Applications, bring up the properties dialog of WMI Control (or run wmimgmt.msc). In the Security tab, highlight Root/CIMV2, click Security, add Performance Monitor Users and enable the options Enable Account and Remote Enable.

3. Run dcomcnfg. At Component Services > Computers > My Computer, in the COM Security tab of the Properties dialog click "Edit Limits" for both Access Permissions and Launch and Activation Permissions. Add Performance Monitor Users and allow Remote Access, Remote Launch and Remote Activation.

4. Select Windows Management Instrumentation under Component Services > Computers > My Computer > DCOM Config and give Remote Launch and Remote Activation privileges to the Performance Monitor Users group.

Notes:

As an alternative to steps 3 and 4, one can add the user to the group Distributed COM Users (tested on Windows Server 2012 R2).
If the user needs access to all namespaces, apply the settings of step 2 at the Root level and recurse the permissions to the sub-namespaces via the Advanced window in Security.
Performance Monitor Users carries other rights besides WMI (remote access to performance counter data); a dedicated group, such as the myDomain\wmiquery-users used below, keeps the WMI grant separate and easier to audit.

 

Other method with dcomperm and WmiSecurity and a dedicated group called myDomain\wmiquery-users:

dcomperm -ma set myDomain\wmiquery-users permit level:l,r

dcomperm -ml set myDomain\wmiquery-users permit level:ll,la,rl,ra

dcomperm -dl remove myDomain\wmiquery-users permit level:ll,la,rl,ra

WmiSecurity /C=$Env:COMPUTERNAME /A /N=Root /M="myDomain\wmiquery-users:REMOTEACCESS_EXECMETHODS" /R

-ma edits the machine-wide access limits (l = local access, r = remote access) and -ml the machine-wide launch and activation limits (ll/la = local launch/activation, rl/ra = remote launch/activation); these are the two "Edit Limits" dialogs of step 3 above. -dl is the default launch permission list ("Edit Default"), from which the group is removed again. WmiSecurity adds (/A) the group to the Root namespace (/N=Root) and, with /R, to every namespace below it, which is the recursive variant of step 2.
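Added example, not code from the original post, from the serverfault answer or from the dcomperm/WmiSecurity tools: the same grant done with built-in PowerShell only. It adds an "Enable Account + Remote Enable" ACE for a group on a WMI namespace (recursing to sub-namespaces as the Advanced dialog does), puts the group in Distributed COM Users instead of editing the DCOM limits, and verifies from another host over DCOM. Assumptions: the group name, target host and test user are placeholders; Add-LocalGroupMember needs Windows 10 / Server 2016 or later (use "net localgroup" on older hosts); run elevated on the target.

```powershell
# Added example (not the post's own code). Group/host names below are assumptions.

# WMI namespace access-mask bits (WbemCli.h)
$WBEM_ENABLE         = 0x1      # "Enable Account"
$WBEM_METHOD_EXECUTE = 0x2      # "Execute Methods"
$WBEM_REMOTE_ACCESS  = 0x20     # "Remote Enable"
$CONTAINER_INHERIT   = 0x2      # ACE flag: sub-namespaces inherit this ACE
$ACCESS_ALLOWED      = 0        # ACE type

function Grant-WmiNamespaceRemoteRead {
    param(
        [Parameter(Mandatory)][string]$Account,   # DOMAIN\group
        [string]$Namespace = 'root\cimv2',
        [switch]$AllowMethods                     # also allow Invoke-WmiMethod / Invoke-CimMethod
    )
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # The namespace security descriptor hangs off the singleton __SystemSecurity object.
    $get = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name GetSecurityDescriptor
    if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor on $Namespace failed: $($get.ReturnValue)" }
    $sd = $get.Descriptor

    # Idempotent: do not stack a second allow ACE for the same SID.
    if ($sd.DACL | Where-Object { $_.Trustee.SidString -eq $sid -and $_.AceType -eq $ACCESS_ALLOWED }) {
        Write-Verbose "$Account already has an allow ACE on $Namespace"
        return
    }

    $mask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
    if ($AllowMethods) { $mask = $mask -bor $WBEM_METHOD_EXECUTE }

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $sid
    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $mask
    $ace.AceFlags   = $CONTAINER_INHERIT
    $ace.AceType    = $ACCESS_ALLOWED
    $ace.Trustee    = $trustee

    $sd.DACL += $ace.psobject.ImmediateBaseObject
    $set = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' `
                            -Name SetSecurityDescriptor -ArgumentList $sd.psobject.ImmediateBaseObject
    if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor on $Namespace failed: $($set.ReturnValue)" }
}

# DCOM side: Distributed COM Users is already present in the default machine-wide
# Access and Launch/Activation limits, so membership replaces the dcomcnfg edits.
function Grant-DcomRemoteAccess([Parameter(Mandatory)][string]$Account) {
    $present = Get-LocalGroupMember -Group 'Distributed COM Users' -Member $Account -ErrorAction SilentlyContinue
    if (-not $present) { Add-LocalGroupMember -Group 'Distributed COM Users' -Member $Account }
}

Grant-WmiNamespaceRemoteRead -Account 'MYDOMAIN\wmiquery-users' -Namespace 'root\cimv2'
Grant-DcomRemoteAccess       -Account 'MYDOMAIN\wmiquery-users'

# Verification, run as a member of the group from another host. Force the DCOM
# transport: Get-CimInstance -ComputerName defaults to WinRM and would test the wrong path.
$opt  = New-CimSessionOption -Protocol Dcom
$sess = New-CimSession -ComputerName 'target.mydomain.example' -SessionOption $opt `
                       -Credential (Get-Credential -UserName 'MYDOMAIN\wmiquery-user1' -Message 'group member')
Get-CimInstance -CimSession $sess -ClassName Win32_OperatingSystem | Select-Object CSName, Caption, LastBootUpTime
Remove-CimSession $sess
```

Leave -AllowMethods off unless the callers really need it: Remote Enable plus Execute Methods on root\cimv2 is enough to call Win32_Process.Create, which turns a read-only monitoring account into a remote code execution path for anyone who obtains its password.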

 

AD object permissions:

http://www.selfadsi.org/deep-inside/ad-security-descriptors.htm

http://technet.microsoft.com/en-us/library/cc740104(v=ws.10).aspx

 

How to hide AD data:

part 1: http://windowsitpro.com/active-directory/hiding-data-active-directory

part 2: http://windowsitpro.com/active-directory/hiding-active-directory-objects-and-attributes

part 3: http://windowsitpro.com/active-directory/hiding-data-active-directory-part-3-enabling-list-object-mode-forest

part 4: http://windowsitpro.com/active-directory/using-confidentiality-bit-hide-data-active-directory


AD permissions – How are rights evaluated?

Two types of rights exist: permissions (authorization to do something, such as read or reset a password, on a specific object) and privileges or user rights (authorization to do something, like log on or add users, that affects an entire computer rather than a specific object).

Similar to the evaluation of file system access control, the right to access or use AD objects is determined by the security context attached to the application that attempts the access. When users authenticate to a system, the authorization information they have been given (their SID, the SIDs of the groups they belong to, and their privileges) is collected and later used to create an access token. The access token is used when they attempt to gain access to some object. Programmatically, an access token can also be created from the security context of some other security principal, say the operating system, and used instead during the application's processing.

When the application requires the use of a file system, operating system or AD object, the SIDs in its access token are compared with the ACEs in the object's security descriptor (its DACL), for the specific access that was requested. ACEs are evaluated in order, and in a canonical DACL explicit Deny entries come before explicit Allow entries, so a Deny that matches the token wins over an Allow for the same right. If an Allow matches and no Deny does, access is granted. If nothing matches, or a Deny matches, the requested access is denied.

Right                   Description
DELETE                  Delete the object.
READ_CONTROL            Read security descriptor information (does not include the right to read the SACL).
WRITE_DAC               Modify the DACL in the object's security descriptor.
WRITE_OWNER             Take ownership of the object.
SYNCHRONIZE             Use the object for synchronization: a thread (the small executable portion of a process) can wait until the object is in the signaled state.
ACCESS_SYSTEM_SECURITY  Get or set the SACL.
GENERIC_READ            Read the security descriptor, list the object and its children, and read all properties.
GENERIC_WRITE           Write properties and write the DACL; add and remove the object from the directory.
GENERIC_EXECUTE         List the children of the object.
GENERIC_ALL             Create or delete children, delete the subtree, read and write properties, list the object and its children, add and remove the object from the directory, and perform any extended right.
DS_CREATE_CHILD         Create children (the ACE can specify the child object type that can be created; if it does not, this right allows creation of all child object types).
DS_DELETE_CHILD         Delete children (the ACE can specify the child object type that can be deleted; if it does not, this right allows deletion of all child object types).
DS_ACTRL_DS_LIST        List the children of the object.
DS_SELF                 Perform a validated write, for example add or remove oneself as a member of a group object.
DS_READ_PROP            Read properties of the object (the ACE can specify the property that can be read; if it does not, this right allows reading of all properties).
DS_WRITE_PROP           Write properties (the ACE can specify the property that can be written; if it does not, this right allows writing of all properties).
DS_DELETE_TREE          Delete all children of the object, regardless of the permissions set on the children.
DS_LIST_OBJECT          List a particular object (if not granted to a user, the object is hidden from that user; only enforced when List Object mode is enabled, see the "How to hide AD data" links above).
DS_CONTROL_ACCESS       Perform an operation covered by an extended access right, either a specific extended right or, by omission, all extended rights.
Some of the additional standard access rights are not available on all objects. The list and descriptions come from the Platform SDK documentation.


A comparison of NTFS and AD inheritance choices

NTFS inheritance choice              AD comparable setting               AD differences
This folder only.                    This object only                    Effective ACL
This folder, subfolders and files.   This object and all child objects
This folder and subfolders.          Each object type is specified.
This folder and files.               Each object type is specified.
Subfolders and files only.           Child objects only                  Inherit ACLs
Subfolders only.                     Each object type is specified.
Files only.                          Each object type is specified.
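Added example, not from the original article: dump the DACL of one AD object and flag the ACEs that hand control of it to principals outside an allow-list. The rights names are those of System.DirectoryServices.ActiveDirectoryRights, which correspond to the DS_* and GENERIC_* rights in the table above (ExtendedRight = DS_CONTROL_ACCESS, Self = DS_SELF, ListObject = DS_LIST_OBJECT, WriteDacl = WRITE_DAC, and so on), and InheritanceType corresponds to the inheritance comparison (None = this object only, All = this object and all child objects, Descendents = child objects only). Assumptions: a domain-joined host, the DN and the trusted-principal list are placeholders.

```powershell
# Added example (not the article's own code). DN and trusted principals are assumptions.
Add-Type -AssemblyName System.DirectoryServices
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

# Extended-right GUIDs worth naming (controlAccessRight objects of the AD schema).
$ExtendedRightNames = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

# Rights that amount to control of the object: GENERIC_ALL, GENERIC_WRITE, WRITE_DAC,
# WRITE_OWNER, DS_WRITE_PROP, DS_SELF and DS_CONTROL_ACCESS.
$ControlRights = $ADR::GenericAll -bor $ADR::GenericWrite -bor $ADR::WriteDacl -bor
                 $ADR::WriteOwner -bor $ADR::WriteProperty -bor $ADR::Self -bor $ADR::ExtendedRight

function Get-AdObjectDacl {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Explicit and inherited ACEs, identities rendered as DOMAIN\name.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        # ObjectType empty = the ACE covers the whole object (all properties / all extended rights);
        # otherwise it is restricted to one property, one child class or one extended right.
        $target = 'whole object'
        if ($r.ObjectType -ne [guid]::Empty) {
            $g = $r.ObjectType.ToString()
            $target = if ($ExtendedRightNames.ContainsKey($g)) { $ExtendedRightNames[$g] } else { "object/property $g" }
        }
        [pscustomobject]@{
            Identity    = $r.IdentityReference.Value
            Type        = $r.AccessControlType      # Allow / Deny
            Rights      = $r.ActiveDirectoryRights
            AppliesTo   = $target
            Inheritance = $r.InheritanceType        # None / All / Descendents / Children / SelfAndChildren
            Inherited   = $r.IsInherited
        }
    }
}

function Find-ControlAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        # assumption: the identities that are expected to control this object
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                               'MYDOMAIN\Domain Admins', 'MYDOMAIN\Enterprise Admins')
    )
    Get-AdObjectDacl $DistinguishedName | Where-Object {
        $_.Type -eq 'Allow' -and
        ([int]$_.Rights -band [int]$ControlRights) -ne 0 -and
        $Trusted -notcontains $_.Identity
    }
}

# Usage with a placeholder DN: everything first, then only the ACEs that warrant review.
$dn = 'CN=svc-backup,OU=Service Accounts,DC=mydomain,DC=example'
Get-AdObjectDacl $dn | Format-Table -AutoSize
Find-ControlAce  $dn | Format-Table -AutoSize
```

Read the AppliesTo column before acting on a hit: WriteProperty limited to one harmless attribute is noise, while WriteProperty on the whole object, WriteDacl, WriteOwner or User-Force-Change-Password granted to a broad group such as Authenticated Users is the kind of ACE that lets a low-privileged account take over the object.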


How to reset NTFS permissions on the system drive on Windows 7 or Windows 2008 R2?

After Windows 2008 R2 was installed, some files on drive C: were not accessible anymore and I was getting "Access Denied".

I tried right-click/Properties on the folders that were not accessible and changed their owner and their permissions, but some folders were still inaccessible no matter what I did. After some research, it turned out that the tool "cacls", which displays or changes ACLs (access control lists), can help to reset ACLs.

In Windows 7 and 2008 R2 it is called "icacls". To reset file permissions:

1. Run "cmd" as Administrator.

2. Go to the drive or folder in question, for example:

cd /d c:

cd /d d:

3. To reset the permissions of everything below the current folder, type:

icacls * /t /q /c /reset

/t recurses into subfolders, /q suppresses the success messages, /c continues past errors, and /reset replaces the explicit ACLs with the ACLs inherited from the parent. The Microsoft TechNet site has documentation for the icacls command.

4. And that's it!

After that, the file permissions were reset and I could access them back again.

Caveat: run this from the folder that is actually broken, not from the root of the system drive. Windows sets explicit, non-default ACLs on many system folders, and a recursive /reset from C:\ replaces them with whatever C:\ itself carries, which is hard to undo. Save the current entries first with "icacls . /save aclbackup.txt /t /c"; the saved names are relative to the parent of the folder, so the rollback is "icacls <parent folder> /restore aclbackup.txt".

Update:

It is possible that "icacls" fails with "Access denied" because the current account is not the owner of the files. In that case take ownership of the files first.

Just before step 3, type the following command:

takeown /r /f *

/r recurses; add /a to give ownership to the Administrators group rather than to the logged-on account, and /d y to answer the "take ownership of the folder?" prompts automatically.
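Added example, not from the original post: the same takeown/icacls repair wrapped in a PowerShell function that backs the ACLs up before touching them, is scoped to one folder rather than the whole drive, and shows the result afterwards. Assumptions: the paths are placeholders; run from an elevated PowerShell on Windows 7 / Server 2008 R2 or later.

```powershell
# Added example (not the post's own code). Paths are assumptions.
function Repair-FolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,               # the folder that answers "Access denied"
        [string]$BackupDir = "$env:SystemDrive\acl-backup" # where the pre-change ACLs are saved
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "$Path does not exist" }
    $Path = (Resolve-Path -LiteralPath $Path).Path
    if ($Path -eq "$env:SystemDrive\") { throw 'Refusing to reset the root of the system drive; point at the broken folder' }

    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $aclFile = Join-Path $BackupDir ('acls-{0}.txt' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    $parent  = Split-Path -Parent $Path

    # 1. Save the current DACLs of the whole tree (/t), skipping what we cannot read yet (/c).
    #    Rollback later with: icacls <parent> /restore <aclFile>
    icacls $Path /save $aclFile /t /c /q
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls /save returned $LASTEXITCODE; some entries were not saved" }

    # 2. Take ownership for the Administrators group (/a), recursively (/r), without prompting (/d y).
    takeown /f $Path /r /a /d y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

    # 3. Replace explicit ACEs with the ones inherited from the parent.
    icacls $Path /reset /t /c /q
    if ($LASTEXITCODE -ne 0) { throw "icacls /reset failed with exit code $LASTEXITCODE" }

    # 4. Show what the folder ended up with and where the backup is.
    Get-Acl -LiteralPath $Path | Format-List Owner, AccessToString
    "ACL backup: $aclFile  (restore with: icacls `"$parent`" /restore `"$aclFile`")"
}

Repair-FolderAcl -Path 'C:\inetpub\logs'   # assumption: a folder that lost its permissions
```

The guard against the system drive root is deliberate: the reset is only safe where the parent's inherited ACL is the one you actually want, which is true for a data folder and false for C:\ itself.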

Objective: allow WMI queries on a computer for a non-admin user or group.

The group to allow is mydomain\wmiquery-users.

The scripts require dcomperm.exe and wmisecurity.exe:

Authorize WMI users and set permissions on Win7 and Win2008 R2: http://technet.microsoft.com/en-us/library/cc771551.aspx

Example of PowerShell code: http://unlockpowershell.wordpress.com/2009/11/20/script-remote-dcom-wmi-access-for-a-domain-user/

Download WmiSecurity.exe from the CodeProject site: http://www.codeproject.com/KB/system/WmiSecurity.aspx

Download dcomperm.exe from: http://cid-62b84429c3a8a991.skydrive.live.com/self.aspx/SharePoint/DComPerm.zip

Both are third-party builds (dcomperm is the DCOMPERM sample from the Windows SDK): build them from source or verify them before running them with administrative rights on production hosts.

 1st step: Set up DCOM permissions:

@echo off
CLS
echo.
echo Windows computers - Set up DCOM Permissions - Oct 2011
echo __________________________________________________________________________________
echo.
rem Everything is written once to a per-computer log that is shown on screen,
rem so each dcomperm command (in particular the "set" ones) runs only once.
if not exist .\logs mkdir .\logs
set LOG=.\logs\Set-DCOM-Permissions_%computername%.txt
echo ==========================================================================>%LOG%
echo Show current DCOM permissions - current values on %computername% BEFORE...>>%LOG%
echo List machine access permission list...>>%LOG%
dcomperm -ma list >>%LOG%
echo List machine launch permission list...>>%LOG%
dcomperm -ml list >>%LOG%
echo List machine default launch permission list...>>%LOG%
dcomperm -dl list >>%LOG%
type %LOG%
pause
echo.>>%LOG%
echo ------------------------------------------------------------------------>>%LOG%
echo Set new DCOM permissions - new values on %computername%...>>%LOG%
echo Set machine access permission list (local and remote access)...>>%LOG%
dcomperm -ma set MYDOMAIN\wmiquery-users permit level:l,r >>%LOG%
echo Set machine launch permission list (local/remote launch and activation)...>>%LOG%
dcomperm -ml set MYDOMAIN\wmiquery-users permit level:ll,la,rl,ra >>%LOG%
echo Remove the group from the machine default launch permission list...>>%LOG%
dcomperm -dl remove MYDOMAIN\wmiquery-users permit level:ll,la,rl,ra >>%LOG%
echo.>>%LOG%
echo ------------------------------------------------------------------------>>%LOG%
echo Show current DCOM permissions - current values on %computername% AFTER...>>%LOG%
echo List machine access permission list...>>%LOG%
dcomperm -ma list >>%LOG%
echo List machine launch permission list...>>%LOG%
dcomperm -ml list >>%LOG%
echo List machine default launch permission list...>>%LOG%
dcomperm -dl list >>%LOG%
type %LOG%
goto end
:end

2nd step: Set up WMI Security:

@echo off
CLS
echo.
echo Windows computers - Set up WMI Security - Oct 2011
echo _________________________________________________________________________
echo.
rem Grant the group remote access on the Root namespace and, with /R, on every
rem namespace below it; run WmiSecurity once and keep its output in the log.
if not exist .\logs mkdir .\logs
set LOG=.\logs\Set-WMISecurity_%computername%.txt
echo ------------------------------------------------------------------------->%LOG%
echo Set up WMI Security on %computername%...>>%LOG%
WmiSecurity /C=%computername% /A /N=Root /M="MYDOMAIN\wmiquery-users:REMOTEACCESS" /R >>%LOG%
type %LOG%
goto end
:end
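Added example, not from the original post: read back what the two batch scripts above (and the dcomperm / WmiSecurity commands earlier on this page) changed, so the host can be reviewed before and after. It decodes the machine-wide DCOM limits, which dcomperm -ma/-ml store as binary security descriptors under HKLM\SOFTWARE\Microsoft\Ole, decodes the DACL of a WMI namespace, and lists the members of the two local groups used on this page. Assumptions: run elevated on the host; the namespace name is a parameter.

```powershell
# Added example (not the post's own code).

# COM_RIGHTS_* bits (iaccess.h). In the Access list 2/4 mean local/remote access;
# in the Launch list 2/4 mean local/remote launch and 8/16 local/remote activation.
$ComRights  = [ordered]@{ 1 = 'Execute'; 2 = 'Local'; 4 = 'Remote'; 8 = 'LocalActivate'; 16 = 'RemoteActivate' }
# WBEM_* namespace rights (WbemCli.h)
$WbemRights = [ordered]@{ 0x1 = 'Enable'; 0x2 = 'MethodExecute'; 0x4 = 'FullWrite'; 0x8 = 'PartialWrite'
                          0x10 = 'ProviderWrite'; 0x20 = 'RemoteEnable'; 0x20000 = 'ReadSecurity'; 0x40000 = 'EditSecurity' }

function ConvertTo-RightNames([int]$Mask, $Table) {
    ($Table.GetEnumerator() | Where-Object { ($Mask -band $_.Key) -ne 0 } | ForEach-Object { $_.Value }) -join ','
}
function Resolve-Sid([string]$Sid) {
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # unresolvable SID (deleted account, broken trust): show it raw
}

function Get-DcomMachineLimits {
    $key = 'HKLM:\SOFTWARE\Microsoft\Ole'
    foreach ($name in 'MachineAccessRestriction', 'MachineLaunchRestriction') {
        $bytes = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if (-not $bytes) { Write-Warning "$name not set; OS defaults apply (dcomperm -ma/-ml list shows them)"; continue }
        # The value is a self-relative security descriptor; parse it without touching COM.
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)
        foreach ($ace in $sd.DiscretionaryAcl) {
            [pscustomobject]@{
                List     = $name
                Type     = $ace.AceType
                Identity = Resolve-Sid $ace.SecurityIdentifier.Value
                Rights   = ConvertTo-RightNames $ace.AccessMask $ComRights
            }
        }
    }
}

function Get-WmiNamespaceAcl([string]$Namespace = 'root\cimv2') {
    $sd = (Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' -Name GetSecurityDescriptor).Descriptor
    foreach ($ace in $sd.DACL) {
        [pscustomobject]@{
            Namespace = $Namespace
            Type      = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
            Identity  = Resolve-Sid $ace.Trustee.SidString
            Rights    = ConvertTo-RightNames $ace.AccessMask $WbemRights
            Inherits  = [bool]($ace.AceFlags -band 0x2)   # CONTAINER_INHERIT_ACE: also applies below this namespace
        }
    }
}

# Report: the DCOM limits, every principal with Remote Enable on the namespace,
# and the local groups that this page uses to hand out DCOM/WMI rights.
Get-DcomMachineLimits | Format-Table -AutoSize
Get-WmiNamespaceAcl 'root\cimv2' | Where-Object { $_.Rights -match 'RemoteEnable' } | Format-Table -AutoSize
foreach ($g in 'Distributed COM Users', 'Performance Monitor Users') {
    "== $g"
    (Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue).Name
}
```

A principal that shows up with Remote in MachineAccessRestriction, Remote and RemoteActivate in MachineLaunchRestriction, and RemoteEnable on root\cimv2 can query this host over WMI from the network; if MethodExecute is in that last column as well, it can also run Win32_Process.Create there. Running the report on a sample of hosts is a quick way to find WMI grants that were never removed.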