Thanks Willem - I was definitely thinking along the same
lines - especially rgd. removal of rights to the default policies and creating a
special group for it that's empty be default (similar to leaving the Schema
Admins empty, which I always do until it's required for
something).
/Guido
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Willem Kasdorp Sent: Monday, November 08, 2004 4:40 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Issues with Win 2k3 Inplace Upgrade - Registry Security I have had similar
issues before at customer sites with apps modifying the DDP and DDCP, although
none this bad. ADMT is a notorious offender. I am seriously tempted to fix
it in the following way: -
create a
new DDP/DDCP (new name of course) with highest prio. Edit any additional
settings in the new policies. -
Remove
write for Domain Admins on the DDP/DDCP, and instead create an additional group
for write permissions. This group is empty by
default. This story might just
trigger me to do it… --
Regards, Willem From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Grillenmeier,
Guido Hello
folks, I've just had a very
curious issue at a customer, which took us a while to figure out. You should all
be aware of this as it could hurt you as well. After testing everything
successfully in the lab (and ADPREPing the production forest + domains), we've
inplace-upgraded the first production DC from Win2000 to Win2003 and it failed
with errors such as a crashing LSASS and a DHCP service, which couldn't start
due to access violation etc. It turns out that
this was caused due to a lengthy list of policy settings on the
Def Domain and Def DC Policy, which configured Security (ACL)
over one hundred registry keys and File
System folders
and files. The
resulting permissions were ok for Windows 2000, but incompatible
with Windows Server 2003 - e.g. the DHCP Client Service and the TCPIP Service
require specific permissions on their respective registry keys for the DHCP
service to start via the new Network
Service account. I see other's in
this list have also had issues with the DCHP service, which may be related
to the same thing. Although we
now fixed the issue by cleaning the policies and un-promoting the DC and
reinstalling it from scratch (since the 2003 OS's default permissions were
effectively overwritten due to the policy), I am looking for
clues on how these weird settings were introduced to the Def Dom and
the Def DC policy in the first place? The
settings were definitely not added manually "by accident" - more
likely by some whacky setup routine. Does anybody have an ideas
or experience with respect to services/apps which could have changed the domain
policies in this way? Thanks for any
feedback, Guido |
- RE: [ActiveDir] Issues with Win 2k3 Inplace Upgrade - ... Grillenmeier, Guido
- RE: [ActiveDir] Issues with Win 2k3 Inplace Upgra... Darren Mar-Elia
- [ActiveDir] XP SP2 and AD Za Vue
- RE: [ActiveDir] Issues with Win 2k3 Inplace Upgra... Salandra, Justin A.
- [ActiveDir] AD Replication over VPN Lou Vega
- RE: [ActiveDir] AD Replication over VPN Paul van Geldrop
- RE: [ActiveDir] AD Replication over V... Paul van Geldrop
- RE: [ActiveDir] Issues with Win 2k3 Inplace Upgra... Grillenmeier, Guido
- RE: [ActiveDir] Issues with Win 2k3 Inplace Upgra... Guy Teverovsky
- RE: [ActiveDir] Issues with Win 2k3 Inplace Upgra... Grillenmeier, Guido
- RE: [ActiveDir] Issues with Win 2k3 Inplace Upgra... Fugleberg, David A