Yep, Procmon was the first thing we did to troubleshoot. They found nothing in the almost 10,000,000 lines. We have done Wireshark, Procmon, their own internal code tracing stuff, sent them every log file, trace file, dmp file and anything else I or they could think of.
[I have no idea what I am saying in this next sentence] This vendor has changed the management framework their software runs under that allowed them to change their API and SDK so they can produce a “real” PowerShell implementation. They really want me to test their new PoSH stuff. For some strange reason they really want me to bless their new PoSH stuff. They also want me to have a documentation script ready for this new product when it is officially released using their new PoSH. Since I can’t get the product to run, I can’t test the new PoSH stuff. The vendor has assigned three devs to work with me to get this issue resolved. So I am really REALLY hoping it is not something in my AD that is messing things up. They are spending a lot of resources to get this found and fixed and I just hope the problem isn’t on my end. Thanks Webster From: [email protected] [mailto:[email protected]] On Behalf Of Ed Ziots Sent: Thursday, April 23, 2015 8:23 AM To: [email protected] Subject: Re: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE Also.turn on file auditing when running.the application and look at its processing via procmon This should help.debug.where the issue is if its a file permission problem Ed On Apr 23, 2015 9:19 AM, "Webster" <[email protected]<mailto:[email protected]>> wrote: Yes, the PoSH session was elevated. Icacls is also being run from an elevated command prompt. c:\>icacls.exe c:\ c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Administrators:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) BUILTIN\Users:(CI)(S,AD) BUILTIN\Users:(CI)(IO)(S,WD) CREATOR OWNER:(OI)(CI)(IO)(F) Successfully processed 1 files; Failed processing 0 files c:\> I could not get the Get-GPOReport to work so I just went into GPMC and did a backup of all GPOs into that folder and that worked. I am working with a vendor on a new version of one of their products. We can get the current version of their product to work fine in my lab but the new version refuses to run. It will install and let me configure it but the product refuses to run. The vendor wants to recreate my lab as close as they can so they wanted the GPO Reports. Guess they will have to work with the backup instead. Of course I use a PoSH script to create my lab’s AD structure and I sent them that script. I am just hoping I don’t have an intrinsic issue with my lab’s AD that is causing issues with this vendor’s software. When I attempted to see if I could recreate the issue with their new product on Server 2008 R2, GPResult reported an unknown SID for the 2008 R2 server of S-1-18-1. I found the hotfix for that, applied it to the 2008 R2 server but it made no difference in being able to run the new software. The vendor is unable to repro the issue in their lab but it is 100% reproducible in mine. I am running all 2012 R2 servers, FFL is 2012 R2 and I am also using SQL 2014 (no SP1, stand-alone SQL server, no HA). Thanks Webster From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Michael B. Smith Sent: Thursday, April 23, 2015 8:04 AM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE Notice those are all inherited rights. Notice also that UAC comes into play. Is your PowerShell session elevated? From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Webster Sent: Thursday, April 23, 2015 8:53 AM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE c:\>icacls.exe c:\gporeports c:\gporeports CREATOR OWNER:(OI)(CI)(IO)(F) LabADDomain\ctxadmin:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) BUILTIN\Administrators:(I)(OI)(CI)(F) BUILTIN\Users:(I)(OI)(CI)(RX) BUILTIN\Users:(I)(CI)(S,AD) BUILTIN\Users:(I)(CI)(S,WD) LabADDomain\ctxadmin:(I)(F) CREATOR OWNER:(I)(OI)(CI)(IO)(F) Successfully processed 1 files; Failed processing 0 files But: Windows PowerShell Copyright (C) 2014 Microsoft Corporation. All rights reserved. PS C:\Windows\system32> get-gporeport -All -ReportType HTML -Path c:\GPOReports get-gporeport : Access to the path 'c:\GPOReports' is denied. At line:1 char:1 + get-gporeport -All -ReportType HTML -Path c:\GPOReports + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [Get-GPOReport], UnauthorizedAccessException + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.GroupPolicy.Commands.GetGpoReportCommand PS C:\Windows\system32> Thanks Webster From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Michael B. Smith Sent: Thursday, April 23, 2015 7:49 AM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE What does icacls.exe say about the folder? From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Webster Sent: Thursday, April 23, 2015 8:44 AM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] trying to find a thread about missing account(s) on drive/folder ACE I have run into an issue in my lab where I can create a folder but cannot create any files in the folder after the folder is created. I thought I remembered a thread on this list earlier this year about a similar issue and it was a missing account that needed to be added back. I can’t find that thread. My lab is 2 2012R2 DCs and FFL of 2012 R2. All my servers are 2012 R2. Thanks Webster
