Damn, you beat me to it. I have seen strange stuff with UAC on before that can't be explained by other means.
Ed

On Apr 23, 2015 10:03 AM, "Michael B. Smith" <[email protected]> wrote:

> Grins/giggles – what happens if you turn off UAC?
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Webster
> *Sent:* Thursday, April 23, 2015 9:57 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE
>
> It is using the ctxadmin account which is a DA and SQL SA account. We run everything by right-click “Run as administrator”.
>
> Thanks
>
> Webster
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>] *On Behalf Of* Ed Ziots
> *Sent:* Thursday, April 23, 2015 8:44 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE
>
> Hopefully there is a debug routine that can be invoked to look at the api calls. Also is there an application account in which the application runs in that needs special or elevated privs?
>
> On Apr 23, 2015 9:40 AM, "Webster" <[email protected]> wrote:
>
> Yep, Procmon was the first thing we did to troubleshoot. They found nothing in the almost 10,000,000 lines. We have done Wireshark, Procmon, their own internal code tracing stuff, sent them every log file, trace file, dmp file and anything else I or they could think of.
>
> [I have no idea what I am saying in this next sentence] This vendor has changed the management framework their software runs under that allowed them to change their API and SDK so they can produce a “real” PowerShell implementation. They really want me to test their new PoSH stuff. For some strange reason they really want me to bless their new PoSH stuff. They also want me to have a documentation script ready for this new product when it is officially released using their new PoSH. Since I can’t get the product to run, I can’t test the new PoSH stuff.
>
> The vendor has assigned three devs to work with me to get this issue resolved. So I am really REALLY hoping it is not something in my AD that is messing things up. They are spending a lot of resources to get this found and fixed and I just hope the problem isn’t on my end.
>
> Thanks
>
> Webster
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Ed Ziots
> *Sent:* Thursday, April 23, 2015 8:23 AM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE
>
> Also turn on file auditing when running the application and look at its processing via procmon
>
> This should help debug where the issue is if it's a file permission problem
>
> Ed
>
> On Apr 23, 2015 9:19 AM, "Webster" <[email protected]> wrote:
>
> Yes, the PoSH session was elevated. Icacls is also being run from an elevated command prompt.
>
> c:\>icacls.exe c:\
> c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
>     BUILTIN\Administrators:(OI)(CI)(F)
>     BUILTIN\Users:(OI)(CI)(RX)
>     BUILTIN\Users:(CI)(S,AD)
>     BUILTIN\Users:(CI)(IO)(S,WD)
>     CREATOR OWNER:(OI)(CI)(IO)(F)
>
> Successfully processed 1 files; Failed processing 0 files
>
> c:\>
>
> I could not get the Get-GPOReport to work so I just went into GPMC and did a backup of all GPOs into that folder and that worked.
>
> I am working with a vendor on a new version of one of their products. We can get the current version of their product to work fine in my lab but the new version refuses to run. It will install and let me configure it but the product refuses to run. The vendor wants to recreate my lab as close as they can so they wanted the GPO Reports. Guess they will have to work with the backup instead. Of course I use a PoSH script to create my lab’s AD structure and I sent them that script.
>
> I am just hoping I don’t have an intrinsic issue with my lab’s AD that is causing issues with this vendor’s software. When I attempted to see if I could recreate the issue with their new product on Server 2008 R2, GPResult reported an unknown SID for the 2008 R2 server of S-1-18-1. I found the hotfix for that, applied it to the 2008 R2 server but it made no difference in being able to run the new software.
>
> The vendor is unable to repro the issue in their lab but it is 100% reproducible in mine. I am running all 2012 R2 servers, FFL is 2012 R2 and I am also using SQL 2014 (no SP1, stand-alone SQL server, no HA).
>
> Thanks
>
> Webster
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Michael B. Smith
> *Sent:* Thursday, April 23, 2015 8:04 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE
>
> Notice those are all inherited rights.
>
> Notice also that UAC comes into play.
>
> Is your PowerShell session elevated?
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>] *On Behalf Of* Webster
> *Sent:* Thursday, April 23, 2015 8:53 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE
>
> c:\>icacls.exe c:\gporeports
> c:\gporeports CREATOR OWNER:(OI)(CI)(IO)(F)
>     LabADDomain\ctxadmin:(OI)(CI)(F)
>     BUILTIN\Users:(OI)(CI)(F)
>     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
>     BUILTIN\Administrators:(I)(OI)(CI)(F)
>     BUILTIN\Users:(I)(OI)(CI)(RX)
>     BUILTIN\Users:(I)(CI)(S,AD)
>     BUILTIN\Users:(I)(CI)(S,WD)
>     LabADDomain\ctxadmin:(I)(F)
>     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
>
> Successfully processed 1 files; Failed processing 0 files
>
> But:
>
> Windows PowerShell
> Copyright (C) 2014 Microsoft Corporation. All rights reserved.
>
> PS C:\Windows\system32> get-gporeport -All -ReportType HTML -Path c:\GPOReports
> get-gporeport : Access to the path 'c:\GPOReports' is denied.
> At line:1 char:1
> + get-gporeport -All -ReportType HTML -Path c:\GPOReports
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> + CategoryInfo : NotSpecified: (:) [Get-GPOReport], UnauthorizedAccessException
> + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.GroupPolicy.Commands.GetGpoReportCommand
>
> PS C:\Windows\system32>
>
> Thanks
>
> Webster
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>] *On Behalf Of* Michael B. Smith
> *Sent:* Thursday, April 23, 2015 7:49 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE
>
> What does icacls.exe say about the folder?
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>] *On Behalf Of* Webster
> *Sent:* Thursday, April 23, 2015 8:44 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] trying to find a thread about missing account(s) on drive/folder ACE
>
> I have run into an issue in my lab where I can create a folder but cannot create any files in the folder after the folder is created. I thought I remembered a thread on this list earlier this year about a similar issue and it was a missing account that needed to be added back. I can’t find that thread.
>
> My lab is 2 2012R2 DCs and FFL of 2012 R2. All my servers are 2012 R2.
>
> Thanks
>
> Webster
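
Added example, not part of the original thread: a small Python reader for the icacls listings quoted above that reports whether "create files" (WD) and "create folders" (AD) apply on the folder itself, for an elevated token and for a UAC-filtered one. Assumptions: only allow entries are modelled (the listings show no deny entries), group membership is given as plain names, and `parse_icacls`, `can_create` and the two token sets are names made up for this example.

```python
import re

INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Simple rights that include create-file (WD) and create-folder (AD).
EXPANDS = {"F": {"WD", "AD"}, "M": {"WD", "AD"}, "W": {"WD", "AD"}}

def parse_icacls(text, path):
    """Parse icacls output for one path into (principal, flags, rights) tuples."""
    aces = []
    for line in text.splitlines():
        if ":(" not in line:
            continue  # blank lines and the "Successfully processed" summary
        who, _, spec = line.strip().rpartition(":")
        if who.lower().startswith(path.lower()):
            who = who[len(path):]  # first line carries the path before the principal
        groups = re.findall(r"\(([^)]*)\)", spec)
        flags = {g for g in groups if g in INHERIT_FLAGS}
        rights = set()
        for g in groups:
            if g not in INHERIT_FLAGS:
                for r in g.split(","):
                    rights |= EXPANDS.get(r, {r})
        aces.append((who.strip(), flags, rights))
    return aces

def can_create(aces, token_groups):
    """Create rights that apply on the folder itself for the given token."""
    granted = set()
    for who, flags, rights in aces:
        # Inherit-only (IO) entries affect children, not this folder.
        if who in token_groups and "IO" not in flags:
            granted |= rights & {"WD", "AD"}
    return {"files": "WD" in granted, "folders": "AD" in granted}

# Constructed input: the c:\ listing as quoted in the thread.
ROOT = r"""c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(RX)
BUILTIN\Users:(CI)(S,AD)
BUILTIN\Users:(CI)(IO)(S,WD)
CREATOR OWNER:(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files"""

# Constructed token sets: with UAC on, a non-elevated admin token holds
# Administrators as deny-only, so that allow entry cannot grant access.
FILTERED = {"LabADDomain\\ctxadmin", "BUILTIN\\Users"}
ELEVATED = FILTERED | {"BUILTIN\\Administrators"}

if __name__ == "__main__":
    aces = parse_icacls(ROOT, "c:\\")
    print("filtered:", can_create(aces, FILTERED))
    print("elevated:", can_create(aces, ELEVATED))
```

Fed the c:\gporeports listing from the thread, the same functions report both rights granted for either token, since that folder carries explicit LabADDomain\ctxadmin and BUILTIN\Users full-control entries.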
