Auth Users constantly removed from WUAUSERV security descriptor

DaveC - 24 Oct 2005 18:06 GMT
I'm trying to find out what is causing this to happen on several of my
machines (all XP/SP2).  Is there a known application or combination of
settings which causes this?  I consistently find that I have to reset the
security descriptor on the WUAUSERV service back to default (as per KB883821)
so that AU have permission to run various Windows Update applications
(including the update site, MBSA, etc...).

Appreciate any comments.  Thanks!
Roger Abell [MVP] - 25 Oct 2005 06:32 GMT
I am going to assume that you mean, as said, service ACL as set with
the referenced KB's method 2 for 0x800A0046.
If this is so, use GPMC to look at the resultant set of policy for machines
with this affliction, particularly look to see if any GPO is setting the
properties for this service (which includes startup nature and the ACL).

Signature

Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA,  MCSE W2k3+W2k+Nt4

> I'm trying to find out what is causing this to happen on several of my
> machines (all XP/SP2).  Is there a known application or combination of
[quoted text clipped - 5 lines]
>
> Appreciate any comments.  Thanks!
DaveC - 28 Oct 2005 19:02 GMT
Bingo!  Thanks Roger.  This pointed me to the answer, but unfortunately leads
to more questions if you don't mind?

OK, so we DO have a GPO which specifies that WUAUSERV should be set to
start=automatic, and the specified ACL, in SDDL, is here:

D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)

Note: That ACL above is the DEFAULT ACL supplied by GPEDIT/GPMC when you
specify to set this service to AUTOMATIC.

Once upon a time, someone in our org. had DISABLED the WUAUSERV, so we
needed to reverse that change by turning it on, and left the ACL at default.

My questions then --> Is the ACL specified in KB883821 [for WUAUSERV]
supposed to be the default??  Or is the one supplied by GPEDIT supposed to be
the default, because THEY ARE DIFFERENT, and it seems the one supplied by the
editor is not correct because AU does not have an ACE.  Not sure why AU
actually needs an ACE in this instance, but I'll get to that one later!

Thanks!
DaveC

> I am going to assume that you mean, as said, service ACL as set with
> the referenced KB's method 2 for 0x800A0046
[quoted text clipped - 12 lines]
> >
> > Appreciate any comments.  Thanks!
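
Added example, not part of the thread and not code from any poster or from Microsoft: a small Python parser that decodes the GPO-supplied SDDL string quoted above into per-trustee service rights and reports which required trustees have no allow ACE. The function names and the `required` list are assumptions made for illustration; the rights table covers only the two-letter codes, so hex masks and conditional ACEs are rejected.

```python
import re

# Service-specific meaning of the two-letter SDDL rights codes.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SID_ALIASES = {"BA": "Builtin Administrators", "SY": "Local System",
               "IU": "Interactive", "AU": "Authenticated Users"}

# SDDL string quoted in the thread (the GPO-supplied ACL for WUAUSERV).
GPO_SDDL = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)")

def parse_dacl(sddl):
    """Return a list of (ace_type, [rights], trustee) from the D: part."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, _flags, rights, _obj, _inh_obj, trustee = fields
        codes = re.findall("..", rights)
        unknown = [c for c in codes if c not in SERVICE_RIGHTS]
        if unknown or len(rights) % 2:
            raise ValueError("unrecognised rights in ACE: " + body)
        aces.append((ace_type, [SERVICE_RIGHTS[c] for c in codes], trustee))
    return aces

def missing_trustees(sddl, required):
    """Trustees in `required` that have no allow ACE in the DACL."""
    allowed = {t for kind, _r, t in parse_dacl(sddl) if kind == "A"}
    return sorted(set(required) - allowed)

if __name__ == "__main__":
    for kind, rights, trustee in parse_dacl(GPO_SDDL):
        print(kind, SID_ALIASES.get(trustee, trustee), ", ".join(rights))
    print("missing:", missing_trustees(GPO_SDDL, ["AU"]))
```

Run against the string from the thread, it lists ACEs for BA, SY and IU only and reports AU as missing, which matches the behaviour DaveC describes.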