Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Owner is in Administrators group, but can't administrate


  • Please log in to reply
19 replies to this topic

#1 rtxx

rtxx

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 25 September 2010 - 07:53 PM

While in the Owner account of my XP Pro SP3 computer, I was messing around with file/folder/hard disk NTFS permissions. Out of ignorance I did SOMETHING that is now keeping the Owner from doing anything that is restricted to administrators. As Owner, I can't even start a new text file on the desktop, let alone make other changes. What I did that probably led to this was change hard drive ownership (from Administrators to Owner) and change various permissions for the file system.

There is another admin account where I can go in and make changes, but nothing I have done restores the Owner. I must be missing something obvious -which is expected, since I'm a beginner at this. I hope so, since then it might still be an easy fix
Owner is definitely in the Administrators group. System restore didn't fix it. I've gone through the file system, setting permissions as they are on my other XP computer, but it didn't fix it. I don't want to use the Security Configuration and Analysis tool to restore everything according to a standard template if I can avoid it (since the templates are different from how I want it), but I've used this tool to do an analysis, and then went through making corrections to everything that was highlighted except the registry (so I went all through the Policies, Restricted Groups, System Services, and File System entries displayed in the results of the Analysis). At the same time I added permissions for Owner (full control) to many of those highlighted entries. Didn't fix it.

I do have a backup image of the hard drive I can revert to, but that is from several days ago, and I have done EXTENSIVE rearranging of files and installed some new programs since then, so I want to avoid going back to that if I possibly can. (The thing is, I have moved files around between 3 different computers, so I'd have to probably restore all 3 computers and then do all the re-arranging and installing all over again.) But I can if I have to.

(It all started because I was trying to figure out why another computer in the workgroup could see files on this computer for which they did not have permission- still haven't figured that one out.)

Thanks!

Edited by rtxx, 25 September 2010 - 07:54 PM.


BC AdBot (Login to Remove)

 


#2 hamluis

hamluis

    Moderator


  • Moderator
  • 56,131 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:11:52 AM

Posted 25 September 2010 - 08:30 PM

If you want to restore the default permissions in XP Pro, Look Here. See Resetting the Registry and File Permissions.

Louis

#3 Gabrial

Gabrial

  • Members
  • 468 posts
  • OFFLINE
  •  
  • Local time:11:52 AM

Posted 25 September 2010 - 09:45 PM

Interesting hamluis. You should note that the difference between the two methods.

The secedit.exe method restores only the registry keys and filesystem permissions that were created when windows was initially set up. This won't give access to areas that aren't created when windows installation is done, such as a user profile.

The subinacl.exe method will grant the administrators and system groups full permissions to every file and folder on your system drive and every key in the HLKM, HKU, and HCR hives. This may not be desired as it gives Administrators access to areas they normally wouldn't, such as the System Volume Information folder which contains the system restore points and such.

Edit: If you're using XP Pro, I'd try the secedit solution first as it's quicker and less invasive. If your problem isn't resolved then try the subinacl method. It will take MUCH longer to complete.

Edited by Gabrial, 25 September 2010 - 09:47 PM.


#4 rtxx

rtxx
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 26 September 2010 - 05:49 PM

Thanks for the suggestions

I'd rather not use a sledgehammer if I can avoid it, would rather narrow down the range of things to make changes to. You're right, I don't need to be giving out full control of SAM etc.
Can anyone suggest specific items I should look into that would cause this behavior, preventing a specific Owner account from e.g. changing the desktop or accessing the Local Security Policy, even though the Owner is listed as having full permissions?

Two big clues:
1) the owner IS listed in the administrators group, and can do some administrator tasks. And other administrator accounts function properly.
1.1) also, the owner is also now specifically added to security rights of most files and folders with full control permission. Unless I missed something important...
2) System restore didn't fix it, which suggests to me it's not a registry issue (right?).


So what ever sledgehammer I use, it seems I don't need to use it on the registry, correct?
For instance, if I use the SubinACL method from here
http://www.winhelponline.com/blog/reset-th...-in-windows-xp/
I assume can use the reset.cmd batch file without the 3 lines referring to the registry?
(I suppose I can limit what secedit does, but I haven't yet looked into it to see what command to use, because instead I tried the less invasive Security Configuration and Analysis tool)

Can the likely issues be narrowed down any further?

As mentioned in the original post, I prefer to avoid using the default Security Templates since they differ in some details from the settings I want. Again, if possible it would be better to narrow down the things I am changing. With that in mind, rather than use SECEDIT.EXE, isn't it reasonable to use the Security Configuration and Analysis tool described here
http://www.microsoft.com/resources/documen...e.mspx?mfr=true
and just run an ANALYSIS, then change specific items that are highlighted as having inappropriate settings?
Well, that's what I did (focusing on the file system issues rather than the registry, and setting the permissions to be similar to what is given for the same folder in my other XP computer), and again it didn't fix the problem. or maybe I just didn't do it right. What else could be the problem?

Is it correct that any changes made by secedit or subinacls [excepting changes made to the file system] can be reversed by a system restore? If so, since a restore didn't fix it, that again suggests focusing specifically on the file system when using those tools, right?

#5 Gabrial

Gabrial

  • Members
  • 468 posts
  • OFFLINE
  •  
  • Local time:11:52 AM

Posted 26 September 2010 - 05:59 PM

Well, for starters, what are the file permissions on the desktop?

can you post the output of:

cd %USERPROFILE%
cacls.exe Desktop

Edited by Gabrial, 26 September 2010 - 06:00 PM.


#6 rtxx

rtxx
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 26 September 2010 - 06:21 PM

Owner has full control indicated in 'effective permissions'

output of cacls.exe Desktop:
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)(IO)(special access:)

DELETE
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES

AQ\Owner:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F

#7 rtxx

rtxx
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 26 September 2010 - 06:23 PM

WTF? I can't even use MS Office any more, which was installed on the computer by previous owner, and I don't have the disks.

#8 Gabrial

Gabrial

  • Members
  • 468 posts
  • OFFLINE
  •  
  • Local time:11:52 AM

Posted 26 September 2010 - 06:28 PM

So did you change ownership of the file to another account?

#9 rtxx

rtxx
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 26 September 2010 - 07:17 PM

Good catch, Gabrial. I've been paying more attention to permissions than to ownership, and up to your comment I had ownership of Owner's documents and settings listed under 'Administrators' . So I've now changed it so that Owner has taken ownership of all subfolders of C:\Documents and Settings\Owner.
However, that doesn't fix the problem.

#10 Gabrial

Gabrial

  • Members
  • 468 posts
  • OFFLINE
  •  
  • Local time:11:52 AM

Posted 26 September 2010 - 07:41 PM

Do you have access to a reference machine and check to see who the Owner should be in the profile directory? I'm on a FAT32 box or I'd check for you.

Edit: Also, if you can get access to an XP Pro, or a Win2k box you can copy the secedit.exe from the other system (it's called secedit32.exe on win2k) and use it to restore the default registry permissions only, by use of the additional command line option:

/areas REGKEYS

That way you can make sure your registry settings are permissive enough.

Edited by Gabrial, 26 September 2010 - 07:45 PM.


#11 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:04:52 PM

Posted 26 September 2010 - 10:04 PM

On Windows XP there are 2 accounts generated one is the True Administrator created at install, and one user created at post install. The post install account will be part of the administrator group by default, but will be limited on what that account can do and cannot do.

That could explain why you are seeing owner part of the administrator group. If you need to change the permissions you will need to log into the true administrator account, and change up the permissions that way.

Do you know what you did prior to encountering this issue?

What tool did you mess with when experimenting with the permissions?

#12 rtxx

rtxx
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 27 September 2010 - 12:37 PM

Cryptodan, the Builtin administrator IS available and I HAVE been using it to change settings to the Owner account. The problem is that I haven't yet come across the setting that fixes the issue. The Owner in this case is SUPPOSED to be an administrator. What I'm trying to find out is why is the Owner, despite being an admin, suddenly unable to do things that any administrator can do, and that the Owner used to be able to do?

Unfortunately I don't remember exactly all that I did to cause this, probably changed several settings that didn't have an effect until I rebooted. Right after it happened I probably thought I would never forget it, but then each thing I tried in order to set it back never worked, and my memory of just before it happened is not clear any more. However I was using Windows Explorer, nothing else, to mess with ownership and permissions. I did set ownership of c:\ )(including Subcontainers & Objects) to be Owner instead of Administrators. However I have set that back to Administrators including Subcontainers & Objects), and now have Owner's docs & settings specifically owned by Owner. Are there other folders /files that Owner needs to own?


Gabrial, yes I do have a 2nd XP SP3 in the workgroup, and I have been using it as a template to manually change permissions etc on the damaged machine so that they match the 2nd XP. I haven't looked at every folder, just the ones I thought were important or were highlighted as MISMATCHED by the Security Configuration and Analysis tool. And as mentioned in an earlier post, after I set ownership of all files to Administrators I forgot to set the Owner's documents & settings folders to Owner, until you reminded me (but that hasn't fixed the problem).

Thanks for pointing out usage of secedit for an area at a time. So you don't agree with my logic that it's probably NOT an issue with the registry but with the file system (AKA /areas FILESTORE)? Or were you just pointing out /areas REGKEYS as an example of how areas can be addressed one at a time?

I've tried using secedit /analyze /db FileName [/cfg FileName] , but the result was a help screen, which I guess means I made a syntax error. I haven't taken time yet to see what error I may have made (still a newbie).

I still question why secedit would work better than the Security Configuration and Analysis tool described here
http://www.microsoft.com/resources/documen...e.mspx?mfr=true
since they both compare current settings against the SAME default templates (which are not specifically adapted to my setup). (I do compare what is highlighted on the broken computer with the same settings on my other XP, and usually the two are identical, meaning the default template *IS DIFFERENT* from the original state of the computer.) I have compared against both Setup security.inf and Compatws.inf templates.
If I make global changes then I'll probably have to reset some of them. Makes more sense to me to have the tool highlight MISMATCHES and then manually check one by one to see if the mismatched item in fact matches the same item on the 2nd XP computer.
It seems to me that the main advantage of using secedit to make global changes according to the template is IN CASE I omitted something important when going through it manually -which I admit is possible.


But SINCE a system restore (to two days before the issue) doesn't fix it, doesn't that mean we can rule out an issue with USER_RIGHTS, REGKEYS, & probably SERVICES? So whether I use secedit or the Security Configuration and Analysis tool to make global changes, I should only need to run it on the file system? I think this is an important clue, and an important question. I don't know the specifics of what is covered /not covered by a system restore, but I see it includes the Local User Profile as well as the registry.

#13 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:04:52 PM

Posted 27 September 2010 - 12:41 PM

Can you create a new administrative account and see if it exhibits the same issues as the Owner account?

#14 Gabrial

Gabrial

  • Members
  • 468 posts
  • OFFLINE
  •  
  • Local time:11:52 AM

Posted 27 September 2010 - 12:45 PM

Secedit has alot of limitations actually. I'm not familiar with the Security Configuration and Analysis tool you are working with, and since I'm not a FAT32 system playing with it isn't probably going to do alot to educate myself on it right now.

But, let me ask you this, can you export a template from the known working system and use the tool to compare your faulty system to that template?

And, yes, we are likely looking at a filesystem permissions/ownership issue.

#15 rtxx

rtxx
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:52 AM

Posted 27 September 2010 - 01:19 PM

Cryptodan, there is another admin account aside from Builtin admin & Owner, and it is not compromised. The problem is specific to Owner.

Gabrial, why import? The compromised computer has all the default templates, dated 2004 except for setup security.inf (specific to the machine as built) dated 2006. The 2nd XP has the same templates dated 2003. There's no reason to think the templates on the damaged computer are corrupted, right?

After I back the computer up again, I'll run secedit as described here
http://www.winhelponline.com/blog/reset-th...-in-windows-xp/
but with /areas FILESTORE
Hopefully that'll do it. We'll see.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users