| Author |
Message |
Jan
Guest
|
 Posted:
Mon Dec 13, 2004 4:39 pm Post subject:
Routing and Remote Access |
|
|
A while ago whe had a security audit on our windows servers. As a result of
that my collegue applied a lot of changes in the Group Polcies. Today I
found out that some of these changes affect Routing and Remote access. When
I start the management console for RAS I get an error "access denied". My
collegue doesn't know which of the changes he made affect RAS. I think it
has something to do with the local security policy. Can someone help me? If
you need more info, tell me! |
|
| Back to top |
|
 |
S. Pidgorny
Guest
|
| Posted:
Mon Dec 13, 2004 5:47 pm Post subject:
Re: Routing and Remote Access |
|
|
Local security policy has changed as a result of the domain changes. Can yu
elaborate on "Access denied" - is it for MMC snap-in or anything else? The
way to check is to start mmc.exe and add Routing and Remote Access snap-in.
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"Jan" <bril@ja.nt> wrote in message
news:ewhbJAQ4EHA.3840@tk2msftngp13.phx.gbl...
| Quote: | A while ago whe had a security audit on our windows servers. As a result
of
that my collegue applied a lot of changes in the Group Polcies. Today I
found out that some of these changes affect Routing and Remote access.
When
I start the management console for RAS I get an error "access denied". My
collegue doesn't know which of the changes he made affect RAS. I think it
has something to do with the local security policy. Can someone help me?
If
you need more info, tell me!
|
|
|
| Back to top |
|
|
Jan
Guest
|
| Posted:
Mon Dec 13, 2004 7:44 pm Post subject:
Re: Routing and Remote Access |
|
|
The Access denied is for the snap-in. After pressing the Ok button I can see
the server node which is green but I have no sub-nodes. Clicking on the
server node will again activate the error access denied. The server is up
and running but I access the configuration. When I delete the server and
install it through the wizard everything works fine until I start the
snap-in.
When I look at the security log I can see the following error:
===========================================================
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 13-12-2004
Time: 11:37:13
User: VSH-GROUP\admin
Computer: PRG2
Description:
Object Open:
Object Server: Security
Object Type: Event
Object Name: \BaseNamedObjects\crypt32LogoffEvent
Handle ID: -
Operation ID: {0,671453}
Process ID: 2720
Image File Name: C:\WINDOWS\system32\mmc.exe
Primary User Name: admin
Primary Domain: VSH-GROUP
Primary Logon ID: (0x0,0x10161)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
Query event state
Modify event state
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x1F0003
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
===========================================================
I hope this info is usefull.
Regards
Jan
"S. Pidgorny <MVP>" <slavickp@yahoo.com> schreef in bericht
news:%23ukKSmQ4EHA.936@TK2MSFTNGP12.phx.gbl...
| Quote: | Local security policy has changed as a result of the domain changes. Can
yu
elaborate on "Access denied" - is it for MMC snap-in or anything else? The
way to check is to start mmc.exe and add Routing and Remote Access
snap-in.
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"Jan" <bril@ja.nt> wrote in message
news:ewhbJAQ4EHA.3840@tk2msftngp13.phx.gbl...
A while ago whe had a security audit on our windows servers. As a result
of
that my collegue applied a lot of changes in the Group Polcies. Today I
found out that some of these changes affect Routing and Remote access.
When
I start the management console for RAS I get an error "access denied". My
collegue doesn't know which of the changes he made affect RAS. I think it
has something to do with the local security policy. Can someone help me?
If
you need more info, tell me!
|
|
|
| Back to top |
|
|
Steven L Umbach
Guest
|
| Posted:
Tue Dec 14, 2004 9:08 am Post subject:
Re: Routing and Remote Access |
|
|
Doesn't know what changes? - Yikes.
First thing I would try is to logon to the server as local administrator
[not domain users] assuming it is not a domain controller. If that works,
then you have some user configuration Group Policy applied to you from the
domain/OU. If it still does not work, it could be a Local Group Policy
setting via gpedit.msc. Using the gpresult user tool will show what Group
Policies are applied to a user and computer and the last time the policy was
applied. The /v switch will give much more detail. If you are using Windows
2003 or have an XP Pro computer in a W2K domain you can use the Group Policy
management Console and RSOP in the logging mode to find exactly what policy
settings are applying to a user on a particular computer and the source GPO.
You can download GPMC at the link below if you are not using it already. All
or particular Management Consoles can be denied to a domain user and that
also can apply to domain administrators if the GPO applies to all users.
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
Also check that you have property ntfs permissions to the mmc.exe file. As
far as security policy if you are having problem accessing a Remote Access
server while logged onto it you may be lacking privileges. You can enable
auditing of privileges for failure on the server itself and view the
security log for failure for privilege use. You can modify user right
assignments in the appropriate security policy under security settings/local
policies/user rights. If you can not access a remote server from the Remote
Access Management Console it could be an incompatible security option and/or
lack of privilege. If still having difficulties use the Security
Configuration and Analysis mmc snapin on the Remote Access Server and run it
against the setup security.inf template to see where the local applied
policy settings differs from the setup security.inf . In particular look at
user rights, security options [ additional restrictions for anonymous
connections, lan manger authentication level, or any setting with "always"
in it and enabled are possibly very suspect] , and services as differences
in those categories could be your problem. Also verify that the remote
registry service is running on your Remote Access servers. --- Steve
"Jan" <bril@ja.nt> wrote in message
news:ewhbJAQ4EHA.3840@tk2msftngp13.phx.gbl...
| Quote: | A while ago whe had a security audit on our windows servers. As a result of
that my collegue applied a lot of changes in the Group Polcies. Today I
found out that some of these changes affect Routing and Remote access. When
I start the management console for RAS I get an error "access denied". My
collegue doesn't know which of the changes he made affect RAS. I think it
has something to do with the local security policy. Can someone help me? If
you need more info, tell me!
|
|
|
| Back to top |
|
|
Jan
Guest
|
| Posted:
Tue Dec 14, 2004 2:28 pm Post subject:
Re: Routing and Remote Access |
|
|
Thanks for the input! I have enough options to check. I hope it will solve
the problem.
Regards
Jan
"Steven L Umbach" <n9rou@nospam-comcast.net> schreef in bericht
news:eJJrPmY4EHA.2156@TK2MSFTNGP10.phx.gbl...
| Quote: | Doesn't know what changes? - Yikes.
First thing I would try is to logon to the server as local administrator
[not domain users] assuming it is not a domain controller. If that works,
then you have some user configuration Group Policy applied to you from the
domain/OU. If it still does not work, it could be a Local Group Policy
setting via gpedit.msc. Using the gpresult user tool will show what Group
Policies are applied to a user and computer and the last time the policy
was applied. The /v switch will give much more detail. If you are using
Windows 2003 or have an XP Pro computer in a W2K domain you can use the
Group Policy management Console and RSOP in the logging mode to find
exactly what policy settings are applying to a user on a particular
computer and the source GPO. You can download GPMC at the link below if
you are not using it already. All or particular Management Consoles can be
denied to a domain user and that also can apply to domain administrators
if the GPO applies to all users.
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
Also check that you have property ntfs permissions to the mmc.exe file. As
far as security policy if you are having problem accessing a Remote Access
server while logged onto it you may be lacking privileges. You can enable
auditing of privileges for failure on the server itself and view the
security log for failure for privilege use. You can modify user right
assignments in the appropriate security policy under security
settings/local policies/user rights. If you can not access a remote server
from the Remote Access Management Console it could be an incompatible
security option and/or lack of privilege. If still having difficulties use
the Security Configuration and Analysis mmc snapin on the Remote Access
Server and run it against the setup security.inf template to see where the
local applied policy settings differs from the setup security.inf . In
particular look at user rights, security options [ additional restrictions
for anonymous connections, lan manger authentication level, or any setting
with "always" in it and enabled are possibly very suspect] , and services
as differences in those categories could be your problem. Also verify that
the remote registry service is running on your Remote Access servers. ---
Steve
"Jan" <bril@ja.nt> wrote in message
news:ewhbJAQ4EHA.3840@tk2msftngp13.phx.gbl...
A while ago whe had a security audit on our windows servers. As a result
of that my collegue applied a lot of changes in the Group Polcies. Today I
found out that some of these changes affect Routing and Remote access.
When I start the management console for RAS I get an error "access
denied". My collegue doesn't know which of the changes he made affect RAS.
I think it has something to do with the local security policy. Can someone
help me? If you need more info, tell me!
|
|
|
| Back to top |
|
|
S. Pidgorny
Guest
|
| Posted:
Tue Dec 14, 2004 5:07 pm Post subject:
Re: Routing and Remote Access |
|
|
Well, this might be the effect of the MMC snap-in restriction, set through
GPO - look under Administrative Templates/Windows Components/MMC/Restricted,
if memory serves.
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"Jan" <bril@ja.nt> wrote in message
news:eY54hnR4EHA.2624@TK2MSFTNGP10.phx.gbl...
| Quote: | The Access denied is for the snap-in. After pressing the Ok button I can
see
the server node which is green but I have no sub-nodes. Clicking on the
server node will again activate the error access denied. The server is up
and running but I access the configuration. When I delete the server and
install it through the wizard everything works fine until I start the
snap-in.
When I look at the security log I can see the following error:
===========================================================
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 13-12-2004
Time: 11:37:13
User: VSH-GROUP\admin
Computer: PRG2
Description:
Object Open:
Object Server: Security
Object Type: Event
Object Name: \BaseNamedObjects\crypt32LogoffEvent
Handle ID: -
Operation ID: {0,671453}
Process ID: 2720
Image File Name: C:\WINDOWS\system32\mmc.exe
Primary User Name: admin
Primary Domain: VSH-GROUP
Primary Logon ID: (0x0,0x10161)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
Query event state
Modify event state
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x1F0003
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
===========================================================
I hope this info is usefull.
Regards
Jan
"S. Pidgorny <MVP>" <slavickp@yahoo.com> schreef in bericht
news:%23ukKSmQ4EHA.936@TK2MSFTNGP12.phx.gbl...
Local security policy has changed as a result of the domain changes. Can
yu
elaborate on "Access denied" - is it for MMC snap-in or anything else?
The
way to check is to start mmc.exe and add Routing and Remote Access
snap-in.
--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-
"Jan" <bril@ja.nt> wrote in message
news:ewhbJAQ4EHA.3840@tk2msftngp13.phx.gbl...
A while ago whe had a security audit on our windows servers. As a
result
of
that my collegue applied a lot of changes in the Group Polcies. Today I
found out that some of these changes affect Routing and Remote access.
When
I start the management console for RAS I get an error "access denied".
My
collegue doesn't know which of the changes he made affect RAS. I think
it
has something to do with the local security policy. Can someone help
me?
If
you need more info, tell me!
|
|
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in