RE: Access denied to local computer, even as ADMIN !! 2005-07-07 - By Ken Schaefer
"Trust this server for delegation" does not have anything, per se, to do with
SeImpersonateUser privilege.
Be careful about advising people to relax security settings on their servers,
especially when we don't know the root cause of the issue at hand.
Or are you saying that you logged onto your Windows 2000 DC, and attempted to
use the IIS Manager and got the same Access Denied error message? If so, I
apologise, but I'm surprised by the relationship between these settings and
the issue at hand.
Cheers
Ken
--
www.adOpenStatic.com/cs/blogs/ken/
: -----Original Message-----
: From: Tim Curtin [mailto:tjc_tek@(protected)]
: Sent: Friday, 8 July 2005 4:39 AM
: To: aspnet-admin@(protected)
: Subject: [aspnet-admin] RE: Access denied to local computer, even as ADMIN
: !!
:
: if you're using win2000 SP4 with Active Directory, I just had this
: problem.
: Also, make sure 'Trust this server for Delegation' is turned on in AD.
:
: SP4 removes IWAM impersonation priviledges.
:
: Here's the steps to correct:
: http://support.microsoft.com/kb/824308/EN-US/
:
: Tim
:
: >From: "Scott Forsyth" <scottnewsgroups@(protected)>
: >Reply-To: aspnet-admin@(protected)
: >To: aspnet-admin@(protected)
: >Subject: [aspnet-admin] RE: Access denied to local computer, even as
: ADMIN
: >!!
: >Date: Thu, 7 Jul 2005 02:24:15 -0400
: >
: >>I realise that the metabase has it's own permissions, but does the
: >>metabase
: >>respect a user having the seTakeOwnership permission? (I noticed that
: keys
: >>within the metabase do have an owner property).
: >
: >I couldn't say for sure. The metabase inheritance and ownership
: functions
: >a bit different than NTFS does so I assume that it has it's own way of
: >doing things and doesn't rely on the NT rights / events / methods.
: >
: >
: >Scott Forsyth
: >Microsoft MVP - ASP/ASP.NET
: >ASPInsider Member - MCP
: >
: >http://www.orcsweb.com/
: >Powerful Web Hosting Solutions
: >#1 in Service and Support
: >
: >
: >----- Original Message ----- From: "Ken Schaefer" <Ken@(protected)>
: >To: <aspnet-admin@(protected)>
: >Sent: Tuesday, July 05, 2005 7:01 PM
: >Subject: [aspnet-admin] RE: Access denied to local computer, even as
: ADMIN
: >!!
: >
: >
: >I realise that the metabase has it's own permissions, but does the
: metabase
: >respect a user having the seTakeOwnership permission? (I noticed that
: keys
: >within the metabase do have an owner property).
: >
: >Alternatively, running that script via a scheduled task (and using the
: >at.exe
: >command to schedule the task) would mean that the script could run as
: >LocalSystem (which presumably still has permissions to the metabase if
: IIS
: >is
: >running)
: >
: >Cheers
: >Ken
: >
: >--
: >www.adOpenStatic.com/cs/blogs/ken/
: >
: >: -----Original Message-----
: >: From: Scott Forsyth [mailto:scottnewsgroups@(protected)]
: >: Sent: Wednesday, 6 July 2005 12:29 AM
: >: To: aspnet-admin@(protected)
: >: Subject: [aspnet-admin] RE: Access denied to local computer, even as
: >ADMIN
: >: !!
: >:
: >: > AFAIK, the metabase doesn't obey NT rights (such as SeTcbPrivilege or
: >: SeTakeOwnershipPrivilege), but maybe it does.
: >:
: >: That's correct, the metabase has its own set of permissions that are
: >: stored
: >: in the metabase directly. If a setting is set on a particular node, it
: >: will
: >: not inherit from the root.
: >:
: >: Metabase explorer is probably the best bet. A command line option is
: >: metaacl.vbs.
: >:
: >: Darren, what would have changed to cause this? It's pretty (actually
: >: 'really') uncommon for someone to be locked out like this. Did you or
: >: another administrator do something that would have changed these
: >settings?
: >:
: >:
: >: Scott Forsyth
: >: Microsoft MVP - ASP/ASP.NET
: >: ASPInsider Member - MCP
: >:
: >: http://www.orcsweb.com/
: >: Powerful Web Hosting Solutions
: >: #1 in Service and Support
: >:
: >:
: >: ----- Original Message -----
: >: From: "Ken Schaefer" <Ken@(protected)>
: >: To: <aspnet-admin@(protected)>
: >: Sent: Tuesday, July 05, 2005 9:29 AM
: >: Subject: [aspnet-admin] RE: Access denied to local computer, even as
: >ADMIN
: >: !!
: >:
: >:
: >: AFAIK, the metabase doesn't obey NT rights (such as SeTcbPrivilege or
: >: SeTakeOwnershipPrivilege), but maybe it does.
: >:
: >: My suggestion: download Metabase Explorer (part of the IIS6.0 Resource
: >: Kit,
: >: but it works with IIS5.1 as well) [1]. Right-click on the root-node and
: >: choose "Permissions". If Administrators group is not listed, attempt to
: >: add
: >: it. If you can't add it, go to the Owner tab, and seize ownership of
: the
: >: entire heirachy, then do the preceeding step.
: >:
: >: If the metabase permissions actually honour the NT rights, then ensure
: >: (via
: >: the Local Security Policy) that your Admin account has "Take Ownership
: >: Privileges) [2]
: >:
: >: Cheers
: >: Ken
: >:
: >: [1]
: >: http://www.microsoft.com/downloads/details.aspx?FamilyIDVfc92ee-a71a-
: >: 4c73-b
: >: 628-ade629c89499&DisplayLang=en
: >: [2] Start -> Run -> secpol.msc -> User Rights Assignment node
: >:
: >: --
: >: www.adOpenStatic.com/cs/blogs/ken/
: >:
: >: : -----Original Message-----
: >: : From: Darren Logan [mailto:Darrenl@(protected)]
: >: : Sent: Tuesday, 5 July 2005 11:06 PM
: >: : To: aspnet-admin@(protected)
: >: : Subject: [aspnet-admin] RE: Access denied to local computer, even as
: >: ADMIN
: >: : !!
: >: :
: >: : Hi Ken,
: >: :
: >: : Thanks for this... BUT HOW?
: >: :
: >: : Vbr,
: >: : Darren
: >: :
: >: : -----Original Message-----
: >: : From: Ken Schaefer [mailto:Ken@(protected)]
: >: : Sent: 05 July 2005 14:03
: >: : To: aspnet-admin@(protected)
: >: : Subject: [aspnet-admin] RE: Access denied to local computer, even as
: >: : ADMIN !!
: >: :
: >: :
: >: : Even when you are an administrator, ACLs (Access Control Lists) can
: be
: >: : configured to deny access to administrators. It's just that, by
: >default,
: >: : administrators have access to most things. However, that doesn't stop
: >: the
: >: : default ACLs being modified.
: >: :
: >: : As a general rule however, Administrators can take ownership of most
: >: : resources (which, in turn gives them permission to alter the ACLs,
: >given
: >: : them
: >: : access to the resource in question).
: >: :
: >: : It seems that the Administrator account doesn't have permissions to
: >keys
: >: : in
: >: : the IIS metabase. You may need to reset the permissions on those
: keys.
: >: :
: >: : Cheers
: >: : Ken
: >: :
: >: : --
: >: : www.adOpenStatic.com/cs/blogs/ken/
: >: :
: >: : : -----Original Message-----
: >: : : From: Darren Logan [mailto:Darrenl@(protected)]
: >: : : Sent: Tuesday, 5 July 2005 8:19 PM
: >: : : To: aspnet-admin@(protected)
: >: : : Subject: [aspnet-admin] Access denied to local computer, even as
: >ADMIN
: >: : !!
: >: : :
: >: : : Hi,
: >: : :
: >: : : I have a SBC running Windows XP Embedded with IIS5.1
: >: : :
: >: : : I log on as administrator, yet when i click to expand "Local
: >computer"
: >: : in
: >: : : internet information services, i get a message thus "You have been
: >: : denied
: >: : : access to this machine".
: >: : :
: >: : : Errmmmm, what's that all about?
: >: : :
: >: : : This is very frustrating.. do i need to re-install windows XPE do
: you
: >: : : think?
: >: : :
: >: : : How do i access user account settings to ensure access permissions
: >are
: >: : : setup correctly etc.?
: >: : :
: >: : :
: >: : : Best regards
: >: : : Darren Logan BSc(Hons)
: >: : : Development Engineer
: >: : : ________________________________________________________________
: >: : :
: >: : : MICHELL INSTRUMENTS LTD Tel: +44 (0)1223 434 854
: >: : : Nuffield Close Fax: +44 (0)1223 434 895
: >: : : Cambridge e-mail: darrenl@(protected)
: >: : : CB4 1SS, UK web: www.michell-instruments.com
: >: : :
: >: : : UKAS accredited: 0179 * BS EN ISO9001:2000 registered: Q6284 *
: >: : : Member BCAS * Investor in People
: >: : :
: >: : : --------------------------------- Dew point specialists -----------
: -
: >: : : ---------------------
: >: : :
: >: : : This communication contains information which is confidential and
: may
: >: : also
: >: : : be privileged. It
: >: : : is for the exclusive use of the intended recipient(s). If you are
: not
: >: : the
: >: : : intended recipient(s),
: >: : : please note that any distribution, copying or use of this
: >: communication
: >: : or
: >: : : the information in
: >: : : it is strictly prohibited. If you have received this communication
: in
: >: : : error, please notify the
: >: : : sender immediately and then destroy any copies of it.
: >: : :
: >: : :
: >: : :
: >: : :
: >: : :
: >: : : Need SQL Advice? http://sqladvice.com
: >: : : Need RegEx Advice? http://regexadvice.com
: >: : : Need XML Advice? http://xmladvice.com
: >: :
: >: : Need SQL Advice? http://sqladvice.com
: >: : Need RegEx Advice? http://regexadvice.com
: >: : Need XML Advice? http://xmladvice.com
: >: :
: >: :
: >: : Need SQL Advice? http://sqladvice.com
: >: : Need RegEx Advice? http://regexadvice.com
: >: : Need XML Advice? http://xmladvice.com
: >:
: >: Need SQL Advice? http://sqladvice.com
: >: Need RegEx Advice? http://regexadvice.com
: >: Need XML Advice? http://xmladvice.com
: >:
: >:
: >:
: >: Need SQL Advice? http://sqladvice.com
: >: Need RegEx Advice? http://regexadvice.com
: >: Need XML Advice? http://xmladvice.com
: >
: >Need SQL Advice? http://sqladvice.com
: >Need RegEx Advice? http://regexadvice.com
: >Need XML Advice? http://xmladvice.com
: >
: >
: >
: >Need SQL Advice? http://sqladvice.com
: >Need RegEx Advice? http://regexadvice.com
: >Need XML Advice? http://xmladvice.com
:
:
:
:
: Need SQL Advice? http://sqladvice.com
: Need RegEx Advice? http://regexadvice.com
: Need XML Advice? http://xmladvice.com
Need SQL Advice? http://sqladvice.com
Need RegEx Advice? http://regexadvice.com
Need XML Advice? http://xmladvice.com
|
|
