Restoring Default Permissions to Windows NT System FilesLast reviewed: September 19, 1997Article ID: Q153094 |
|
The information in this article applies to:
SUMMARYWhen an administrator attempts to secure the Microsoft Windows NT system by changing the default Windows NT file system (NTFS) file and directory permissions set up on the <%winnt_root%> and/or the default system directories and subdirectories, some functions, such as users' ability to log on to the network, may be impaired. In extreme cases the system may blue screen on startup. If the system starts, the default permissions can be restored. If the system blue screens, the original system can be restored by installing a second copy of Windows NT.
MORE INFORMATIONThe following procedure does not work in Windows NT 4.0. For additional information, please see the following article in the Microsoft Knowledge Base:
ARTICLE-ID: Q157963 TITLE : SETACL.EXE not available in Windows NT 4.0If the System Starts Use the following procedures to restore the default permissions on the system files in the <winnt_root> and all default subdirectories. WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.
Subdirectories, which gives SYSTEM access to the entire volume,-or-
go to the system's root directory (typically, WINNT35) and give SYSTEM full control of that directory and all subdirectories. SYSTEM should always have full control of all system files.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager
autocheck autochk * After any entries, add on a separate line:
setacl /a \DosDevices\<systemdrive>:\<winnt_root>\System32\winperms.txt \DosDevices\<systemdrive>: NOTE that this added entry should all be on the same line under the autocheck entry. Here <systemdrive> is the drive that Windows NT is installed on and <winnt_root> is the Windows NT root directory on that drive. After adding the change on a typical system, the BootExecute entry looks like this while in the reged32 multi-string editor:
autocheck autochk * setacl /a \DosDevices\c:\winnt35\system32\winperms.txt \DosDevices\c:
On restart, the system will set security on the system files just as it does when converting from FAT to NTFS file systems. No Additional file security needs to be placed on the Windows NT system files if they are residing on NTFS. Any further restrictions may curtail the ability of users to log on to the individual computer or the domain. However, it is possible to restrict user access to system files. As long as the SYSTEM account has full control of all system files, user access (usually through the group EVERYONE) can be restricted. NOTE: Microsoft recommends using the default permissions for Windows NT. Changing these permissions may make it impossible for users to log on, print, access logon scripts, or gain access to other necessary functions. As with using the Registry Editor, make these changes at your own risk. Always have a recovery plan in case you need to revert to a previous setup. The MINIMUM PERMISSIONS necessary to log on (again, assuming SYSTEM has full control of the volume root and all system directories and files) are:
System_root (e.g. c:\winnt35) ------------ Everyone - READ
System_root\system32 --------------------- Everyone - READ/EXECUTE
System_root\system32\repl\import\scripts - Everyone - READ/EXECUTE
(only if your users have logon scripts)
Depending on your environment, additional permissions may be necessary.
If The System Does Not Start (Blue Screen with STOP 21A)If the administrator has modified permissions, rebooted the computer, and now receives a blue screen, then the most likely cause is that the SYSTEM account does not have adequate access to the system files and directories. To restore access:
|
Additional query words: prodnt security
© 1998 Microsoft Corporation. All rights reserved. Terms of Use. |