Microsoft Windows Vista Community Forums - Vistaheads
Recommended Download



Welcome to the Microsoft Windows Vista Community Forums - Vistaheads, YOUR Largest Resource for Windows Vista related information.

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so , join our community today!

If you have any problems with the registration process or your account login, please contact us.

Driver Scanner

Need help getting permissions used by removed default trustee

microsoft.public.windows.vista.administration accounts passwords






Speedup My PC
Reply
  #1 (permalink)  
Old 03-25-2007
Paul Randall
 

Posts: n/a
Need help getting permissions used by removed default trustee
Hi,
(forgot to include subject on previous post)
I'm not sure what group to post this in, so please let me know of a better
place.
I did not post to Microsoft's WMI newsgroup because it is used so little.

I'm trying to understand and optimize my new Vista computer. All I have
done with it so far is boot up the preinstalled Vista Home Basic, and
explored some of its features and non-features (like lack of built-in fax
capability).

On a separate WXPPro-Sp2 system, my WMI service has failed. So I downloaded
Microsoft's WMI Diagnosis Utility -- Version 2.0 from
http://www.microsoft.com/downloads/d...displaylang=en

On my WXP system WmiDiag.vbs showed many problems, which I am trying to
resolve.
I ran WmiDiag.vbs on my new Vista system, expecting no errors, but expecting
to see how it works on a good system. In the summary section of the output,
I get:
(0) ** 32 error(s) 0x80041003 - (WBEM_E_ACCESS_DENIED) Current user does not
have permission to perform the action
(0) ** => This error is typically due to insufficient or restricted
permissions in the examined system.
(0) ** => ENSURE you are a Full Administrator of the examined system, if the
WMI provider or the
(0) ** WMI system security do not enforce any restrictions.

Well, of course I'm the only admistrator of the system, so I assume (silly
me) that I am the 'Full Administrator'.

In the details section of the output, I see things like:
(0) ** WMI namespace security for 'Root':
.................................................. .................................
MODIFIED.
(1) !! ERROR: Default trustee 'BUILTIN\ADMINISTRATORS' has been REMOVED!
(0) ** - REMOVED ACE:
(0) ** ACEType: &h0
(0) ** ACCESS_ALLOWED_ACE_TYPE
(0) ** ACEFlags: &h12
(0) ** CONTAINER_INHERIT_ACE
(0) ** INHERITED_ACE
(0) ** ACEMask: &h6003F
(0) ** WBEM_ENABLE
(0) ** WBEM_METHOD_EXECUTE
(0) ** WBEM_FULL_WRITE_REP
(0) ** WBEM_PARTIAL_WRITE_REP
(0) ** WBEM_WRITE_PROVIDER
(0) ** WBEM_REMOTE_ACCESS
(0) ** WBEM_WRITE_DAC
(0) ** WBEM_READ_CONTROL
(0) **
(0) ** => The REMOVED ACE was part of the DEFAULT setup for the trustee.
(0) ** Removing default security will cause some operations to fail!
(0) ** It is possible to fix this issue by editing the security
descriptor and adding the ACE.
(0) ** For WMI namespaces, this can be done with 'WMIMGMT.MSC'.

I get the feeling that during the initial boot/setup process, the Default
trustee 'BUILTIN\ADMINISTRATORS' was created and did some stuff, and was
then deleted before I got control of the computer, and that the trustee had
credentials over some things that I, as the sole owner and user of the
computer, do not currently have.

Question 1: Is it possible to give myself, the only administrator, full
control over everything on my computer, including what this defunct trustee
had, and if so, how? I'd prefer a VBScript way, but any help would be
appreciated.

Question 2: Where can I read up on this stuff? URLs greatly appreciated.

Thanks for any help you can give me.

-Paul Randall


Reply With Quote
Sponsored Links
  #2 (permalink)  
Old 03-25-2007
Tom
 

Posts: n/a
Re: Need help getting permissions used by removed default trustee
To gain full control of your computer you must disable UAC. The people at
Vista don't like this because it is a security feature they are pushing. But
you asked and so here is what you do.

1. Click Start
2. Control Panel
3. User Accounts
4. Make changes to your User Account
5.Turn User Account control on or off
6. Uncheck the box...Use User account control (UAC) to help protect your
computer.
7. Click OK button

Thats it. Now you have control of your computer.

NEXT... to keep from logging in every time you turn on the computer,

Still in control panel...
1. Click Parental Controls
2. At the computer Administrator icon click to remove password or (no
password).

I have been reprimanded twice or more on 2 newsgroups for giving out this
info.
Let me know if this fixes your problem.
Tom

P.S. My wife bought an HP with Vista and she was ready to toss it into the
garbage can until I disabled the permissions thingy. Now she loves it. She
also had an XP before.



Reply With Quote
  #3 (permalink)  
Old 03-25-2007
Jimmy Brush
 

Posts: n/a
Re: Need help getting permissions used by removed default trustee
Hello,

This is due to the new security feature of Windows Vista that Tom referred
to (UAC).

He explained how to turn it off, but he didn't explain what it does, what
benefits it gives you, or how to do what you were trying to do with UAC
turned on .

Quick solution: Right-click command prompt, click run as administrator, then
start your vbs script, and it will work fine.

Now on to the explanation of what's going on ...

Very simply, UAC draws a line on your computer between administrative
programs and non-administrative programs.

UAC then enforces a single rule: Programs must have your permission in order
to have administrative power.

This gives you the following benefits:

- Programs that don't need admin power, don't have it (why give someone the
keys to your car if they will never drive it)

- Any program that wants full control over your computer must ask you for
permission, or you must explicitly start it with admin power by
right-clicking it and clicking Run As Administrator

Specifically, this protects you from programs that:

- Would try to perform administrative operations without your knowledge or
consent

- Would try to be sneaky and start an administrative program without your
knowledge/consent to bypass restrictions ("Hey I didn't start format.exe, I
don't want it to run!")

- Would try to abuse/exploit a currently running administrative program in
order to take control over your computer

So, here's how to successfully use Vista when logged in as an administrator
with UAC turned on:

Just remember that if you are starting a program or performing an action and
it doesn't prompt, then it will not have administrative control over your
computer.

- When running command-line programs: You will need to run administrative
command-line programs from an administrative command prompt (right-click
command prompt and click Run As Administrator)

- When running a Vista-compatible program: You don't have to do anything
special, these programs will prompt you automatically if they want admin
access to your computer

- When running old programs not designed for Vista: If these programs needs
admin access to your computer, right-click them and click Run As
Administrator. If you use it a lot, right-click the program, click
properties, click compatability, and put a check next to always run as
administrator. This will cause the program to automatically prompt every
time it is run.

Turning off UAC takes this extra control away from you and makes things work
like Windows XP, where any program that happens to run on your computer can
do anything it wants to your computer.

Also, turning off UAC disables Internet Explorer protected mode, because it
uses UAC's seperation-of-privilege in order to work.

--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/

Reply With Quote
  #4 (permalink)  
Old 03-26-2007
Hugh Wyn Griffith
 

Posts: n/a
Re: Need help getting permissions used by removed default trustee
In article <LSkNh.18527$uo3.15924@newssvr14.news.prodigy.net> , Tom
wrote:

> Now you have control of your computer.


Except for the things you can't do with UAC turned off .......

Reply With Quote
  #5 (permalink)  
Old 03-26-2007
Paul Randall
 

Posts: n/a
Re: Need help getting permissions used by removed default trustee
Hi, Tom
Thanks for the help. Replies inline...

"Tom" <Tom@Metroplex.com> wrote in message
news:LSkNh.18527$uo3.15924@newssvr14.news.prodigy. net...
> To gain full control of your computer you must disable UAC. The people at
> Vista don't like this because it is a security feature they are pushing.
> But
> you asked and so here is what you do.
>
> 1. Click Start
> 2. Control Panel
> 3. User Accounts
> 4. Make changes to your User Account
> 5.Turn User Account control on or off


'Turn User Account control on or off' does not show up in the list of
things to do. There is a blank line where it probably should be. I have
the Vista Designed by Idiots for Idiots version (home basic).

Is there a registry entry I can change that turns off UAC?
I've seen this:
http://vistasupport.mvps.org/disable...count_only.htm,
and will try it later today.

> 6. Uncheck the box...Use User account control (UAC) to help protect your
> computer.
> 7. Click OK button
>
> Thats it. Now you have control of your computer.
>
> NEXT... to keep from logging in every time you turn on the computer,
>
> Still in control panel...
> 1. Click Parental Controls
> 2. At the computer Administrator icon click to remove password or (no
> password).


Having sole access to this computer, I did not initially set up a password.
Is it possible this is the reason I don't have access to 'Turn User Account
control on or off'?

> I have been reprimanded twice or more on 2 newsgroups for giving out this
> info.
> Let me know if this fixes your problem.
> Tom
>
> P.S. My wife bought an HP with Vista and she was ready to toss it into the
> garbage can until I disabled the permissions thingy. Now she loves it. She
> also had an XP before.


You sound like you know a lot about setting up user accounts on Vista. I
want to set up an elderly couple's new laptop with Vista Home Basic, with
three accounts -- Administrator and two users. At bootup, I want icons to
show up only for the two users. I don't want either one to have to enter
passwords to get into their accounts. On one account I want to start up
Internet Explorer automatically, and on the other, I want to start
Solitaire.

Is it possible?
If so, can you outline the procedure?

Thanks for your help.

-Paul Randall


Reply With Quote
  #6 (permalink)  
Old 03-29-2007
=?Utf-8?B?TWFyayBEdW5ha2lu?=
 

Posts: n/a
Re: Need help getting permissions used by removed default trustee
But what about programs like my Spyware and Virus programs that always are
constantly updating themselves and thus continually keep pestering me to
Allow them to do their automatic updating things?
That was soooo annoying having those popup messages every single time I
startup the computer or any time during using the computer.
I don't want to have to keep approving petty little things all the time.

thanx.............md

"Jimmy Brush" wrote:

> Hello,
>
> This is due to the new security feature of Windows Vista that Tom referred
> to (UAC).
>
> He explained how to turn it off, but he didn't explain what it does, what
> benefits it gives you, or how to do what you were trying to do with UAC
> turned on .
>
> Quick solution: Right-click command prompt, click run as administrator, then
> start your vbs script, and it will work fine.
>
> Now on to the explanation of what's going on ...
>
> Very simply, UAC draws a line on your computer between administrative
> programs and non-administrative programs.
>
> UAC then enforces a single rule: Programs must have your permission in order
> to have administrative power.
>
> This gives you the following benefits:
>
> - Programs that don't need admin power, don't have it (why give someone the
> keys to your car if they will never drive it)
>
> - Any program that wants full control over your computer must ask you for
> permission, or you must explicitly start it with admin power by
> right-clicking it and clicking Run As Administrator
>
> Specifically, this protects you from programs that:
>
> - Would try to perform administrative operations without your knowledge or
> consent
>
> - Would try to be sneaky and start an administrative program without your
> knowledge/consent to bypass restrictions ("Hey I didn't start format.exe, I
> don't want it to run!")
>
> - Would try to abuse/exploit a currently running administrative program in
> order to take control over your computer
>
> So, here's how to successfully use Vista when logged in as an administrator
> with UAC turned on:
>
> Just remember that if you are starting a program or performing an action and
> it doesn't prompt, then it will not have administrative control over your
> computer.
>
> - When running command-line programs: You will need to run administrative
> command-line programs from an administrative command prompt (right-click
> command prompt and click Run As Administrator)
>
> - When running a Vista-compatible program: You don't have to do anything
> special, these programs will prompt you automatically if they want admin
> access to your computer
>
> - When running old programs not designed for Vista: If these programs needs
> admin access to your computer, right-click them and click Run As
> Administrator. If you use it a lot, right-click the program, click
> properties, click compatability, and put a check next to always run as
> administrator. This will cause the program to automatically prompt every
> time it is run.
>
> Turning off UAC takes this extra control away from you and makes things work
> like Windows XP, where any program that happens to run on your computer can
> do anything it wants to your computer.
>
> Also, turning off UAC disables Internet Explorer protected mode, because it
> uses UAC's seperation-of-privilege in order to work.
>
> --
> - JB
> Microsoft MVP - Windows Shell/User
>
> Windows Vista Support Faq
> http://www.jimmah.com/vista/
>

Reply With Quote
  #7 (permalink)  
Old 03-30-2007
Paul Randall
 

Posts: n/a
Re: Need help getting permissions used by removed default trustee

"Jimmy Brush" <jb@mvps.org> wrote in message
news:38D2A770-3F68-4F60-B12A-C621BDFD7E69@microsoft.com...

> - When running command-line programs: You will need to run administrative
> command-line programs from an administrative command prompt (right-click
> command prompt and click Run As Administrator)


Thanks for the info.

In my previous post, I mentioned that I had not specified any password for
the single account I created on initial startup of the preinstalled Vista
Home Basic.

Today, I put the computer's hard drive (spare hard drive, actually) back
into the computer's initial out-of-the-box state and specified a password
for the single account I created on first boot-up.

It took me a while to figure out that I have to navigate to Cmd.exe or a
link to it, and right click on it, choosing Run as Administrator. But I
finally got Microsoft's WMIDiag.vbs to run with correct permissions that it
completed with a success message and reported no permissions problems.

From the outputs of WMIDiag.vbs that I've gotten this time and previously,
I've come to the conclusion that there are at least three Administrator
privilege levels with UAC turned on.

1) Reduced privileges if the administrator account has no password. Perhaps
the lack of a password also prevents raising the privileges in any manner.

2) Normal privileges if the administrator account has a password.

3) Elevated privileges if 'run as administrator' context is used.

Am I right, wrong, misguided???
Is there a URL that explains it for dummies?
Is there an easy way to switch the administrator account back and forth
between having a password and not having a password to investigate the
effects of both situations?

-Paul Randall


Reply With Quote
  #8 (permalink)  
Old 04-02-2007
Jimmy Brush
 

Posts: n/a
Re: Need help getting permissions used by removed default trustee
The privileges assigned to your admin account is the same, regardless of
whether your account has a password or not.

Programs that run after a prompt or are started by a program that prompted,
run with full admin privileges.

Programs that do not prompt and are started by a program that did not
prompt, run as if a standard user had started them.



--
- JB
Microsoft MVP - Windows Shell/User

Windows Vista Support Faq
http://www.jimmah.com/vista/
"Paul Randall" <paulr901@cableone.net> wrote in message
news:%23jaeFQocHHA.4012@TK2MSFTNGP03.phx.gbl...
>
> "Jimmy Brush" <jb@mvps.org> wrote in message
> news:38D2A770-3F68-4F60-B12A-C621BDFD7E69@microsoft.com...
>
>> - When running command-line programs: You will need to run administrative
>> command-line programs from an administrative command prompt (right-click
>> command prompt and click Run As Administrator)

>
> Thanks for the info.
>
> In my previous post, I mentioned that I had not specified any password for
> the single account I created on initial startup of the preinstalled Vista
> Home Basic.
>
> Today, I put the computer's hard drive (spare hard drive, actually) back
> into the computer's initial out-of-the-box state and specified a password
> for the single account I created on first boot-up.
>
> It took me a while to figure out that I have to navigate to Cmd.exe or a
> link to it, and right click on it, choosing Run as Administrator. But I
> finally got Microsoft's WMIDiag.vbs to run with correct permissions that
> it completed with a success message and reported no permissions problems.
>
> From the outputs of WMIDiag.vbs that I've gotten this time and previously,
> I've come to the conclusion that there are at least three Administrator
> privilege levels with UAC turned on.
>
> 1) Reduced privileges if the administrator account has no password.
> Perhaps the lack of a password also prevents raising the privileges in any
> manner.
>
> 2) Normal privileges if the administrator account has a password.
>
> 3) Elevated privileges if 'run as administrator' context is used.
>
> Am I right, wrong, misguided???
> Is there a URL that explains it for dummies?
> Is there an easy way to switch the administrator account back and forth
> between having a password and not having a password to investigate the
> effects of both situations?
>
> -Paul Randall
>
>


Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Do threads get removed from here ??? will microsoft.public.windows.vista.general 29 03-01-2007 03:00
permissions from hard disk were randomly removed =?Utf-8?B?amVldg==?= microsoft.public.windows.vista.general 0 02-28-2007 09:54
Vista won't upgrade even after Services for Unix 3.5 is removed =?Utf-8?B?SkQgQ29vcGVy?= microsoft.public.windows.vista.installation setup 0 02-19-2007 06:50
After Vista is activated can it be removed and sold? =?Utf-8?B?SnVsaWVuMzIx?= microsoft.public.windows.vista.installation setup 5 02-13-2007 09:45
Removed Norton but it still appears in the security settings =?Utf-8?B?QmlsbHkgU2NvdGxhbmQ=?= microsoft.public.windows.vista.security 4 02-07-2007 16:04




All times are GMT +1. The time now is 17:17.




Driver Scanner - Free Scan Now

Vistaheads.com is part of the Heads Network. See also XPHeads.com , Win7Heads.com and Win8Heads.com.


Design by Vjacheslav Trushkin for phpBBStyles.com.
Powered by vBulletin® Version 3.6.7
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.6.0 RC 2

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120