Windows 2008R1 Registry Permissions questions: (Cannot get DPS to work Access denied)
This may or may not be related to our Group Policies, but it is not resolved by removing the group policies applied.
When we have upgraded our servers from 2003 to 2008, or even taken a fresh install of 2008 (from template with no policies applied (that I know of)), several services do not start (similar to srshowers' post in
http://social.technet.microsoft.com/Forums/en-US/itprovistanetworking/thread/5744a4b6-31a2-4f2e-b27e-e99627be5aba ).
I have largely resolved this by editing the registry per the post by Sjuu in the same thread. (plus giving local service rights to w32tm).
However, I am unable to get DPS to run. I would like assistance in getting it working. (I have given the local service account rights to the hive under hklm\system\ccs\services\dps in addition to dps\enum, dps\parameters; dps\parameters). No dice.
Additionally, I would like to create a 2008 GPO that adds all the permissions required for these services to run. Do I have to use local service & network service instead of NT Service\mpssvc ?
Thanks, if I have mis-posted - please direct me to the correct forum.
-Alex
July 29th, 2011 10:54pm
Hi Alex,
This thread might be helpful:
http://social.technet.microsoft.com/Forums/en/windowsserver2008r2general/thread/ae370edf-716b-4208-86d6-aba6c44f658b
If the problem continues, please let us know the following information:
1. Is this Windows Server 2008 computer a member server or domain controller?
2. Please make sure the system is up to date with the latest security patches and service pack.
3. What error message do you receive when trying to start the DPS service? Is there any relevant error in event log?
Regards,
Bruce
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for
TechNet Subscriber Support, contact tnmff@microsoft.com.
July 31st, 2011 10:31pm
Thanks for the link, Bruce. The server in question is in the default computers container, and has no GPO assigned with security policies. (The link is from a user who states the problem was resolved by removing Group Policy Objects from the OU with his/her machine.)
That user has the same question as I do about the local accounts & GPObjects.
I have made the following modifications to my registry:
HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag Network Service full control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip "Local service" Full, Read (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE "NT Service\BFE" Full, Read (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS "NT Service\Trustedinstaller" Full, Read (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc "NT Service\NlaSvc" Full, Read (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch "NT Service\MpsSvc" Query, Set Value (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy "NT Service\MpsSvc" Full, Read (add this permission)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy "NT Service\MpsSvc" Full, Read (add this permission)
hklm\system\ccs\services\w32time : Gave local service and network service full control
-> at this: almost automatic services start. Just not DPS. This particular instance is a root level DC, but it has also occurred with some child member servers.
--> Addendum: There is not really any information about why the Diagnostic Policy Service is not starting: Error 5 access denied.
Thanks,
Alex
August 1st, 2011 4:15pm
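An added example, not part of the thread: a read-only PowerShell check that reports, for each key listed in the post above, whether the named principal holds an explicit or inherited allow ACE with the stated rights. It assumes PowerShell 3.0 or later, an elevated prompt, and that the principal names are spelled the way `Get-Acl` reports them on the machine (for example `NT AUTHORITY\LOCAL SERVICE`).

```powershell
# Added example (not from the thread). Read-only: reports ACEs, changes nothing.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Key, principal and rights as listed in the post. Principal spellings are an
# assumption: they must match what Get-Acl reports on the machine being checked.
$expected = @(
    @{ Key = 'VSS\Diag'; Principal = 'NT AUTHORITY\NETWORK SERVICE'; Rights = 'FullControl' }
    @{ Key = 'Tcpip';    Principal = 'NT AUTHORITY\LOCAL SERVICE';   Rights = 'FullControl' }
    @{ Key = 'BFE';      Principal = 'NT SERVICE\BFE';               Rights = 'FullControl' }
    @{ Key = 'DPS';      Principal = 'NT SERVICE\TrustedInstaller';  Rights = 'FullControl' }
    @{ Key = 'NlaSvc';   Principal = 'NT SERVICE\NlaSvc';            Rights = 'FullControl' }
    @{ Key = 'SharedAccess\Epoch'; Principal = 'NT SERVICE\MpsSvc';  Rights = 'QueryValues, SetValue' }
    @{ Key = 'SharedAccess\Parameters\FirewallPolicy'; Principal = 'NT SERVICE\MpsSvc'; Rights = 'FullControl' }
    @{ Key = 'SharedAccess\Defaults\FirewallPolicy';   Principal = 'NT SERVICE\MpsSvc'; Rights = 'FullControl' }
    @{ Key = 'W32Time';  Principal = 'NT AUTHORITY\LOCAL SERVICE';   Rights = 'FullControl' }
    @{ Key = 'W32Time';  Principal = 'NT AUTHORITY\NETWORK SERVICE'; Rights = 'FullControl' }
)

$report = foreach ($e in $expected) {
    $path      = Join-Path $root $e.Key
    $want      = [int][System.Security.AccessControl.RegistryRights]$e.Rights
    $status    = 'KeyMissing'
    $granted   = 0
    $inherited = $null

    if (Test-Path -Path $path) {
        # Allow ACEs whose trustee is exactly the expected principal.
        $aces = @((Get-Acl -Path $path).Access | Where-Object {
            $_.IdentityReference.Value -eq $e.Principal -and
            $_.AccessControlType -eq 'Allow'
        })
        # Union of the rights across those ACEs.
        foreach ($a in $aces) { $granted = $granted -bor [int]$a.RegistryRights }
        $inherited = @($aces | Where-Object { $_.IsInherited }).Count -gt 0

        if ($aces.Count -eq 0)                    { $status = 'NoAllowAce' }
        elseif (($granted -band $want) -eq $want) { $status = 'Granted' }
        else                                      { $status = 'Partial' }
    }

    [pscustomobject]@{
        Key       = $e.Key
        Principal = $e.Principal
        Status    = $status
        Rights    = [System.Security.AccessControl.RegistryRights]$granted
        Inherited = $inherited
    }
}

$report | Format-Table -AutoSize
```

The check matches the exact principal only, so access that a service gets through a group ACE (for example Users or Administrators) shows as `NoAllowAce`. ACEs stored with generic rights appear as raw numbers in the `Rights` column and are reported as `Partial`.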
sc query dps
service_name: dps
type: 20 win32_share_process
state: 1 stopped
win32_e3xit_code: 5 (0x5)
Service_Exit_code: 0 (0x0)
checkpoint: 0x0
wait_hint: 0x0
August 4th, 2011 12:58pm
The diagnostic policy service on a 2008 server will not start: error 5 access denied.
net start dps: The Diagnostic Policy Service Service service could not be started: a system error has occurred, system error 5 has occurred. access is denied.
The event log gives no information as to what access was denied (security), leading me to suspect it is a registry permission (Trusted installer does have full control of the DPS hive).
When attempting to use Process Monitor to see what is being denied, I see only success, buffer overflow, and name not found. (name not found mostly under hklm\system\ccs\control\wdi\...)
Suggestions as to how this may be troubleshot?
August 4th, 2011 9:21pm
Hi am2o,
Sorry for the delay. Please first make sure the operating system is up to date with the latest security patches and Service Pack.
Based on my research, I suggest following the steps below to troubleshoot this problem:
1. Click Start menu – All Programs – Accessories, right click on Command Prompt and select "Run as administrator"
2. Type "Net start DPS" and run it again.
What’s the result? If the problem continues, please try Daniel’s suggestion in the comments of this article:
http://itsvista.com/2007/04/diagnostic-policy-service/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Regards,
Bruce
August 8th, 2011 2:12am
For steps 1;2: Net start DPS as admin-> A system error has occurred. System error 5 has occurred. Access is denied.
I'm not sure I understand Daniel's suggestion "To add the following users to the security properties on the c: drive 'Authenticated Users, Users, Creator Owner'" with no mention of permissions: My permissions read as follows: The following have the listed permissions on this folder, subfolders & files: { System: Full control; Administrators: Full Control; Users: Create Folders / append data; Users: RX; Authenticated Users: RX}; Creator Owner: Special (full to subfolders & Files); Users: Special (Create Files / write data: Subfolders only)
If I have to propagate "Authenticated Users" full control to all files and folders, I think the appropriate answer is rage-face ;)
August 9th, 2011 5:59pm