Question
Sunday, August 14, 2016 10:09 PM
I am getting this error every few minutes on the domain controllers. I followed your article on troubleshooting this event, to no answer.
Any help? See error details below
EventData
0x5 : Access is denied. Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".
All replies (4)
Monday, August 15, 2016 12:14 AM ✅Answered
Hi Dan,
So you've checked that you have no services defined in group policy under the "Computer Configuration\Policies\Windows Settings\Security Settings\System Services" node? Because if you do, then it's likely that this error is occurring because the computer(s) to which the policy applies cannot alter one or more of the defined services due to the SYSTEM account not having enough permissions.
It may even be the case that it was (or still is) a problem with the group policy setting itself. For example, if the SYSTEM account was/is missing from the defined ACL then that's likely what caused the issue.
You can verify that the system account is missing from the ACL by running the following on the affected client (in your case, any domain controller will do):
sc sdshow [servicename]
This will show the SDDL of the service, which isn't easily readable, but what you're looking for is an entry with ";SY)" at the end of it. Each entry is enclosed in parentheses. For example, the part you'd be looking for might look something like this:
(A;;CCLCSWRPWPDTLOCRRC;;;SY)
If there is no entry at all for ";SY)" then you've found your issue: you need to add the SYSTEM ACE back in.
Cheers,
Lain
Monday, August 15, 2016 2:33 AM ✅Answered
Hi Dan,
The short version is you're going to need to use "sc sdset" to put it back in. Exactly how depends on the nature of the damage to the ACL.
To start with though, you want to obtain a copy of the existing ACL using the "sc sdshow" command I listed above, as the output of that command is going to be required regardless of the method.
The second thing is, make sure you have included the SYSTEM account in the group policy setting or you'll only re-create the same fault.
If the existing string has the ";SY)" SID in it, then you want to replace the existing SYSTEM portion of the SDDL string with the one I provided in my previous reply.
If the existing string does not have the ";SY)" string at all then you're going to need to add it; however, you can't just add it anywhere or else you'll break the string entirely.
Here's an example of an SDDL string taken from a random service, after which is a breakdown of the major parts:
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
First, you are only interested in the section that is prefixed with the "D:". The "D" in this case is symbolic for "Discretionary ACL", which in other words is the ACL that controls who can do what. The "S:" section is symbolic for "System ACL", which is only used for auditing, not controlling access.
So, focusing on the DACL, each security entry is enclosed in parentheses. What you want to do is make sure the entry for the SYSTEM account, which from the above example is (A;;CCLCSWRPWPDTLOCRRC;;;SY), is included in the "D:" section of your SDDL.
If you're really not sure about any of this, then just use the entire string from the example above as your group policy is going to overwrite it anyway.
Once you've figured out what your SDDL should look like, use the following command to set the SDDL on the appropriate service(s):
sc sdset [servicename] "SDDL string"
For example:
sc sdset appidsvc "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Cheers,
Lain
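The check from the first reply and the repair from the second, written out as a small script. This is an added example for this thread, not code from Lain, Dan or Microsoft. It parses the string `sc sdshow` prints, reports whether a SYSTEM (SY) ACE is present in the DACL ("D:" section) and, if not, inserts Lain's ACE there rather than at the end of the string, where it would land in the SACL ("S:" section) and do nothing for access control. The reference SDDL is the one quoted in the reply above; the damaged variants are constructed here to show the failure modes. The output goes into `sc sdset <service> "<sddl>"` exactly as in the reply.

```python
"""Check a Windows service SDDL string for the SYSTEM ACE and add it in the right place.

Added example for this thread (not the thread authors' or Microsoft's code).
Input is the string printed by `sc sdshow <service>`; the output is what you
pass to `sc sdset <service> "<sddl>"`. The damaged strings in __main__ and the
tests are constructed for illustration.
"""

# The SYSTEM ACE recommended in the thread: Allow SYSTEM the usual service rights.
SYSTEM_ACE = "(A;;CCLCSWRPWPDTLOCRRC;;;SY)"

# Reference descriptor quoted in the thread: DACL ("D:") followed by SACL ("S:").
GOOD_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def parse_sddl(sddl):
    """Split an SDDL string into its sections (O:, G:, D:, S:).

    Returns (order, sections). `order` lists the section letters in the order
    they appear; `sections[letter]` holds the text between the prefix and the
    first ACE (an owner/group SID or ACL flags such as "P" or "AI") and the
    list of parenthesised ACEs. ACEs never contain parentheses, so a flat scan
    is enough.
    """
    order, sections = [], {}
    current = None
    i, n = 0, len(sddl)
    while i < n:
        ch = sddl[i]
        if ch in "OGDS" and i + 1 < n and sddl[i + 1] == ":":
            current = ch
            order.append(current)
            sections[current] = {"flags": "", "aces": []}
            i += 2
            continue
        if current is None:
            raise ValueError("SDDL must start with a section prefix such as D:")
        if ch == "(":
            end = sddl.index(")", i)
            sections[current]["aces"].append(sddl[i:end + 1])
            i = end + 1
        else:
            sections[current]["flags"] += ch
            i += 1
    return order, sections


def build_sddl(order, sections):
    """Inverse of parse_sddl: reassemble the sections in their original order."""
    return "".join(f"{k}:{sections[k]['flags']}{''.join(sections[k]['aces'])}"
                   for k in order)


def ace_sid(ace):
    """Return the trustee of an ACE, i.e. the last ';'-separated field ('SY', 'BA', ...)."""
    return ace.strip("()").split(";")[-1]


def has_system_ace(sddl):
    """True only if a SYSTEM ACE sits in the DACL; a SY ACE in the SACL does not count."""
    _, sections = parse_sddl(sddl)
    return any(ace_sid(a) == "SY" for a in sections.get("D", {"aces": []})["aces"])


def ensure_system_ace(sddl, system_ace=SYSTEM_ACE):
    """Return `sddl` with exactly one SYSTEM ACE (`system_ace`) in the DACL.

    An existing SY ACE is replaced in place, as the thread advises. If there is
    none, the ACE goes first in the DACL, which is where sc.exe itself lists it.
    The SACL is left untouched. A descriptor with no "D:" section gets one.
    """
    order, sections = parse_sddl(sddl)
    if "D" not in sections:
        sections["D"] = {"flags": "", "aces": []}
        order.insert(order.index("S") if "S" in order else len(order), "D")
    aces = sections["D"]["aces"]
    positions = [i for i, a in enumerate(aces) if ace_sid(a) == "SY"]
    for i in reversed(positions):          # drop every existing SYSTEM ACE ...
        del aces[i]
    aces.insert(positions[0] if positions else 0, system_ace)  # ... and put the right one back
    return build_sddl(order, sections)


def sdset_command(service, sddl):
    """Build the `sc sdset` command line that applies the repaired descriptor."""
    return f'sc sdset {service} "{sddl}"'


if __name__ == "__main__":
    damaged = GOOD_SDDL.replace(SYSTEM_ACE, "")      # constructed: SYSTEM ACE stripped out
    print("SYSTEM ACE in DACL:", has_system_ace(damaged))
    print(sdset_command("appidsvc", ensure_system_ace(damaged)))
```

On a domain controller you would paste the `sc sdshow` output into `ensure_system_ace`, review the result, and only then run the printed `sc sdset` line; remember that the group policy setting itself still has to include SYSTEM, or the next policy refresh recreates the fault.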
Monday, August 15, 2016 2:38 AM ✅Answered
PS: I meant to include that if you can't do this while running as an administrator - i.e. you get Access Denied all over again, you can try doing the same thing using the SYSTEM process itself as described in option 2 of this support article.
It's an old article but the process still works. You can also use psexec if you have it, but I'm not going to dwell on all the tools that can let you run a SYSTEM process shell.
Cheers,
Lain
Monday, August 15, 2016 12:52 AM
Thanks, I think that may be the issue. How do I add the SYSTEM ACE back in?
Dan Carrera