
Domain Wide ACL issues



I will start by explaining the rough setup and the issues we are having, but if there is any more information you need to know to help me fix this problem, please feel free to ask.

This summer we are planning to re-deploy images to all our PCs due to these issues we have been through. Our computers have picked up ACL issues; these stop us creating scheduled tasks, and prevent applications with services/registry installs/changes from installing.

We are running all our servers on Server 2003, one of which is Server 2003 x64. We are running all of our computers on Windows XP Professional, most of which are running on SP3. We have had a Server 2008 on the domain, but as the majority of staff have not had much experience with it, we have reverted back to Server 2003.

Our PDC was replicated, but the Server with the global catalog crashed and we have not been able to recover this server, therefore we could not demote it, but we have now enabled the Global Catalog on our PDC.

The active directory has been replicated 5 or 6 times to now be established on its current Server 2003 x64 OS.

I have a laptop with Windows XP Professional SP3 on it which has been connected to the network but never added to the domain; as far as I am aware, it has had no ACL issues. This leads me to believe it is our domain causing the problem.

We created a script which resets the Access Control Lists, which seems to work for a few hours (allows scheduled tasks to be created etc.) but the ACLs seem to break themselves again.


Has anyone come across this problem before, or do you have any ideas/suggestions on what to do to fix this problem?

We do not want to re-deploy the entire network's nodes only to find this error re-occurs.

Thanking you in advance.

Kevin



What scheduled task are you adding?

What is the script you are using and what credentials does it run under to do its thing?

Are there any domain group policies applied to the machines?


We have tried many different scheduled tasks, even the most basic thing like opening a command prompt window - once only.

It happens with everything from the top-level administrator account to a basic user account, and with the local admin account too.

We use an ACL fix script from the internet, which has been adapted slightly, I do believe.

But this ACL error came about the time when we moved AD to another server. So it is not a problem with the ACL reset switch.

I think there is something to do with the servers which, when the computers "check in" with the domain controller, screws up the ACL again.

Yes we do have a domain wide group policy active.

Along with some OU group policies for different sectors of our organisation.

We also tried installing Sophos remotely and locally to our machines; due to the permissions it will not allow the anti-virus to install because the registry cannot be changed.

Edited by Kev389

The majority of our machines have unique SIDs. There will be a few of the machines on the network with the same SID, but we had computers with the same SID before this problem occurred.

We now use NewSID and have been since before the issue occurred.


> The majority of our machines have unique SIDs. There will be a few of the machines on the network with the same SID, but we had computers with the same SID before this problem occurred.
>
> We now use NewSid and have been since before the issue occurred.

OK. Did you know that NewSID changes the SID everywhere on the computer EXCEPT the SID attached to the logon account on a Scheduled Task? This means that if you have existing tasks on a system, then run NewSID, the tasks will not be able to execute. This means that after the SID is changed, you need to execute a command (or commands) like this (you can use a batch file too):

c:\windows\system32\schtasks /CHANGE /tn TASK_NAME_1 /ru Administrator /rp password


I was not aware of that, no.

Thank you for letting me know. I will bear that in mind in future.

Before we were even thinking about NewSID, the scheduled tasks and registry changes would work.

It was only when we started replicating the Domain Controllers, and since, that we have had the problem. Therefore I don't believe that it is a SID issue.

Could this issue have occurred from a corrupt GPO or a setting not being transferred properly?
