How is it possible to receive Access Denied errors even after assigning the right permissions?
Most likely the token for the user has not been regenerated. When a user logs in / authenticates a security token is generated to them with all of their permissions. When alterations to permissions take place the user needs to have their security token regenerated either with the local SAM or the domain controller. Usually that is only an issue for user rights assignments and not object permissions though.
Another possibility is the concept if denials taking precedence over allows. It's possible for a denial to be higher up the inheritance chain that is cascading down and causing the permission problems.
Related videos on Youtube
Mason G. Zhwiti
Updated on September 18, 2022Comments
-
Mason G. Zhwiti over 1 year
I've been working on a server migration recently, and cleaning up permissions issues on some cloned Windows 2008 servers. I routinely use procmon to narrow down permissions issues and fix them, then resume testing.
Something that boggles my mind is when I assign the proper permissions, and then run the test again, and still receive the same "ACCESS DENIED" error in procmon for the same exact user that I just assigned Full Control on for that directory or registry key that fails.
How is this technically possible? Other than not having the proper ACL set, why would ACCESS DENIED be returned?
In this specific headache, I have an Active Directory account that we use to run our services that need to be able to span multiple servers, and it consistently receives ACCESS DENIED errors on HKEY_CLASSES_ROOT\Wow6432Node\CLSID. I have tripled checked that this user has Full Control access on this key, yet it still happens.
For what it's worth, here are the details from procmon:
Date & Time: 8/9/2011 5:13:27 PM Event Class: Registry Operation: RegOpenKey Result: ACCESS DENIED Path: HKCR\Wow6432Node\CLSID TID: 5084 Duration: 0.0000073 Desired Access: Read Description: Event Alarm Service Company: Dorian Software Creations, Inc. Name: EvtAlarm.exe Version: 6.0.0.148 Path: C:\Program Files (x86)\Event Alarm\EvtAlarm.exe Command Line: "C:\Program Files (x86)\Event Alarm\EvtAlarm.exe" PID: 5232 Parent PID: 616 Session ID: 0 User: OUR\SpecialUser Auth ID: 00000000:09af42e2 Architecture: 32-bit Virtualized: False Integrity: High Started: 8/9/2011 5:13:27 PM Ended: 8/9/2011 5:13:39 PM
Edit: Thanks everyone for the feedback. I have solved our underlying problem, although my question still stands as I don't feel what I did is truly an explanation, therefore I am not going to post this as an official answer. Following advice from the company that makes the software in question, I added the service account in question to the local Administrators group, and now it is able to start successfully, and the ACCESS DENIED errors are gone. It still makes no sense to me, as the permissions (including effective permissions) showed that this service account should have had the right to access the registry key that was being denied...
-
Admin almost 13 yearsjust to be more clear have you looked at the effective permissions?
-
Admin almost 13 yearsEffective permissions show every box is checked for this user on this registry key.
-
Admin over 6 yearsDid you check the Windows Security event log for a corresponding event that might indicate exactly which permission was denied? It could have involved more than just the registry key's ACL, like possibly a system privilege that is only granted to local administrators.
-
-
tony roth almost 13 yearsgood point you may just need restart the service.
-
joeqwerty almost 13 years@Wes: I don't think that's right. When a user logs on, their security token specifically identifies them. Resource access based on username (SID) should work without needing to regenerate a new security token. On the other hand, user access based on group membership requires a logoff and logon to generate a new security token to reflect the group membership changes.
-
Wesley almost 13 years@Joeqwerty Yeah, that's what I was thinking too. I was going off of some anecdotal evidence that I've experienced where I thought access based permissions still weren't working until some time had passed. Cargo Cult Administration at its finest. =)
-
joeqwerty almost 13 years@Wes: <Personal Note> BTW, glad to see you. Hope all is well. </End Personal Note>
-
joeqwerty almost 13 yearsOn another note: An explicit allow will over-ride an inherited deny.
-
Wesley almost 13 yearsHmmm... I thought an inherited deny overrode everything. Clearly my permissions skills are musty. =)
-
joeqwerty almost 13 yearsNope, an explicit permission over-rides an inherited permission... in every case if I'm not mistaken.