Locked out from Class Security

myITforum.com Community Forum

Home Forums Blogs Live Support chat Search Articles Wiki FAQ Email Lists Register Login My Profile Inbox Address Book My Subscription My Forums

Photo Gallery Member List Search Calendars FAQ Ticket List Log Out

All Forums RSS Feed Subscription:

Locked out from Class Security

View related threads: (in this forum | in all forums)

Logged in as: Guest

Printable Version

All Forums >> [Management Products] >> Microsoft Systems Management Server >> SMS 2003 >> Locked out from Class Security

Page: [1]

Message

<< Older Topic Newer Topic >>

Locked out from Class Security - 5/10/2008 4:53:42 PM

kpark

Posts: 7
Score: 0
Joined: 11/8/2007
Status: offline

Hello,

After a long day of rebuilding one of my 5 primarys, when i was checking the Class security in the console, i mistakenly removed the enterprise admins group (which i am a memeber of) from the Reporting area. Does anybody have any advice how to add this back in?

the only item in here with administer rights is NTAuthority\System

what i have done so far
I opened up the SMS_UserClassPermissions in wbemtest and found the objectkey for reports (objectkey '8;) i tried to add the modify the class perssion from in here but i received a error code 80041001 Generic Failure. after testing on different areas of the console this is down to permissions.

So i need to be able to re-apply the permissions to the reports area. the next thing i will try is to remove the reporting point then re add it but i can't see this fixing it,
any help is appreciated.

Thanks

Post #: 1

RE: Locked out from Class Security - 5/10/2008 8:41:14 PM

jbezdan

Posts: 17
Score: 0
Joined: 2/6/2006
Status: offline

Go out to http://www.pluralsight.com/books/pws/samples.htm and download the tools. Extract the CmdAsUser.zip file and get the cmdasuser.exe out of the bin folder. Copy it to the root of C:\ on the server, then open a command prompt and run: c:\cmdasuser.exe localsystem

Another command prompt will open with "Local System" in the title bar. From there, run mmc.exe and then load in the System Management Server snapin. From there you should be able to go to the report class and give the group rights again. I just tested this on a lab SMS site and it worked for me.

That tool is also useful for testing how a software distribution will behave when it is run as the system account on workstations.

< Message edited by jbezdan -- 5/10/2008 8:42:05 PM >

(in reply to kpark)

Post #: 2

RE: Locked out from Class Security - 5/11/2008 8:17:26 AM

kpark

Posts: 7
Score: 0
Joined: 11/8/2007
Status: offline

Thanks for this information,

However we must have something in the security template on our servers as once i execute it the localsystem window flashes up then quickly dissappears. i have tried this on a standard XP client and it works. howver on the standard xp client i can't connect to the database to change the permissions due to internal firewalls which i will get a rule added next week

do you know if this could be a default setting on the server to prevent this localsystem window running?

(in reply to jbezdan)

Post #: 3

RE: Locked out from Class Security - 5/11/2008 8:46:11 AM

kpark

Posts: 7
Score: 0
Joined: 11/8/2007
Status: offline

Great, I managed to work around the cmdasuser

i logged on the the server remotely in /console mode and set a schedule task the run cmd.exe /interactive

this work and now i can add myself in to the security of the reports.

Thanks for you response, and i hope it can help others

(in reply to kpark)

Post #: 4

RE: Locked out from Class Security - 5/11/2008 2:38:10 PM

jbezdan

Posts: 17
Score: 0
Joined: 2/6/2006
Status: offline

I am glad you got it working. I assume you mean that you did the scheduled task using an AT.exe command and not the Task Scheduler gui interface?

It could be a policy issue on the cmdasuser not running. Were you running it from another cmd.exe window or from Start - Run? I know it will behave that way from Start - Run.

Either way, I am glad all it all worked out.

(in reply to kpark)

Post #: 5