On Wed, 7/16/2025 12:08 AM, T wrote:
On 7/15/25 12:04 PM, Paul wrote:
On Tue, 7/15/2025 2:14 PM, T wrote:
Hi All,
Yes I am cross posting. So sue me. In
this instance, cross posting is apropos.
I just got off a call with a customer that could not
operate Any Desk (I used Help Wire to fix).
It transpired that his old returned from employment had
placed a remote tool to access their domain on
his computer at one time. One of their I.T. guys came
to his house and removed it, but in the process locked
his computer back down to the Domain's security policies.
What the Heck !?!?!
This fixed it:
HTH some else,
-T
How to reset Local Security Policies:
References:
https://www.reddit.com/r/WindowsHelp/comments/1bvt3dk/this_setting_is_managed_by_your_administrator_the/
cmd as admin:
secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
; Copyright (c) Microsoft Corporation. All rights reserved.
;
; Security Configuration Template for Security Configuration Editor
;
; Template Name: DefltWK.INF
; Template Version: 05.10.DW.0000
;
; Default Security for Vista
Where is the defltbase.sdb ?
This concept seems something that started around WinXP,
because in WinXP you could reset fumbled security that way.
Later OSes were supposed to lose that.
An icacls run, after installation, allows you to record all the
resulting file security settings. This might have to be augmented with additional
runs at later dates, then an exercise in consolidation, to make
a file suited to the purpose. While the original file would
help a bit, if you played it back in icacls, it would not be
a complete solution.
If I had the materials showing up in nfi.exe here, I might believe
this capability exists.
Scan your reference WinXP partition, and see if you can spot a
defltbase.sdb on that.
Paul
I am no longer logged into the customer's machine.
All I can say is that the command worked. The
Domain security was gone.
One of the sub-functions of that feature in the WinXP era,
is the command causes a scan of the C: drive and assignment
of SIDs and permissions in a controlled way. But in later
OSes, Microsoft gave up on that, so I guess they could not
"determine by inspection", what the permissions on Notepad.exe
should be :-) That's the part I'm referring to.
The Domain security could be a simple as a one-time-call to
the Registry, to modify something, and that could be more
consistent from one release to the next.
As long as you don't assume you have corrected all the file security
by doing that, you'll be fine. File security, you record the status
of the thing, before you start doing maintenance, using an icacls
command. You do your repair activities to the machine, not being
overly careful with the perms. At the end, you use the icacls playback,
to restore the permissions. There was an IT guy who had a web page,
where he demonstrated proper procedure for treating the equipment
you're working on. The "hard to tell he was ever there" treatment.
Whereas hobbyists like me, are likely breaking stuff all over
the place :-) Like my machine is Win98 or something :-)
The beauty of your command in the WinXP era, is a customer machine
that had been "messed about by the hobbyist", using your command
or something similar, could restore the default permissions as
a function of where in the tree they were at, at the time. The database contained "suggestions" for what the permissions should look like on Notepad.exe . It's even possible, during a WinXP installation,
the installer is using that, to set up the perms in an organized
manner.
Paul
--- MBSE BBS v1.1.1 (Linux-x86_64)
* Origin: A noiseless patient Spider (3:633/280.2@fidonet)