I have seen where permissions had gotten changed in the system folders where the Windows 2003 SP1 was applied and the server was rebooted. After the reboot, nearly all of our automatic services failed to start. This was because the Remote Procedure Call service failed to start. Windows Server 2003 changes the logon for the RPC service to Network Service, and because the permissions had been changed, that service was getting “Access Denied” when attempting to start the service.
Running Chkdsk on a server can also change security descriptors if you have not applied the required hotfixes to the server. See the following articles:
831375 The CHKDSK utility incorrectly identifies and deletes in-use security descriptors in Windows 2000
831374 The CHKDSK utility incorrectly identifies and deletes in-use security descriptors
To reset the NTFS permissions on the server, we can use the secedit command.
Open a command prompt.
Run the following command, where c:\windows is the %systemroot% folder.
If the server has been upgraded, replace windows with winnt in the paths.
On a domain controller, run
secedit /configure /db c:\windows\temp\seceditsv.sdb /cfg "c:\windows\security\templates\DC security.inf" /log c:\windows\temp\seceditsv.log
On a non-domain controller, run
secedit /configure /db c:\windows\temp\seceditsv.sdb /cfg "c:\windows\security\templates\setup security.inf" /log c:\windows\temp\seceditsv.log
Note: I have run the setup security.inf on a domain controller without experiencing any problems.
This sets NTFS permissions back to default.
You will then be able to start services using the Network Service.
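The procedure above as a single batch file, added here as an example and not part of the original post. It builds the paths from %SystemRoot% so the windows/winnt substitution is automatic, and it assumes the ProductType registry value reads LanmanNT on a domain controller; the variable names are illustrative.

```batch
@echo off
setlocal
rem Added example wrapping the secedit command from this page.
rem Paths are derived from %SystemRoot%, so \windows and \winnt both work.
set "TPLDIR=%SystemRoot%\security\templates"
set "DB=%SystemRoot%\temp\seceditsv.sdb"
set "LOG=%SystemRoot%\temp\seceditsv.log"

rem Default to the non-domain-controller template.
set "TEMPLATE=%TPLDIR%\setup security.inf"

rem Assumption: ProductType is LanmanNT on a domain controller.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v ProductType | find /i "LanmanNT" >nul
if not errorlevel 1 set "TEMPLATE=%TPLDIR%\DC security.inf"

rem Stop before touching anything if the template is missing.
if not exist "%TEMPLATE%" (
    echo Template not found: "%TEMPLATE%"
    exit /b 2
)
if not exist "%SystemRoot%\temp" mkdir "%SystemRoot%\temp"

rem A database left over from an earlier run would have the new template
rem appended to its stored one, so start from a fresh database.
if exist "%DB%" del "%DB%"

echo Applying "%TEMPLATE%"
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%"
set "RC=%errorlevel%"

rem Treat any non-zero exit code as a reason to read the log first.
if not "%RC%"=="0" (
    echo secedit exited with code %RC%. Review "%LOG%" before rebooting.
    exit /b %RC%
)
echo Done. Log written to "%LOG%".
endlocal
```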
Refer to the following article on what each security template contains.
816585 How to apply predefined security templates in Windows Server 2003
Have a good week.
Stephanie B. Doakes
Thank you ever so much for this article - it just resolved my issue.