Hopefully there is a debug routine that can be invoked to look at the API calls. Also, is there an application account in which the application runs that needs special or elevated privs?

On Apr 23, 2015 9:40 AM, "Webster" <[email protected]> wrote:
> Yep, Procmon was the first thing we did to troubleshoot. They found nothing in the almost 10,000,000 lines. We have done Wireshark, Procmon, their own internal code tracing stuff, sent them every log file, trace file, dmp file and anything else I or they could think of.
>
> [I have no idea what I am saying in this next sentence] This vendor has changed the management framework their software runs under that allowed them to change their API and SDK so they can produce a “real” PowerShell implementation. They really want me to test their new PoSH stuff. For some strange reason they really want me to bless their new PoSH stuff. They also want me to have a documentation script ready for this new product when it is officially released using their new PoSH. Since I can’t get the product to run, I can’t test the new PoSH stuff.
>
> The vendor has assigned three devs to work with me to get this issue resolved. So I am really REALLY hoping it is not something in my AD that is messing things up. They are spending a lot of resources to get this found and fixed and I just hope the problem isn’t on my end.
>
> Thanks
>
> Webster
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Ed Ziots
> *Sent:* Thursday, April 23, 2015 8:23 AM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE
>
> Also turn on file auditing when running the application and look at its processing via procmon
>
> This should help debug where the issue is if it's a file permission problem
>
> Ed
>
> On Apr 23, 2015 9:19 AM, "Webster" <[email protected]> wrote:
>
> Yes, the PoSH session was elevated. Icacls is also being run from an elevated command prompt.
>
> c:\>icacls.exe c:\
> c:\ NT AUTHORITY\SYSTEM:(OI)(CI)(F)
>     BUILTIN\Administrators:(OI)(CI)(F)
>     BUILTIN\Users:(OI)(CI)(RX)
>     BUILTIN\Users:(CI)(S,AD)
>     BUILTIN\Users:(CI)(IO)(S,WD)
>     CREATOR OWNER:(OI)(CI)(IO)(F)
>
> Successfully processed 1 files; Failed processing 0 files
>
> c:\>
>
> I could not get the Get-GPOReport to work so I just went into GPMC and did a backup of all GPOs into that folder and that worked.
>
> I am working with a vendor on a new version of one of their products. We can get the current version of their product to work fine in my lab but the new version refuses to run. It will install and let me configure it but the product refuses to run. The vendor wants to recreate my lab as close as they can so they wanted the GPO Reports. Guess they will have to work with the backup instead. Of course I use a PoSH script to create my lab’s AD structure and I sent them that script.
>
> I am just hoping I don’t have an intrinsic issue with my lab’s AD that is causing issues with this vendor’s software. When I attempted to see if I could recreate the issue with their new product on Server 2008 R2, GPResult reported an unknown SID for the 2008 R2 server of S-1-18-1. I found the hotfix for that, applied it to the 2008 R2 server but it made no difference in being able to run the new software.
>
> The vendor is unable to repro the issue in their lab but it is 100% reproducible in mine. I am running all 2012 R2 servers, FFL is 2012 R2 and I am also using SQL 2014 (no SP1, stand-alone SQL server, no HA).
>
> Thanks
>
> Webster
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Michael B. Smith
> *Sent:* Thursday, April 23, 2015 8:04 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE
>
> Notice those are all inherited rights.
>
> Notice also that UAC comes into play.
>
> Is your PowerShell session elevated?
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>] *On Behalf Of *Webster
> *Sent:* Thursday, April 23, 2015 8:53 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE
>
> c:\>icacls.exe c:\gporeports
> c:\gporeports CREATOR OWNER:(OI)(CI)(IO)(F)
>     LabADDomain\ctxadmin:(OI)(CI)(F)
>     BUILTIN\Users:(OI)(CI)(F)
>     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
>     BUILTIN\Administrators:(I)(OI)(CI)(F)
>     BUILTIN\Users:(I)(OI)(CI)(RX)
>     BUILTIN\Users:(I)(CI)(S,AD)
>     BUILTIN\Users:(I)(CI)(S,WD)
>     LabADDomain\ctxadmin:(I)(F)
>     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
>
> Successfully processed 1 files; Failed processing 0 files
>
> But:
>
> Windows PowerShell
> Copyright (C) 2014 Microsoft Corporation. All rights reserved.
>
> PS C:\Windows\system32> get-gporeport -All -ReportType HTML -Path c:\GPOReports
> get-gporeport : Access to the path 'c:\GPOReports' is denied.
> At line:1 char:1
> + get-gporeport -All -ReportType HTML -Path c:\GPOReports
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     + CategoryInfo : NotSpecified: (:) [Get-GPOReport], UnauthorizedAccessException
>     + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.GroupPolicy.Commands.GetGpoReportCommand
>
> PS C:\Windows\system32>
>
> Thanks
>
> Webster
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>] *On Behalf Of *Michael B. Smith
> *Sent:* Thursday, April 23, 2015 7:49 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] RE: trying to find a thread about missing account(s) on drive/folder ACE
>
> What does icacls.exe say about the folder?
>
> *From:* [email protected] [mailto:[email protected] <[email protected]>] *On Behalf Of *Webster
> *Sent:* Thursday, April 23, 2015 8:44 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] trying to find a thread about missing account(s) on drive/folder ACE
>
> I have run into an issue in my lab where I can create a folder but cannot create any files in the folder after the folder is created. I thought I remembered a thread on this list earlier this year about a similar issue and it was a missing account that needed to be added back. I can’t find that thread.
>
> My lab is 2 2012R2 DCs and FFL of 2012 R2. All my servers are 2012 R2.
>
> Thanks
>
> Webster
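
The three checks the thread walks through (is the session elevated, which ACEs are inherited versus explicit, can a file actually be created in the folder) can be gathered in one pass. The following is an added example, not code from anyone in the thread; the function name Test-FolderWriteAccess is hypothetical, and C:\GPOReports is the folder named in the quoted messages.

```powershell
# Added example (not from the thread). Test-FolderWriteAccess is a hypothetical helper name.
function Test-FolderWriteAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # e.g. C:\GPOReports, the folder named in the thread
    )

    # 1. Elevation: under UAC an administrator's unelevated token carries the
    #    Administrators group as deny-only, so IsInRole returns $false.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. ACEs, explicit first. IsInherited corresponds to the (I) flag in icacls
    #    output; InheritanceFlags/PropagationFlags correspond to (OI), (CI), (IO).
    $aces = (Get-Acl -LiteralPath $Path).Access |
        Sort-Object IsInherited |
        Select-Object IdentityReference, AccessControlType, FileSystemRights,
                      IsInherited, InheritanceFlags, PropagationFlags

    # 3. Write probe: create and delete a uniquely named file in the folder,
    #    so the result reflects the effective access of the current token.
    $probe      = Join-Path -Path $Path -ChildPath ('probe-{0}.tmp' -f [guid]::NewGuid())
    $canCreate  = $false
    $probeError = $null
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        $canCreate = $true
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
    }
    catch {
        $probeError = $_.Exception.GetBaseException().Message
    }

    [pscustomobject]@{
        Path          = $Path
        RunAs         = $identity.Name
        Elevated      = $elevated
        CanCreateFile = $canCreate
        ProbeError    = $probeError
        Aces          = $aces
    }
}

$result = Test-FolderWriteAccess -Path 'C:\GPOReports'
$result | Format-List Path, RunAs, Elevated, CanCreateFile, ProbeError
$result.Aces | Format-Table -AutoSize
```

Run it in the same session and under the same account as the failing command. If CanCreateFile is True there, the folder ACL is not what is denying the write.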
