Discussion:
Ultrasound - Access Denied on DFS GetDiskFreeSpaceEx
(too old to reply)
BenLimerkens
2006-05-18 16:35:02 UTC
Permalink
Hi all,

I hope someone can help me out. I think it's a great tool to monitor FRS for
both Sysvol and Dfs. I was able to spot and solve a couple of issues we were
having.

But anyways, I still have a problem ;-))
The problem is basically that we have set specific rights on our DFS share.
We have given Domain Users read&execute and Domain Admins full control. You
probably already see that in this way SYSTEM has no rights, meaning that the
Ultrasound provider is unable to gather data and reports an Access Denied.
This results in having no data regarding our DFS share which is a shame.

Is there a way and is this going to work, to have the usprovider.exe start
with a specific Domain account instead of SYSTEM? Then this provider would
have enough rights to read our DFS share and report data back to the
controller.

I hope it is clear and somebody can come to rescue,

Thanks,
Ben
Ned Pyle (MSFT)
2006-05-25 23:42:07 UTC
Permalink
Hi Ben,

I don't believe this is going to be possible, since the USProvider is
actually envoked via WMI (as SYSTEM) and is not directly configurable like a
normal Windows Service. I'm going to confirm with someone else tommorrow (or
Tuesday if they are OOF) but my review of source and the usprovider.mof are
not looking promising. Because this tool is deprecated, it's unlikely that
this can be changed going forward (FRS is dead - long live DFSR, basically).

Just out of curiosity - why has SYSTEM been stripped from permissions, and
how is replication still working? Have the computers been added to another
group that has rights?

I'll ping back here when I have more info,
--
Ned Pyle [Enterprise Platform Support - MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/info/cpyright.htm
Post by BenLimerkens
Hi all,
I hope someone can help me out. I think it's a great tool to monitor FRS for
both Sysvol and Dfs. I was able to spot and solve a couple of issues we were
having.
But anyways, I still have a problem ;-))
The problem is basically that we have set specific rights on our DFS share.
We have given Domain Users read&execute and Domain Admins full control. You
probably already see that in this way SYSTEM has no rights, meaning that the
Ultrasound provider is unable to gather data and reports an Access Denied.
This results in having no data regarding our DFS share which is a shame.
Is there a way and is this going to work, to have the usprovider.exe start
with a specific Domain account instead of SYSTEM? Then this provider would
have enough rights to read our DFS share and report data back to the
controller.
I hope it is clear and somebody can come to rescue,
Thanks,
Ben
BenLimerkens
2006-05-26 07:15:02 UTC
Permalink
Hi Ned,

What we have tried in the meanwhile we have given Everyone Read access to
the root of the DFS folder on a couple of our F/P servers to see what
happens. This gives SYSTEM also Read rights and is apparently enough for
Ultrasound to inventory the complete DFS structure.
This rights change, however, means that it starts checking each file again
against the master DFS which takes time. It does not start copying each file,
but it checks it again. With 46GB/~375000 files it takes some time :-))

Why the rights for SYSTEM have been removed, I don't know. In 2003 we
migrated our Novell F/P servers to Windows 2000 and this was done together
with HP.
I was not involved in this migration project, so I don't know if this was
suggested by us or HP. But anyway, we have given two groups rights on the DFS
root. Domain Users get Read & Execute and another group gives Full Control to
the DFS and this group contains several Domain Admins (including me).
I don't see any problems with replication with this setup, everything works
fine.

One more question, can you perhaps tell me what the default rights are when
you set up a new DFS, or the rights it should have?

Thanks for your help so far,
Ben
Post by Ned Pyle (MSFT)
Hi Ben,
I don't believe this is going to be possible, since the USProvider is
actually envoked via WMI (as SYSTEM) and is not directly configurable like a
normal Windows Service. I'm going to confirm with someone else tommorrow (or
Tuesday if they are OOF) but my review of source and the usprovider.mof are
not looking promising. Because this tool is deprecated, it's unlikely that
this can be changed going forward (FRS is dead - long live DFSR, basically).
Just out of curiosity - why has SYSTEM been stripped from permissions, and
how is replication still working? Have the computers been added to another
group that has rights?
I'll ping back here when I have more info,
--
Ned Pyle [Enterprise Platform Support - MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/info/cpyright.htm
Post by BenLimerkens
Hi all,
I hope someone can help me out. I think it's a great tool to monitor FRS for
both Sysvol and Dfs. I was able to spot and solve a couple of issues we were
having.
But anyways, I still have a problem ;-))
The problem is basically that we have set specific rights on our DFS share.
We have given Domain Users read&execute and Domain Admins full control. You
probably already see that in this way SYSTEM has no rights, meaning that the
Ultrasound provider is unable to gather data and reports an Access Denied.
This results in having no data regarding our DFS share which is a shame.
Is there a way and is this going to work, to have the usprovider.exe start
with a specific Domain account instead of SYSTEM? Then this provider would
have enough rights to read our DFS share and report data back to the
controller.
I hope it is clear and somebody can come to rescue,
Thanks,
Ben
Ned Pyle (MSFT)
2006-05-26 21:35:39 UTC
Permalink
Sounds good - at least no more errors.

Ah, on the *root folder* - I get you now. Hence why it's still replicating.
Cool. To answer your question, the default perms on a 2003 DFS Root folder
are:

Administrators - FC
Creator Owner - SP (FC on Subs)
System - FC
Users - R&E

I don't know of a scenario where removing SYSTEM from there would be useful
though. Sort of pointless at best, and breaks stuff (like you've seen) at
worst. Oh well.
--
Ned Pyle [Enterprise Platform Support - MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/info/cpyright.htm
Post by BenLimerkens
Hi Ned,
What we have tried in the meanwhile we have given Everyone Read access to
the root of the DFS folder on a couple of our F/P servers to see what
happens. This gives SYSTEM also Read rights and is apparently enough for
Ultrasound to inventory the complete DFS structure.
This rights change, however, means that it starts checking each file again
against the master DFS which takes time. It does not start copying each file,
but it checks it again. With 46GB/~375000 files it takes some time :-))
Why the rights for SYSTEM have been removed, I don't know. In 2003 we
migrated our Novell F/P servers to Windows 2000 and this was done together
with HP.
I was not involved in this migration project, so I don't know if this was
suggested by us or HP. But anyway, we have given two groups rights on the DFS
root. Domain Users get Read & Execute and another group gives Full Control to
the DFS and this group contains several Domain Admins (including me).
I don't see any problems with replication with this setup, everything works
fine.
One more question, can you perhaps tell me what the default rights are when
you set up a new DFS, or the rights it should have?
Thanks for your help so far,
Ben
Post by Ned Pyle (MSFT)
Hi Ben,
I don't believe this is going to be possible, since the USProvider is
actually envoked via WMI (as SYSTEM) and is not directly configurable like a
normal Windows Service. I'm going to confirm with someone else tommorrow (or
Tuesday if they are OOF) but my review of source and the usprovider.mof are
not looking promising. Because this tool is deprecated, it's unlikely that
this can be changed going forward (FRS is dead - long live DFSR, basically).
Just out of curiosity - why has SYSTEM been stripped from permissions, and
how is replication still working? Have the computers been added to another
group that has rights?
I'll ping back here when I have more info,
--
Ned Pyle [Enterprise Platform Support - MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/info/cpyright.htm
Post by BenLimerkens
Hi all,
I hope someone can help me out. I think it's a great tool to monitor
FRS
for
both Sysvol and Dfs. I was able to spot and solve a couple of issues we were
having.
But anyways, I still have a problem ;-))
The problem is basically that we have set specific rights on our DFS share.
We have given Domain Users read&execute and Domain Admins full control. You
probably already see that in this way SYSTEM has no rights, meaning
that
the
Ultrasound provider is unable to gather data and reports an Access Denied.
This results in having no data regarding our DFS share which is a shame.
Is there a way and is this going to work, to have the usprovider.exe start
with a specific Domain account instead of SYSTEM? Then this provider would
have enough rights to read our DFS share and report data back to the
controller.
I hope it is clear and somebody can come to rescue,
Thanks,
Ben
Ned Pyle (MSFT)
2006-05-26 21:40:05 UTC
Permalink
Dang - forgot to mention. Confirmed with the dev that provider can only be
run as system.
--
Ned Pyle [Enterprise Platform Support - MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/info/cpyright.htm
Post by Ned Pyle (MSFT)
Sounds good - at least no more errors.
Ah, on the *root folder* - I get you now. Hence why it's still
replicating. Cool. To answer your question, the default perms on a 2003
Administrators - FC
Creator Owner - SP (FC on Subs)
System - FC
Users - R&E
I don't know of a scenario where removing SYSTEM from there would be
useful though. Sort of pointless at best, and breaks stuff (like you've
seen) at worst. Oh well.
--
Ned Pyle [Enterprise Platform Support - MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/info/cpyright.htm
Post by BenLimerkens
Hi Ned,
What we have tried in the meanwhile we have given Everyone Read access to
the root of the DFS folder on a couple of our F/P servers to see what
happens. This gives SYSTEM also Read rights and is apparently enough for
Ultrasound to inventory the complete DFS structure.
This rights change, however, means that it starts checking each file again
against the master DFS which takes time. It does not start copying each file,
but it checks it again. With 46GB/~375000 files it takes some time :-))
Why the rights for SYSTEM have been removed, I don't know. In 2003 we
migrated our Novell F/P servers to Windows 2000 and this was done together
with HP.
I was not involved in this migration project, so I don't know if this was
suggested by us or HP. But anyway, we have given two groups rights on the DFS
root. Domain Users get Read & Execute and another group gives Full Control to
the DFS and this group contains several Domain Admins (including me).
I don't see any problems with replication with this setup, everything works
fine.
One more question, can you perhaps tell me what the default rights are when
you set up a new DFS, or the rights it should have?
Thanks for your help so far,
Ben
Post by Ned Pyle (MSFT)
Hi Ben,
I don't believe this is going to be possible, since the USProvider is
actually envoked via WMI (as SYSTEM) and is not directly configurable like a
normal Windows Service. I'm going to confirm with someone else tommorrow (or
Tuesday if they are OOF) but my review of source and the usprovider.mof are
not looking promising. Because this tool is deprecated, it's unlikely that
this can be changed going forward (FRS is dead - long live DFSR, basically).
Just out of curiosity - why has SYSTEM been stripped from permissions, and
how is replication still working? Have the computers been added to another
group that has rights?
I'll ping back here when I have more info,
--
Ned Pyle [Enterprise Platform Support - MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/info/cpyright.htm
Post by BenLimerkens
Hi all,
I hope someone can help me out. I think it's a great tool to monitor
FRS
for
both Sysvol and Dfs. I was able to spot and solve a couple of issues
we
were
having.
But anyways, I still have a problem ;-))
The problem is basically that we have set specific rights on our DFS share.
We have given Domain Users read&execute and Domain Admins full
control.
You
probably already see that in this way SYSTEM has no rights, meaning
that
the
Ultrasound provider is unable to gather data and reports an Access Denied.
This results in having no data regarding our DFS share which is a shame.
Is there a way and is this going to work, to have the usprovider.exe start
with a specific Domain account instead of SYSTEM? Then this provider would
have enough rights to read our DFS share and report data back to the
controller.
I hope it is clear and somebody can come to rescue,
Thanks,
Ben
BenLimerkens
2006-05-29 07:37:01 UTC
Permalink
Ok Ned,

Thanks for the useful information. I'll check with my colleagues what we'll
do to fix it.

Ben
Post by Ned Pyle (MSFT)
Dang - forgot to mention. Confirmed with the dev that provider can only be
run as system.
--
Ned Pyle [Enterprise Platform Support - MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/info/cpyright.htm
Post by Ned Pyle (MSFT)
Sounds good - at least no more errors.
Ah, on the *root folder* - I get you now. Hence why it's still
replicating. Cool. To answer your question, the default perms on a 2003
Administrators - FC
Creator Owner - SP (FC on Subs)
System - FC
Users - R&E
I don't know of a scenario where removing SYSTEM from there would be
useful though. Sort of pointless at best, and breaks stuff (like you've
seen) at worst. Oh well.
--
Ned Pyle [Enterprise Platform Support - MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/info/cpyright.htm
Post by BenLimerkens
Hi Ned,
What we have tried in the meanwhile we have given Everyone Read access to
the root of the DFS folder on a couple of our F/P servers to see what
happens. This gives SYSTEM also Read rights and is apparently enough for
Ultrasound to inventory the complete DFS structure.
This rights change, however, means that it starts checking each file again
against the master DFS which takes time. It does not start copying each file,
but it checks it again. With 46GB/~375000 files it takes some time :-))
Why the rights for SYSTEM have been removed, I don't know. In 2003 we
migrated our Novell F/P servers to Windows 2000 and this was done together
with HP.
I was not involved in this migration project, so I don't know if this was
suggested by us or HP. But anyway, we have given two groups rights on the DFS
root. Domain Users get Read & Execute and another group gives Full Control to
the DFS and this group contains several Domain Admins (including me).
I don't see any problems with replication with this setup, everything works
fine.
One more question, can you perhaps tell me what the default rights are when
you set up a new DFS, or the rights it should have?
Thanks for your help so far,
Ben
Post by Ned Pyle (MSFT)
Hi Ben,
I don't believe this is going to be possible, since the USProvider is
actually envoked via WMI (as SYSTEM) and is not directly configurable like a
normal Windows Service. I'm going to confirm with someone else tommorrow (or
Tuesday if they are OOF) but my review of source and the usprovider.mof are
not looking promising. Because this tool is deprecated, it's unlikely that
this can be changed going forward (FRS is dead - long live DFSR, basically).
Just out of curiosity - why has SYSTEM been stripped from permissions, and
how is replication still working? Have the computers been added to another
group that has rights?
I'll ping back here when I have more info,
--
Ned Pyle [Enterprise Platform Support - MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/info/cpyright.htm
Post by BenLimerkens
Hi all,
I hope someone can help me out. I think it's a great tool to monitor
FRS
for
both Sysvol and Dfs. I was able to spot and solve a couple of issues
we
were
having.
But anyways, I still have a problem ;-))
The problem is basically that we have set specific rights on our DFS share.
We have given Domain Users read&execute and Domain Admins full
control.
You
probably already see that in this way SYSTEM has no rights, meaning
that
the
Ultrasound provider is unable to gather data and reports an Access Denied.
This results in having no data regarding our DFS share which is a shame.
Is there a way and is this going to work, to have the usprovider.exe start
with a specific Domain account instead of SYSTEM? Then this provider would
have enough rights to read our DFS share and report data back to the
controller.
I hope it is clear and somebody can come to rescue,
Thanks,
Ben
Loading...