Patches failed - can't change permissions via secpol

I am working in an AD win2k3 R2 SP2 domain with a PDCE and a DC.

I just tried to update patches on the DC logged in as a Domain admin and most of the patches failed. When I checked, it was insufficient privs.

I launched secpol to try to verify permissions for the account I was using and when I opened 'user rights assignment' there was an info note at the bottom of the pane that said "this setting is not compatible with computers running windows 2000" and the option to add users was grayed out. As I mentioned before, we're running Win2k3 R2 SP2.

This may (or may not) also tie in with a problem I discovered earlier in the day. I tried to add a new GPO (from the PDCE) and got a "This security ID may not be assigned as the owner of this object".

Any ideas?

Thanks for your help.



All Answers

possible fix

In reply to Patches failed - cant cha ...


I found this reported fix on another forum. I'm not sure what it does and I
don't want to indiscriminately put it on my domain controller. Is anyone
familiar with this? Are these safe settings to apply?

Thanks for your input.

For all you people out there still having this problem (like I did recently),
here's the fix!
Just put this in a BAT file:

@echo off
echo Privilege fix by Vincent Koeman (RKTOOLS.EXE needs to be installed)
echo See: (First link)
ntrights.exe -u "%USERNAME%" +r SeAssignPrimaryTokenPrivilege
ntrights.exe -u "%USERNAME%" +r SeAuditPrivilege
ntrights.exe -u "%USERNAME%" +r SeBackupPrivilege
ntrights.exe -u "%USERNAME%" +r SeBatchLogonRight
ntrights.exe -u "%USERNAME%" +r SeChangeNotifyPrivilege
ntrights.exe -u "%USERNAME%" +r SeCreateGlobalPrivilege
ntrights.exe -u "%USERNAME%" +r SeCreatePagefilePrivilege
ntrights.exe -u "%USERNAME%" +r SeCreatePermanentPrivilege
ntrights.exe -u "%USERNAME%" +r SeCreateTokenPrivilege
ntrights.exe -u "%USERNAME%" +r SeDebugPrivilege
ntrights.exe -u "%USERNAME%" +r SeEnableDelegationPrivilege
ntrights.exe -u "%USERNAME%" +r SeImpersonatePrivilege
ntrights.exe -u "%USERNAME%" +r SeIncreaseBasePriorityPrivilege
ntrights.exe -u "%USERNAME%" +r SeIncreaseQuotaPrivilege
ntrights.exe -u "%USERNAME%" +r SeInteractiveLogonRight
ntrights.exe -u "%USERNAME%" +r SeLoadDriverPrivilege
ntrights.exe -u "%USERNAME%" +r SeLockMemoryPrivilege
ntrights.exe -u "%USERNAME%" +r SeMachineAccountPrivilege
ntrights.exe -u "%USERNAME%" +r SeNetworkLogonRight
ntrights.exe -u "%USERNAME%" +r SeProfileSingleProcessPrivilege
ntrights.exe -u "%USERNAME%" +r SeRemoteShutdownPrivilege
ntrights.exe -u "%USERNAME%" +r SeRestorePrivilege
ntrights.exe -u "%USERNAME%" +r SeSecurityPrivilege
ntrights.exe -u "%USERNAME%" +r SeServiceLogonRight
ntrights.exe -u "%USERNAME%" +r SeShutdownPrivilege
ntrights.exe -u "%USERNAME%" +r SeSyncAgentPrivilege
ntrights.exe -u "%USERNAME%" +r SeSystemEnvironmentPrivilege
ntrights.exe -u "%USERNAME%" +r SeSystemProfilePrivilege
ntrights.exe -u "%USERNAME%" +r SeSystemtimePrivilege
ntrights.exe -u "%USERNAME%" +r SeTakeOwnershipPrivilege
ntrights.exe -u "%USERNAME%" +r SeTcbPrivilege
echo Privileges fixed!

Good luck

>Specifically, we are getting 0x8007f004 errors.
[quoted text clipped - 22 lines]
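
One way to review a batch file like the one quoted above before running it on a domain controller, as an added example that is not part of the thread or of the Resource Kit: it parses the ntrights lines and separates out the rights that let the holder act as another security principal or bypass file permissions. The HIGH_RISK classification, the function names and the sample input are assumptions of this example.

```python
import re

# Assumed classification for this example: rights that let the holder act as
# SYSTEM or another user, or read/write files regardless of their ACLs.
HIGH_RISK = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeCreateTokenPrivilege": "Create a token object",
    "SeDebugPrivilege": "Debug programs",
    "SeLoadDriverPrivilege": "Load and unload device drivers",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
    "SeBackupPrivilege": "Back up files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeEnableDelegationPrivilege": "Enable computer and user accounts to be trusted for delegation",
}

# Matches: ntrights.exe -u "<account>" +r <right>   (or -r to revoke)
NTRIGHTS = re.compile(
    r'^\s*ntrights(?:\.exe)?\s+-u\s+("[^"]+"|\S+)\s+([+-])r\s+(\S+)', re.IGNORECASE)

def parse_ntrights(script_text):
    """Return (account, op, right) for every ntrights line in a batch file."""
    found = []
    for line in script_text.splitlines():
        m = NTRIGHTS.match(line)
        if m:
            found.append((m.group(1).strip('"'), m.group(2), m.group(3)))
    return found

def review(script_text):
    """Split the rights a script would grant into high-risk and other."""
    risky, other = [], []
    for account, op, right in parse_ntrights(script_text):
        if op == "+":  # only grants matter here; revocations are skipped
            (risky if right in HIGH_RISK else other).append((account, right))
    return risky, other

# Constructed sample: a few lines in the same form as the batch file in the thread.
SAMPLE = """@echo off
ntrights.exe -u "%USERNAME%" +r SeChangeNotifyPrivilege
ntrights.exe -u "%USERNAME%" +r SeDebugPrivilege
ntrights.exe -u "%USERNAME%" +r SeInteractiveLogonRight
ntrights.exe -u "%USERNAME%" +r SeTcbPrivilege
echo Privileges fixed!
"""

if __name__ == "__main__":
    risky, _ = review(SAMPLE)
    for account, right in risky:
        print("REVIEW %s -> %s (%s)" % (account, right, HIGH_RISK[right]))
```

Passing the text of the full batch file to review() gives the same split for every line in it.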

In reply to possible fix

At a suggestion from the nice folk at, I did a whoami /priv and /group on the account I was using.

The results seemed like the account was lacking a lot of privs to me; it only showed enabled privs for

SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled

even though it was a member of domain admins and enterprise admins.

For giggles I logged into a domain admin account that had been created on that domain, rather than one that had been migrated from our NT domain and given domain admin privs. I attempted to apply patches and this time it was SUCCESSFUL! And, I tried creating a GPO, and that was successful as well!

However, when I ran WhoAmI /Priv, it showed the same privs as the other account had!

Does anyone know why this would be?

