Unable to change DEP setting with Domain Privilege User

    Question

  • Hello,

    I have a user who is part of the Domain Admins group. When logged in with that user on a domain controller, I am able to change the Data Execution Prevention settings and can add exceptions, but if I log in with the same user on a member server to change the DEP settings, it won't allow me; the DEP settings are grayed out. Below is the screenshot for your reference.

    I have tried adding the mentioned user to the local Administrators group, but it is not working.

    My DEP level is set to /nonexecute=optout 

    Request your help on the same.


    Thanks & Regards, Abhijit Deshpande 


    Saturday, March 30, 2013 9:12 AM

Answers

  • Hi Abhijit,

    You can certainly ask them to make the change as a workaround, but it'd obviously be nice to resolve the underlying issue. That said, I don't know what else to suggest at this point in time.

    The fact that you're saying this is also an issue on Server 2003 throws more doubt into my mind as the UAC was only introduced with Server 2008 and Vista, i.e. there's no such component on Server 2003.

    Also, that the boot configuration changed from being stored in the boot.ini file to the configuration store between Server 2003 and Server 2008 only serves to highlight the degree of separation between the XP/2003 and Vista/Server 2008 generations.

    I'm sorry I couldn't be of assistance on this topic, but do let us know if you manage to resolve the issue.

    Cheers,
    Lain

    Monday, April 01, 2013 9:37 AM

All replies

  • Hi Abhijit,

    Does your hardware support DEP, and if so, is it enabled in the BIOS? On Intel, this will be referred to as "execute disable" (XD), while on AMD this will be referred to as "no execute" (NX).

    If you're unsure, try running Coreinfo.exe from Mark Russinovich, which you can download from here. Use the "coreinfo -f" switch. If it has an asterisk (*) next to the NX entry, your hardware supports it, in which case something else is the issue.

    Cheers,
    Lain

    Saturday, March 30, 2013 10:16 AM
  • Hi Lain,

    Thanks for your reply. I have checked, and DEP is supported by the hardware. A week ago it was working, and now it has suddenly stopped working.

    I am able to change the setting with the Administrator login but not with a user who is a member of the Domain Admins group or the Administrators group.


    Thanks & Regards,

    Abhijit Deshpande 

    Saturday, March 30, 2013 10:25 AM
  • Hi Abhijit,

    That makes it sound like someone's stripped the rights out. Try launching a command prompt and running the following command:

    whoami /groups | findstr /i admini

    If you are a local administrator, you will get a line back that begins with "BUILTIN\Administrators". If you do not see this line, then your account no longer has locally administrative rights, despite being in the Domain Admins group.

    Cheers,
    Lain

    Saturday, March 30, 2013 10:39 AM
  • Hi Lain,

    I executed the command and got the output below.

    C:\Users\test>whoami /groups | findstr /i admini

    BUILTIN\Administrators                        Alias            S-1-5-32-544 Group used for deny only


    Thanks & Regards, Abhijit Deshpande 


    Saturday, March 30, 2013 10:44 AM
  • Hi Abhijit,

    My apologies. I should have asked you to ensure you launched that command prompt as an administrator. The "Group used for deny only" should not be there.

    Cheers,
    Lain

    Saturday, March 30, 2013 10:50 AM
  • Hi Lain,

    Please find the output below.

    C:\Windows\system32>whoami /groups | findstr /i admini


    BUILTIN\Administrators                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner

    C:\Windows\system32>


    Thanks & Regards, Abhijit Deshpande 


    Saturday, March 30, 2013 10:54 AM
  • Hi Abhijit,

    Okay, everything looks in order. The only suggestion I have is to try launching the control panel applet directly just to confirm you're not dealing with a UAC behaviour configured via group policy, or something of that nature.

    From that same elevated command prompt, try running the following and seeing if the DEP radio buttons become active:

    sysdm.cpl

    That should open the System control panel applet, from which you can navigate to the Advanced tab, Performance section, Advanced button and finally the DEP tab.

    Cheers,
    Lain

    Saturday, March 30, 2013 11:52 AM
  • Hi Lain,

    I have tried the option suggested by you, but the situation is still the same. It is still grayed out and only works with the administrator login.


    Thanks & Regards, Abhijit Deshpande 


    Saturday, March 30, 2013 12:00 PM
  • Hi Abhijit,

    I've got to admit, I'm pretty much all out of ideas now that you've run through those diagnostics. The only thing coming to mind at the moment is to check the registry permissions on the key that contains the DEP setting.

    Run regedit.exe as an administrator and check the permissions on the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\NoExecuteState

    The local Administrators group should be in there with full control for that key and all subkeys.

    I had a look at the group policy settings that relate to the UAC behaviour again, and I can't see any there that would result in the behaviour that you're seeing. You can have a look yourself in the local group policy editor under:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

    Then look for the settings at the end of the list that begin with "User Account Control". As a point of reference, I have these defaults on a Server 2008 R2 host:

    UAC defaults

    Cheers,
    Lain

    Saturday, March 30, 2013 12:21 PM
    Hi Lain,

    Thanks for your help. As suggested, the local Administrators group has full control of the key.

    Well, I just want to confirm: can DEP be changed by a domain user who is part of the Domain Admins group? Because it says you must be an administrator to change the setting. That is something that confuses me.


    Thanks & Regards, Abhijit Deshpande 


    Saturday, March 30, 2013 12:28 PM
  • Hi Abhijit,

    Generally, yes. By default, the Domain Admins group is a member of the local Administrators group on a member server (member servers are implicitly domain-joined, as opposed to a workgroup or stand-alone server).

    Furthermore, you've confirmed above with the "whoami" command that your account does indeed have the administrative bit set in your logon token, so there shouldn't be any issue with the Domain Admins group being present in the local Administrators group.

    As a cross reference, what you could do is try two other tests:

    1. Create a new local user on the member server, add it into the local Administrators group, log on as that account and see if the DEP radio buttons are available;
    2. Grab a regular domain user account that is not in any privileged groups such as Domain Admins, add that to the local Administrators group on the member server, log on as that user and see if the DEP options are available.

    Also, are any other options disabled in the system control panel applet?

    Cheers,
    Lain

    Saturday, March 30, 2013 1:04 PM
  • Hello,

    Have you tried the command line way with an elevated command prompt (Run as Administrator):

    "bcdedit.exe /set {current} nx AlwaysOff" and to turn on use "bcdedit.exe /set {current} nx AlwaysOn"


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Sunday, March 31, 2013 4:51 PM
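  • Lain's whoami / "Group used for deny only" diagnosis, his registry-permission check on the NoExecuteState key, and Meinolf's bcdedit suggestion can be rolled into one read-only PowerShell diagnostic. The script below is an added example and is not code from anyone in this thread; the registry path is the one Lain quoted, the Win32_OperatingSystem DEP properties and the .NET WindowsPrincipal API are real, and everything else (function names, messages, the 0–3 policy mapping comment) is the example's own.

```powershell
# Added example (not from the thread). Run it once from a normal prompt and once
# from an elevated prompt and compare the "State" line: a filtered token is what
# the first whoami output in this thread showed ("Group used for deny only").

$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
# Registry key quoted in Lain's post.
$depKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\NoExecuteState'

function Get-TokenAdminState {
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    # Groups lists every SID in the token, including ones flagged "used for deny only"
    $inGroup  = [bool]($id.Groups | Where-Object { $_.Equals($adminSid) })
    # IsInRole honours the deny-only attribute, so it is $false for a UAC-filtered token
    $elevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    $state = if ($elevated) { 'Elevated: BUILTIN\Administrators is enabled in the token' }
             elseif ($inGroup) { 'Filtered: BUILTIN\Administrators is present but deny-only (UAC admin approval mode)' }
             else { 'Not a member of BUILTIN\Administrators at all' }
    New-Object PSObject -Property @{
        User             = $id.Name
        InAdministrators = $inGroup
        Elevated         = $elevated
        State            = $state
    }
}

function Get-DepPolicy {
    # Win32_OperatingSystem exposes hardware support and the boot-time DEP policy
    $os = Get-WmiObject Win32_OperatingSystem
    # SupportPolicy values: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    # bcdedit refuses to run without elevation; fall back to a marker instead of failing
    $nx = 'n/a (bcdedit needs an elevated prompt)'
    $m  = bcdedit /enum '{current}' 2>$null | Select-String -Pattern '^\s*nx\s+(\S+)'
    if ($m) { $nx = $m.Matches[0].Groups[1].Value }
    New-Object PSObject -Property @{
        HardwareSupport = $os.DataExecutionPrevention_Available
        WmiPolicy       = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        BcdNx           = $nx
    }
}

function Test-DepKeyAcl {
    if (-not (Test-Path $depKey)) { return 'NoExecuteState key not present on this build' }
    $acl  = Get-Acl -Path $depKey
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    # Look for an Allow ACE granting Administrators full control (explicit or inherited)
    $rule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full)
    }
    if ($rule) { 'BUILTIN\Administrators has Allow:FullControl on the key' }
    else       { 'BUILTIN\Administrators is missing FullControl on the key' }
}

Get-TokenAdminState | Format-List User, InAdministrators, Elevated, State
Get-DepPolicy       | Format-List HardwareSupport, WmiPolicy, BcdNx
Test-DepKeyAcl
```

    If the token section reports "Filtered" even from a prompt launched with "Run as administrator", the elevation itself is being denied, which points at UAC policy rather than at group membership or at the DEP key's ACL; if it reports "Elevated" and the ACL check passes, the grayed-out dialog is not explained by the permissions checked in this thread.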
    Hi Meinolf,

    I have already tried the said command. Also, as suggested by Lain, I have tried creating a local user and making it part of the Administrators group, but I am still not able to make changes. It is still grayed out.

    Well, I asked the application owner to log in with the local administrator and change the settings if required.


    Thanks & Regards,

    Abhijit Deshpande 


    Monday, April 01, 2013 6:11 AM
  • Hi Abhijit,

    If it's still happening with other local accounts then it feels in my mind that you're waging war against the UAC - specifically the admin approval mode.

    Perhaps you can do me a favour and check the following setting. Go to:

    • Control Panel\User Accounts\Change User Account Control settings.
    • Ensure the slider is set to the second position from the top, labelled "Default - Notify me only when programs try to make changes to my computer".
    • Accept those settings and close out of the Control Panel.

    Then try going back into the DEP settings area. You should be prompted this time around (so long as you're not using the local or domain Administrator account) by the UAC when opening the system properties, and if that happens, I'm hoping you also see the options become available within the DEP dialog.

    Cheers,
    Lain

    Monday, April 01, 2013 6:55 AM
  • Hi Lain,

    PFA UAC settings for your information. 

    The setting has been there from the start. But still the option is grayed out. And I just came to know that the option is not working on 2K3 member servers either; though the user is part of the Administrators group, it only works with the administrator login.

    Well, as I said, I have asked the team to log in with the local admin and change the settings whenever required.


    Thanks & Regards, Abhijit Deshpande 


    Monday, April 01, 2013 7:37 AM
  • Hi Lain,

    It was really nice troubleshooting, and I learned the steps from you. Thanks for your support. I am also working on it toward closure. If I find any solution, I will definitely post it in this thread.


    Thanks & Regards,

    Abhijit Deshpande


    Monday, April 01, 2013 9:52 AM