kamalblogs: Setting default object owner as Object creator in Window server 2008 for AIF in Dynamics Ax

[Blog bot]

Источник: http://kamalblogs.wordpress.com/2010...n-dynamics-ax/
==============

I hope if you are an AIF user and uses file system adapter, then the following lines might be very familiar to you “The default owner for objects created by members of the Administrators group must be set to the object creator.”

If you are using Window Server 2003 then you are saved as the msdn link herehttp://tinyurl.com/2u97wz8 can help you do that. But if you are having Windows server 2008 i think you will be in trouble. The concept behind this “default owner” has undergone some changes. We encountered this problem. As a saving grace our team was able to find out the way to fix this. I have given the procedure for this below follow it set default owner as object creator.

How to manage in windows server 2008 :

1. Log on to the Windows Server 2008 as a local administrator.
2. Make a backup copy of the c:\windows\inf\Sceregvl.inf file (security template containing system objects security policies) and save it somewhere safe and securely.
3. The Sceregvl.inf file was owned by the internal user TrustedInstaller and the local Administrators group only had ‘Read and execute’ and ‘Read’ only access to the file. So first, take ownership of the file and then gave it full access rights in order to edit it successfully:
Using windows explorer, secondary mouse click on the c:\windows\inf\Sceregvl.inf file and select ‘Properties’

• Click on the ‘Security’ tab
• Click the ‘Advanced’ button
• Click the ‘Owner’ tab
• Click the ‘Edit…’ button
• Under “Change Owner to:” box, highlight the ‘Administrators’ group and click on OK
• Read the Windows Security message window that pops up and click on
• Click OK to close “Advanced Security Settings for Sceregvl.inf” form.
• Click OK to close “Sceregvl.inf Properties” form.

4. Give the local Administrators group ‘Full Access’ to the Sceregvl.inf file:

• Using windows explorer secondary mouse click on the c:\windows\inf\Sceregvl.inf file and select ‘Properties’
• Click on the ‘Security’ tab
• Click on the ‘Edit…’ button
• Under “Group or User names:” box, highlight the ‘Administrators’ group
• Under the “Permissions for Administrators:” box select ‘Full control’, under the Allow column and click OK
• Click OK to close “Sceregvl.inf Properties” form.

5. Next we edit the c:\windows\inf\Sceregvl.inf file in Notepad and add in the missing setting as follows (in notepad first remove the ‘Word Wrap’ option in the ‘Format’ menu if it is selected):

Copy the line below which should all be in one big SINGLE line (with no preceding or trailing white spaces):
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\nodefaultadminowner,3,”System objects: Default owner for objects created by members of the Administrators group”,3,0|Administrators group,1|Object Creator
Paste the line just BELOW the following line in the Sceregvl.inf file:
MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy,4,%SCENoApplyLegacyAuditPolicy%,0

6. Save the changes to the Sceregvl.inf file and exit Notepad.
7. Reset the file ownership and access permissions for c:\windows\inf\Sceregvl.inf file back to the defaults:

• Using windows explorer secondary mouse click on the c:\windows\inf\Sceregvl.inf file and select ‘Properties’
• Click on the ‘Security’ tab
• Click on the ‘Advanced’ button
• Click on the ‘Owner’ tab
• Click on the ‘Edit…’ button
• Click ‘Other users or groups…’ button
• Click the ‘Locations…’ button
• Under “Locations:” box, highlight our local computer name and click on OK.
• n the “Select Users or Group” Form under “Enter the object name to select:” box type in NT SERVICE\TrustedInstaller and click OK
• In “Advanced Security Settings for Sceregvl.inf” window, under the “Change Owner to:” box highlight the ‘TrustedInstaller’ account and click on OK
• Read the Windows Security message form that is displayed and click on OK
• Click OK to close “Advanced Security Setting for Sceregvl.inf” form
• Click OK to close “Sceregvl.inf Properties” form.

8. Reset the file access permissions for c:\windows\inf\Sceregvl.inf file back to the defaults for the local administrators group:

• Using windows explorer secondary mouse click on the c:\windows\inf\Sceregvl.inf file and select ‘Properties’
• Click on the ‘Security’ tab
• Click on the ‘Edit…’ button
• Under “Group or User names:” box, highlight the ‘Administrators’ group
• Under the “Permissions for Administrators:” box and under the ‘Allow’ column DESELECT all the check boxes and select only ‘Read & execute’ and ‘Read’ and click OK
• Click OK to close “Sceregvl.inf Properties” form.

9. Next we re-register the client side extension for group policy scecli.dll by running an elevated command prompt and running: REGSVR32 scecli.dll
The regsvr32 message window is displayed. Ensure it was successfully registered and click on OK
10. We are now able to view the Group Policy template “System objects: Default owner for objects created by members of the Administrators group” in the ‘Local Security Policy’ Administrative Tools MMC (or if it is a domain controller then the template will be visible in the ‘Domain Controller Security Policy’ Administrative Tools MMC). We were able to set the policy value to “Object Creator” just like we could on a Windows Server 2003 system. How to set the security policy, see the instructions for windows 2003 server.





Источник: http://kamalblogs.wordpress.com/2010...n-dynamics-ax/

[Vadik]

Another one not so cool but much more simple and secure solution would be to avoid using administrative accounts for the processes creating files in AIF inbound folder. Same rule can be applied to any AX service account