Non-Domain Admin Unable to Modify Quota after Server Hardening

Problem…

After server hardening, one will usually encounter some problems, especially old software that can no longer be run by a non-administrator. This is one scenario I encountered a long time ago, which I think I should share as I did not find this solution online.

In my environment, we are still using Veritas Storage Exec 5.2 or 5.3 to manage quotas, and sad to say, the Domain Controller box is also the File Server! After the server was hardened, we found that a non-domain-admin engineer was not able to modify the quota policy anymore!

When we tested modifying the quota using a non-domain-admin account, the error message encountered was “A required privilege is not held by the client”.


How to resolve?

Since the server was hardened using the Microsoft Security Configuration Wizard, we looked into solving it by configuring the Group Policy Object using gpedit.

Side track a bit… If one reads the Storage Exec setup guide, you may add the SCWRITE group to the local Administrators group. This way, anyone who is in the group will have the rights to amend the quota policy. However, in my scenario, I am not able to do so as the server is also a Domain Controller! So, what we found was to add the SCWrite group to the following entry in the Default Domain Controller Group Policy:

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Adjust memory quotas for a process.


Not to forget, I had to add the engineer's domain account to the SCWrite group, and the problem was solved!

By the way, you will have to follow the guide to grant rights to the Storage Exec program folders and the registry key too!

Now… I wonder, will FSRM encounter this issue too?
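One way to confirm the change took effect, as an added example that is not part of the original post: the script exports the effective user rights with `secedit` and checks that the SCWrite group holds `SeIncreaseQuotaPrivilege`, the privilege constant behind "Adjust memory quotas for a process". The scratch file path is an assumption.

```powershell
# Added example: verify that the SCWrite group holds
# "Adjust memory quotas for a process" (SeIncreaseQuotaPrivilege) on this server.
$GroupName = 'SCWrite'                    # group name as used in the post
$Right     = 'SeIncreaseQuotaPrivilege'   # constant behind the GPO entry
$cfg       = Join-Path $env:TEMP 'user_rights.inf'   # scratch path (assumption)

# Export the merged (domain + local) user rights assignment to an INF file.
secedit /export /mergedpolicy /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "secedit export failed (exit $LASTEXITCODE); run from an elevated prompt."
}

# The INF holds one line per right: SeXxxPrivilege = *SID,*SID,name,...
$line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
Remove-Item $cfg -Force
if (-not $line) { throw "$Right is not assigned to anyone in the exported policy." }

# Resolve each entry to an account name; entries prefixed with '*' are SIDs.
$holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
    $entry = $_.Trim()
    if ($entry.StartsWith('*')) {
        $sid = $entry.TrimStart('*')
        try {
            $obj = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $obj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # unresolvable SID (e.g. deleted account): show it raw
    } else { $entry }
}

"Accounts holding ${Right}:"
$holders | ForEach-Object { "  $_" }

# Match 'SCWrite' or 'DOMAIN\SCWrite' (case-insensitive).
$pattern = "(^|\\)$([regex]::Escape($GroupName))$"
if ($holders | Where-Object { $_ -match $pattern }) {
    "$GroupName holds the right."
} else {
    Write-Warning "$GroupName does not hold $Right; check the GPO and refresh policy."
}
```

Run it in an elevated session after Group Policy has refreshed. The engineer has to log on again before the new group membership and privilege show up in their token, which `whoami /priv` will confirm.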
