Mark
10-03-2006, 03:00 AM
This is an OLD post, but it was never answered, and I ran into the same
issue. However, I found a solution, so I'm posting it so hopefully
others can benefit, too! (Or, who knows, I may forget, search for it
again in a few years, and find my own answer! :-)
The problem appears to be that the limited user attempting to run EPAL
doesn't have the necessary permissions to read the file hash for the
desired program out of Active Directory. I got this same error running
as a standard Domain User, but not a Domain Administrator. Maybe the
default AD permissions were different and this worked under Windows
2000, but I definitely reproduced this under Windows 2003.
Assuming I have a program called "XYZ", EPAL will create a group called
"XYZ Application Users" and a "service account" called "XYZ". The best
method of solving this appears to be granting any members of "XYZ
Application Users" "read" permissions to the "XYZ" AD object. (Granting
read to all Domain Users for the "XYZ" account would also work, but the
entire need for EPAL is that many applications don't properly respect the
rule of least privilege, so why should this be any different? :-)
Interestingly, it seems that the full "Read" permission is what is
required to make this properly work. (Selecting Read also forces "Read
Account Restrictions", "Read General Information", and all the other
generic sub-"Read" categories to be selected. Under advanced, this is
reflected as "Read All Properties".) I had thought that selecting only
"Read wbemPath" under the Properties tab for apply onto "account
objects" would be sufficient, seeing how the file hashes are supposedly
stored here, per the single MS page on this tool:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/epal.mspx
Best of luck!
--
Mark A. Ziesemer
www.ziesemer.com
Dan Salmon wrote:
> From: "Dan Salmon" <dan.sal...@norstan.com>
> Subject: EPAL errors
> Date: Wed, 9 Oct 2002 13:50:13 -0700
> Newsgroups: microsoft.public.win2000.applications
> We are testing EPAL, Microsoft Elevate Privileges
> Application Launcher, and we have a problem we cannot
> resolve. Within our environment, all users are set as
> power user on their workstations. Defrag will not run
> under power user. Using EPAL we have setup the proper
> groups and users. When the application is run using EPAL
> we receive this error, Could not retrieve file hash
> list. To determine if it was particular to this
> application we tried an application that power user can
> run, freecell.exe. We received the same error. This
> points us to a problem with EPAL or our configuration.
> The logs of the 2 instances are attached.
> Is there something we are missing or have overlooked?
> All installation work was done as domain admin
> equivalent.
> Thank you,
> Dan
> freecell.exe
> +Command line:
> verbose: Y
> setup: N
> admin: N
> file signiture: N
> profile: N
> domain:
> container: ou=EPAL,ou=Administrative
> program: c:\windows\system32\freecell.exe
> +Checking for event source registration
> +Getting path for current user
> +Current user path: LDAP://CN=user\,
> test.,OU=Users,OU=NIS,OU=Corporate,DC=lab,DC=com
> +OPERATION: Launch
> USER: LDAP://CN=user\,
> test,OU=Users,OU=NIS,OU=Corporate,DC=lab,DC=com
> PROGRAM: c:\windows\system32\freecell.exe
> RESULT:
> +DS Path: LDAP://ou=EPAL,ou=Administrative,DC=lab,DC=com
> +Retrieved DS object
> +Performing user operations
> +Getting path for current user
> +Current user path: LDAP://CN=user\,
> test,OU=Users,OU=NIS,OU=Corporate,DC=lab,DC=com
> +Parsing out appname from path
> +Checking the group:
> LDAP://CN=freecell Application
> Users,ou=EPAL,ou=Administrative,DC=lab,DC=com
> for the member:
> LDAP://CN=user\,
> test,OU=Users,OU=NIS,OU=Corporate,DC=lab,DC=com
> +Comparing:
> {DC6A309E-0A00-4109-B963-FD4759F16034}
> {DC6A309E-0A00-4109-B963-FD4759F16034}
> +FOUND -- LDAP://CN=user\,
> test,OU=Users,OU=NIS,OU=Corporate,DC=lab,DC=com
> is a member of
> {DC6A309E-0A00-4109-B963-FD4759F16034}
> +Parsing out appname from path
> +Current user is a member of freecell Application Users
> +Retrieving application user account
> +An original hash has been created
> +Retrieving object name
> +Parsing out appname from path
> +Retrieved app user account:
> LDAP://CN=freecell,ou=EPAL,ou=Administrative,DC=lab,DC=com
> +Retrieving file hash list
> Could not retrieve file hash list.
> Error: Unknown error 0x8000500D (-2147463155)
> ----------------------------------------------------------
> -----------------------------------------
> defrag.exe
> +Command line:
> verbose: Y
> setup: N
> admin: N
> file signiture: N
> profile: N
> domain:
> container: ou=EPAL,ou=Administrative
> program: c:\windows\system32\defrag.exe
> +Checking for event source registration
> +Getting path for current user
> +Current user path: LDAP://CN=user\,
> test,OU=Users,OU=NIS,OU=Corporate,DC=lab,DC=com
> +OPERATION: Launch
> USER: LDAP://CN=user\,
> test,OU=Users,OU=NIS,OU=Corporate,DC=lab,DC=com
> PROGRAM: c:\windows\system32\defrag.exe
> RESULT:
> +DS Path: LDAP://ou=EPAL,ou=Administrative,DC=lab,DC=com
> +Retrieved DS object
> +Performing user operations
> +Getting path for current user
> +Current user path: LDAP://CN=user\,
> test,OU=Users,OU=NIS,OU=Corporate,DC=lab,DC=com
> +Parsing out appname from path
> +Checking the group:
> LDAP://CN=defrag Application
> Users,ou=EPAL,ou=Administrative,DC=lab,DC=com
> for the member:
> LDAP://CN=user\,
> test,OU=Users,OU=NIS,OU=Corporate,DC=lab,DC=com
> +Comparing:
> {DC6A309E-0A00-4109-B963-FD4759F16034}
> {DC6A309E-0A00-4109-B963-FD4759F16034}
> +FOUND -- LDAP://CN=user\,
> test,OU=Users,OU=NIS,OU=Corporate,DC=lab,DC=com
> is a member of
> {DC6A309E-0A00-4109-B963-FD4759F16034}
> +Parsing out appname from path
> +Current user is a member of defrag Application Users
> +Retrieving application user account
> +An original hash has been created
> +Retrieving object name
> +Parsing out appname from path
> +Retrieved app user account:
> LDAP://CN=defrag,ou=EPAL,ou=Administrative,DC=lab,DC=com
> +Retrieving file hash list
> Could not retrieve file hash list.
> Error: Unknown error 0x8000500D (-2147463155)
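The ACL change Mark describes, as an added example (not part of the thread, and not Microsoft's EPAL code): it grants the "&lt;app&gt; Application Users" group Read on the EPAL service-account object and then checks the result. It assumes the container and domain from Dan's logs (ou=EPAL,ou=Administrative,DC=lab,DC=com), a NetBIOS domain name of "LAB", the application name "freecell", and that the ActiveDirectory PowerShell module is installed on the admin box; whether the hash list really lives in wbemPath is only what Mark inferred from the EPAL page.

```powershell
# Added example: grant the EPAL application group Read on the EPAL
# service-account object, then verify. Assumed values: NetBIOS domain
# "LAB", app name "freecell", container from the thread's logs.
$App       = 'freecell'
$Container = 'OU=EPAL,OU=Administrative,DC=lab,DC=com'
$AppDn     = "CN=$App,$Container"
$Group     = "LAB\$App Application Users"

# dsacls ships with the AD admin tools. /G grants an ACE; GR is Generic
# Read, i.e. "Read All Properties" in the GUI, which is what the thread
# found necessary (a single property read like wbemPath was not enough).
dsacls $AppDn /G "${Group}:GR"

# Confirm the ACE landed on the object (ActiveDirectory module, AD: drive).
Import-Module ActiveDirectory
$acl = Get-Acl -Path "AD:\$AppDn"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# Confirm the symptom is gone: read the object as a member of the group
# (e.g. under "runas /user:LAB\testuser powershell"). Before the grant,
# ADSI hands back 0x8000500D, E_ADS_PROPERTY_NOT_FOUND, because the
# caller cannot see the attribute; afterwards the value is returned.
$obj = [ADSI]"LDAP://$AppDn"
$obj.Properties['wbemPath'].Value
```

Membership in the group is only the gate EPAL itself checks; the directory ACL is the second gate, which is why the verbose log passes the group comparison and then fails on "Retrieving file hash list".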