GPP File Copy problem with new Windows updates?

[Mayo, Bill]

We suddenly have long-standing GPP file copy items failing with “access denied 0x80070005”. These have been in place for years. They were running under user context and permissions are definitely there—a manual copy works with no issues. After much troubleshooting, got them working again by removing the checkbox to run under user context and giving computer accounts permissions. In other words, works under computer security context but not user security context, although permissions are definitely allowing the latter.

 

The timing of this ties in quite neatly with applying the latest round of Microsoft updates on domain controllers. All my googling points back to things I understand pretty well, essentially “your file/share permissions aren’t correct”. I don’t right off find anything to suggest there has been a security change in updates that would cause this, but I am leaning that direction.

 

Is anybody else seeing this or is there some kind of known change with the way “run in logged-on user’s security context” with the latest Windows udpates?

 

Bill Mayo

[Jim Kennedy]

 

That was an issue in September’s KB5017308

 

The google link is not a slam, just collecting articles for you.

 

https://www.google.com/search?q=KB5017308+file+copy&sxsrf=ALiCzsbFzbO9SqnBVFmrqxZcYLVUm7JOPQ%3A1663855485958&ei=fWssY5yUOrimptQPjugX&ved=0ahUKEwjcxsrZyKj6AhU4k4kEHQ70BQAQ4dUDCA4&uact=5&oq=KB5017308+file+copy&gs_lcp=Cgdnd3Mtd2l6EAMyBQgAEKIEMgUIABCiBDIFCAAQogQ6BAgjECc6BQghEKsCSgQIQRgASgQIRhgAUABYwBRg2BZoAHABeACAAdEBiAGlDZIBBjAuMTAuMZgBAKABAqABAcABAQ&sclient=gws-wiz

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/e4b48612002d4dda854302916a84c0c4%40pittcountync.gov.

CAUTION: This email originated from outside of the organization. Do not click any links or open any attachments unless you trust the sender and know the content is safe.

[Jim Kennedy]

And the fix you discovered is what everyone is doing.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/BL1PR11MB5509641F0ED91888E422C8ABF64E9%40BL1PR11MB5509.namprd11.prod.outlook.com.

[Mayo, Bill]

Jim, thank you so much. I obviously didn’t google the right terms and this is very helpful.

 

From: 'Jim Kennedy' via ntsysadmin <ntsys...@googlegroups.com>
Sent: Thursday, September 22, 2022 10:07 AM
To: ntsys...@googlegroups.com
Subject: [ntsysadmin] RE: GPP File Copy problem with new Windows updates?

 

EXTERNAL EMAIL: This email originated from outside of Pitt County Government. Do not click any links or open any attachments unless you trust the sender and know the content is safe.

To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/BL1PR11MB5509DA027606C863DADAC642F64E9%40BL1PR11MB5509.namprd11.prod.outlook.com.

[Markus Klocker]

Yesterday i figured out that "run in user context" doesn't really run in user context any more after installing 2022-09 CU.
It runs as SYSTEM. So any copy to any locations where SYSTEM has no permissions will fail.
So there are ways around the problem introduced but for me it's completely unclear if it will get fixed.

I think the issue was introduced by patching this: https://www.zerodayinitiative.com/advisories/ZDI-22-1285/

Hth
    Markus

--

[Hammer, Erich F]

Does that only apply to file copy operations, or do all "run in user context" group policy preference items now run in a SYSTEM context? For example, are drive mapping or printer deployment preferences set to run in user context also failing?

Thanks,
Erich


On Friday, September 23, 2022 at 01:47, Markus Klocker eloquently inscribed:

> <mailto:ntsysadmin+...@googlegroups.com> . To view this

> discussion on the web visit
> https://groups.google.com/d/msgid/ntsysadmin/e4b48612002d4dda8543029
> 16a84c0c4%40pittcountync.gov

> <https://groups.google.com/d/msgid/ntsysadmin/e4b48612002d4dda854302
> 916a84c0c4%40pittcountync.gov?utm_medium=email&utm_source=footer> .
>
>

[Michael Hartstein]

We have also found that Files no longer works when the destination is anything other than a “regular” local folder, even if “Run in logged in user’s security context” is NOT enabled. For example, copying a file to a redirected shell folder no longer works, nor does copying it to a user folder if the user profile is actually a user profile disk container (in our case ProfileUnity, but possibly also like UPD, FSLogix, etc.). It doesn’t even create 0-byte files like with a regular local destination if “Run in user’s security context” is enabled - just fails (errors visible in GPP trace log though).

Mike

To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/MN2PR04MB6416D32391C2E2714351785ECC519%40MN2PR04MB6416.namprd04.prod.outlook.com.

[Markus Klocker]

I do not know.
Drivemappings are fine in our case also INI files seem to work.
But I won't give much about that.
Problem is that not patching doesn't fix the mess at this point in time.
So take the time and test as much as you can (I know if just the time
were at hand :)).

    Markus

[Michael Hartstein]

Looks like Microsoft added this to the “Known Issues” list on the patch pages over the weekend.

To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/1275a8cb-f127-822f-e68c-cc1b0c402750%40univie.ac.at.