The Dangers of the Two Letter Account
I was debugging a customer issue in QGPM today and came across the strangest problem. Part of the issue involved using a service account with minimum permissions, so I duly followed the steps to set this up. This is something I should do more of, as you will soon see.
Once I finished setting up the service account, I tried to reproduce the customer issue, but kept getting an error from the GPMC APIs that we use internally to back up GPOs. Something about a null reference exception. I started up GPMC using the runas command to run it under my service account credentials. Sure enough, I was unable to back up the working copy GPO that I had just created. I kept getting an "invalid pointer" error from GPMC. However, other GPOs backed up just fine.
Certain I had made some kind of permission error, I carefully retraced my steps. Nothing I tried helped. Finally I turned to Google and all my questions were answered. I never would have figured it out on my own in a million years.
I like to use short account names in my testing domain. For my service account, I had used the name "sa". Seemed perfectly logical at the time.
When the QGPM service created the working copy GPO, the service account was naturally added to the access control list (ACL) for this GPO. When GPMC backs up the GPO, it backs up the ACL in a format called SDDL (Security Descriptor Definition Language), which is essentially a string representation of the security descriptor and its ACL.
It turns out there is a list of two-letter abbreviations that SDDL uses to represent the well-known accounts and groups in any Windows domain. You guessed it: "SA" is the SDDL abbreviation for the Schema Admins group. Any software that uses SDDL internally can potentially break if you have a two-letter account name that appears on that list.
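To make the collision concrete, here is an added example (not code from the original post or from QGPM/GPMC) that does two things: it screens a list of proposed account names against the SDDL two-letter SID aliases, and it shows how an SDDL ACE parser classifies the trustee field, so that "SA" resolves to Schema Admins rather than to any account that happens to be named "sa". The alias table is a partial excerpt of the SID strings Microsoft documents for SDDL (sddl.h); the function names, the ACE regex and the account names in the demo are constructed for this example.

```python
"""Screen account names against SDDL well-known SID string aliases.

Added example, not part of the original post. The alias table is a partial
excerpt (assumption: consult Microsoft's "SID strings" documentation / sddl.h
for the authoritative list). Account names in the demo are constructed.
"""
import re

# Partial excerpt of SDDL SID string aliases (two-letter trustee shorthand).
SDDL_SID_ALIASES = {
    "AN": "Anonymous Logon",
    "AO": "Account Operators",
    "AU": "Authenticated Users",
    "BA": "Builtin Administrators",
    "BG": "Builtin Guests",
    "BO": "Backup Operators",
    "BU": "Builtin Users",
    "CG": "Creator Group",
    "CO": "Creator Owner",
    "DA": "Domain Admins",
    "DC": "Domain Computers",
    "DD": "Domain Controllers",
    "DG": "Domain Guests",
    "DU": "Domain Users",
    "EA": "Enterprise Admins",
    "ED": "Enterprise Domain Controllers",
    "IU": "Interactive",
    "LA": "Local Administrator",
    "LG": "Local Guest",
    "LS": "Local Service",
    "NO": "Network Configuration Operators",
    "NS": "Network Service",
    "NU": "Network",
    "PA": "Group Policy Creator Owners",
    "PO": "Printer Operators",
    "PS": "Principal Self",
    "PU": "Power Users",
    "RC": "Restricted Code",
    "RD": "Remote Desktop Users",
    "RE": "Replicator",
    "RS": "RAS Servers",
    "RU": "Pre-Windows 2000 Compatible Access",
    "SA": "Schema Admins",
    "SO": "Server Operators",
    "SU": "Service",
    "SY": "Local System",
    "WD": "Everyone",
}

# One SDDL ACE: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(
    r"\((?P<type>[^;]*);(?P<flags>[^;]*);(?P<rights>[^;]*);"
    r"(?P<objguid>[^;]*);(?P<inhguid>[^;]*);(?P<sid>[^)]*)\)"
)
# Literal SID string, e.g. S-1-5-21-...-1105
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def alias_collisions(account_names):
    """Return {name: alias meaning} for every name that matches an SDDL alias.

    Windows account names are case-insensitive, so "sa" and "SA" both collide.
    """
    hits = {}
    for name in account_names:
        key = name.strip().upper()
        if key in SDDL_SID_ALIASES:
            hits[name] = SDDL_SID_ALIASES[key]
    return hits


def resolve_trustee(trustee):
    """Classify an ACE trustee field as a well-known alias, a literal SID, or unknown."""
    if trustee in SDDL_SID_ALIASES:          # aliases are written in upper case in SDDL
        return ("alias", SDDL_SID_ALIASES[trustee])
    if SID_RE.match(trustee):
        return ("sid", trustee)
    return ("unknown", trustee)


def trustees_in_sddl(sddl):
    """Return [(trustee_text, classification)] for each ACE in an SDDL string."""
    return [(m.group("sid"), resolve_trustee(m.group("sid")))
            for m in ACE_RE.finditer(sddl)]


if __name__ == "__main__":
    # Constructed names: two of them are SDDL aliases and should be rejected.
    for name, meaning in alias_collisions(["sa", "svc_backup", "da", "jsmith"]).items():
        print(f"rename '{name}': SDDL reads it as {meaning}")
    # Constructed DACL: one alias trustee, one literal SID trustee.
    for trustee, kind in trustees_in_sddl("D:(A;;GA;;;SA)(A;;GR;;;S-1-5-21-1-2-3-1105)"):
        print(trustee, "->", kind)
```

Running the script prints a rename warning for "sa" (Schema Admins) and "da" (Domain Admins), and shows that the first ACE's trustee "SA" is resolved as the well-known alias while the second is kept as a literal SID. Wiring `alias_collisions` into an account-provisioning step, or running it over an export of existing sAMAccountNames, is the practical check this post points at.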
Like I said, I never would have figured it out on my own. Thanks, Google!