Access problem and interesting Windows registry key

    The purpose of this article is to tell you about an interesting key in the Windows registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\CrashOnAuditFail

    A couple of years ago it cost me several stressful hours of troubleshooting access problems with public folders, and since neither then nor now could I find an explanation of this problem through search, I decided to describe it. If you are wondering how it can happen that you and your colleague both have access rights, but only one of you can access the shared folder, then read on.

    The situation was very simple and did not promise anything interesting: we had just started the transition to Windows Server 2012 R2 and installed a new server for the File Server role and a Pull Print solution from a third-party integrator. The problems began when, after a few days, this server crashed with a BSOD. Users began to complain that they could not access shared folders or print to the printer queues published from this server. The incident reached the server team's queue with a rather obscure story: one of the Service Desk agents who checked the incident confirmed that he also had no access to the shared folders, while someone else said that access worked. A similar situation was observed with the printer queues. Access to both worked perfectly for me.

    It should be noted that since the Pull Print solution came from a third-party company, by agreement with the customer we supported the server itself, and for any problems with it the integrator recommended a rebuild (the procedure really was very simple and, coupled with automated server installation, recovery was very fast; since several servers shared this role, it was easy to take one of them out for a rebuild). Therefore, after thinking for 10-15 minutes about why the server could behave so strangely after a BSOD, I reinstalled it. After the rebuild everything naturally worked, but soon the server crashed with a BSOD again and the problem reappeared.

    Now it became clear that a rebuild would not get rid of the problem and that we needed to understand why it was happening. Tests showed that everyone in our team had access, but users did not. A hypothesis appeared immediately and, having checked it with those Service Desk agents, we confirmed that only those with local admin rights could access the shared folders. Searching the Internet for similar problems (limited access to shared resources), I found nothing. But searching with more general terms, I found this curious registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\CrashOnAuditFail

    Here you can read about it. When this key is set to "1", it restricts access to the system if the Security event log overflows. That is, if your log is full and the server crashes, the key gets the value "2", which the administrator must change manually; until then, the server will not let anyone in except an administrator.

    Now everything became clear. In our previous builds this key was not used and had the value "0". In the new one, the security team decided to set it to "1". In addition, the Security log settings on these servers, after the application was installed, required events to be cleared manually. The rest is obvious: the log fills up, the server crashes with a BSOD, comes back up and admits only admins. Everything works as it should when this key is used. The whole difficulty in finding the source of the problem was that we approached it from an unexpected direction: complaints about access to a shared folder and a printer queue.
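
    A read-only check for the condition described above, as an added example that is not part of the original article: it reads CrashOnAuditFail and the Security log settings and reports whether the server is already admitting only administrators or is heading that way. The 80 % warning threshold, the variable names and the wording of the findings are assumptions.

```powershell
# Added example: read-only report, changes nothing. Run elevated on the server.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# CrashOnAuditFail as described in the article:
#   0 = not used, 1 = enabled, 2 = tripped (only administrators get in)
$lsa  = Get-ItemProperty -Path $lsaPath -Name CrashOnAuditFail -ErrorAction SilentlyContinue
$coaf = if ($null -ne $lsa) { [int]$lsa.CrashOnAuditFail } else { 0 }   # missing value is treated as 0 here

# Security log configuration: size limit, current size, retention mode
$log = Get-WinEvent -ListLog Security
$fillPct = if ($log.MaximumSizeInBytes -gt 0) {
    [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
} else { 0 }

# LogMode 'Retain' = events are never overwritten, the log must be cleared manually.
# This is the setting that, combined with CrashOnAuditFail = 1, produced the crash.
$noOverwrite = ($log.LogMode -eq 'Retain')
$warnAtPct   = 80   # assumed threshold, adjust to your log growth rate

$finding = switch ($coaf) {
    2 { 'TRIPPED: server admits administrators only until the value is changed manually' }
    1 {
        if ($noOverwrite -and ($log.IsLogFull -or $fillPct -ge $warnAtPct)) {
            'AT RISK: Security log does not overwrite and is nearly full; a crash will follow'
        } elseif ($noOverwrite) {
            'EXPOSED: enabled with a manually cleared Security log; monitor the fill level'
        } else {
            'ENABLED: Security log overwrites or archives itself, overflow is unlikely'
        }
    }
    default { 'NOT USED: a full Security log will not restrict access' }
}

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    CrashOnAuditFail = $coaf
    LogMode          = $log.LogMode
    MaxSizeMB        = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    FillPercent      = $fillPct
    IsLogFull        = $log.IsLogFull
    Finding          = $finding
}
```

    Running it against every file and print server after a build change shows which machines received the new setting before users start reporting access problems.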

    I did not know about the existence of this key before I encountered this problem, but after reading about it in more detail, I found out that it can cause a variety of problems. I hope the information presented will help someone save time in the event of such a situation.
