Question : Server 2008 R2 DC File Permissions

Hi,

I am building a Server 2008 R2 domain controller (custom build with select computer components) and was making pretty good progress.  OS, hardware, drivers, Active Directory, Certificate of Authority, DHCP, DNS, WINS, Print Management, some patches, and a couple apps were installed and configured.  She was bluescreening routinely and I finally traced it down to one bad DIMM out of four (quality Corsair memory no doubt !).  I probably suffered 8-12 bluescreens before finally tracing the issue.  No file fragments or orphaned files or anything similar.  File structure is good.

After replacing the bad dimm there were no further bluescreens and everything seemed solid.  Then one day I installed a couple more updates and rebooted upon which chkdsk wanted to do a consistency check.  It then did the "replacing invalid security id with default security id for file number" for thousands of files.  This has never happened to me in my career.  I would then boot up to a black screen with only the mouse working and nothing else.

After some troubleshooting I finally pulled out my trusty older Winternals CD and changed the file permissions on all files to Everyone for Full Control.  It probably uses xcalcs.  I added the System account at Full Control as well.  This worked.  I booted up and it is once again working.

However, I know that this is not what Microsoft intended so I want to restore the default NTFS file permissions as well as anything else that should be restored back to the default.  I am trying to get some ideas on the best way to do this ?  Secedit and import certain security templates ?

Should I also disable chkdsk from future consistency checks ?  This sounds like a bug that was present until Server 2003 SP2.

One thing I notice is that I have a GPO that automatic updates is supposed to work only for admins not domain users and it does not appear to work for anyone right now.  Thank you !

Answer : Server 2008 R2 DC File Permissions

If you have a backup of the files youc an restore the security data but without a backup then you will not be able too.

On the system files you can run sfc /scannow.