Folder owner should not be able to change permissions / OWNER Rights explained for NTFS security

Some time ago we had an interesting discussion about the ownership of folders created by regular users. Standard behaviour: as the user who created the folder, you have FULL ACCESS to it and you are able to change its permissions as you like.

Aim: when a user creates a folder, he or she should not get full access to it and should not be able to change its permissions.

As a short review, I describe the default behaviour in NTFS.

First, have a look at the default permissions of a share on a Windows file server (no changes applied):

The Creator Owner permission gives users full access to the folders they create. So when a user creates a new folder under this share, the user is given full access to it and can also modify and delete NTFS permissions. See screenshot:

After this step I created another subfolder in testfolder01 with another user (user09).

As you can see, no other user (except Administrators) has permissions on this folder; now I also delete Administrators. So even as a Domain Admin I am not able to access this folder via the share.

One way to get access again is to browse directly to the folder on the server and take ownership of it.

Sometimes you want to know who changed the permissions or who created the folder before you overwrite this piece of information. So here is the PowerShell cmdlet to display the current owner if you do not see it in Explorer:

Get-Acl -Path "C:\Shares\share01\testordner01\testunterordner01" | Select-Object Path, Owner -ExpandProperty Access
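The one-liner above covers a single folder. The following script is an added example and not code from the original post: it walks a share root (the path is an assumption for this example), reports each folder's owner and its explicit ACEs, and flags the worst case described above, folders where neither BUILTIN\Administrators nor SYSTEM holds an Allow ACE. It compares well-known SIDs instead of names, so the check also works on localized systems.

```powershell
# Added example, not code from the original post. Inventories folder owners and explicit
# ACEs under a share root and flags folders no administrator can manage any more.
$ShareRoot = 'C:\Shares\share01'                 # assumption: adjust to your own share root
$AdminSids = @('S-1-5-32-544', 'S-1-5-18')       # BUILTIN\Administrators, Local System (well-known SIDs)

function Resolve-SidName {
    param([System.Security.Principal.IdentityReference]$Id)
    # Translate to DOMAIN\name for the report; fall back to the raw SID if it cannot be resolved
    try { return $Id.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Id.Value }
}

function Get-FolderAclReport {
    param([Parameter(Mandatory)][string]$Root)

    foreach ($dir in @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        } catch {
            # Reading the DACL needs READ_CONTROL. When only the owner has access, even an
            # administrator gets Access Denied here until ownership is taken on the server.
            [pscustomobject]@{ Path = $dir.FullName; Owner = '(access denied)'; AdminsHaveAccess = $false; ExplicitAces = '' }
            continue
        }

        # Ask for SID identities so the comparison does not depend on the display language
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $adminAllowed = [bool]($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $AdminSids -contains $_.IdentityReference.Value
        })
        $explicit = foreach ($r in $rules) {
            if (-not $r.IsInherited) {
                '{0}:{1}:{2}' -f (Resolve-SidName $r.IdentityReference), $r.AccessControlType, $r.FileSystemRights
            }
        }

        [pscustomobject]@{
            Path             = $dir.FullName
            Owner            = $acl.Owner
            AdminsHaveAccess = $adminAllowed
            ExplicitAces     = ($explicit -join '; ')
        }
    }
}

# Show only the folders an administrator could no longer manage through the share
Get-FolderAclReport -Root $ShareRoot | Where-Object { -not $_.AdminsHaveAccess } | Format-Table -AutoSize
```

Run it elevated on the file server itself, not through the share: the owner string from Get-Acl is what you want to record before taking ownership, and the "(access denied)" rows are exactly the folders where that information would otherwise be lost.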

This is the worst case and should not happen in production environments, so let's have a look at the solution.

KEYWORD: OWNER-Rights

Unfortunately I did not find much information from Microsoft about this important topic (if someone knows a link, please share it in the comment section).

The only thing I found was this list of well-known SIDs: LINK

  • SID: S-1-3-4 Name: Owner Rights
    Description: A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner.

NOTE: localized operating systems use a different name, so there is no "OWNER RIGHTS" principal to pick; in German, for example, it is "Eigentümerrechte".

If you want to keep users out of permission allocation, you should completely remove "Creator Owner", replace it with "Owner Rights" and change FULL ACCESS to MODIFY on the top folder (in my case Shares).

Have a look at my screenshot:

Every folder should get this change, and now we can check the result.

A newly created folder inside this share with Owner Rights implemented:

When I try to change permissions as user09, it is not possible even though I am the owner. User09 is also not allowed to disable inheritance, so nothing happens even if the user finds this "secret" security setting.

Conclusion: Owner Rights are one step towards better NTFS security, because users can no longer change permissions on the folders they create.

NOTE: even if the Creator Owner permission is changed to "Modify", the user is still able to change permissions. This group must be removed completely, otherwise Owner Rights does not work properly.
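The same change can be scripted. The script below is an added example and not code from the original post: it removes every CREATOR OWNER ACE from a share root (the path is an assumption), adds an OWNER RIGHTS ACE with Modify, writes the DACL back, and then verifies the result. It uses the well-known SIDs from the list above (S-1-3-0 and S-1-3-4) instead of names, so it also works on localized systems where OWNER RIGHTS is called "Eigentümerrechte".

```powershell
# Added example, not code from the original post. Replaces CREATOR OWNER with
# OWNER RIGHTS (Modify) on a share root and verifies the change.
$ShareRoot       = 'C:\Shares'    # assumption: the top folder, as in the post
$CreatorOwnerSid = 'S-1-3-0'      # CREATOR OWNER (well-known SID)
$OwnerRightsSid  = 'S-1-3-4'      # OWNER RIGHTS (well-known SID)

function Set-OwnerRightsOnFolder {
    param([Parameter(Mandatory)][string]$Path, [switch]$WhatIf)

    $acl     = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # CREATOR OWNER is normally inherited from the volume root. An inherited ACE cannot be
    # removed on the child, so break inheritance first and keep the inherited ACEs as explicit.
    $inherited = $acl.GetAccessRules($false, $true, $sidType) |
        Where-Object { $_.IdentityReference.Value -eq $CreatorOwnerSid }
    if ($inherited) { $acl.SetAccessRuleProtection($true, $true) }

    # Remove every ACE (Allow and Deny, any rights) that names CREATOR OWNER
    foreach ($rule in @($acl.GetAccessRules($true, $false, $sidType) |
                        Where-Object { $_.IdentityReference.Value -eq $CreatorOwnerSid })) {
        $acl.RemoveAccessRuleAll($rule)
    }

    # OWNER RIGHTS gets Modify, not Full Control: Full Control includes "Change permissions"
    # (WRITE_DAC) and would hand that right straight back to the owner.
    $ownerRights = New-Object System.Security.Principal.SecurityIdentifier $OwnerRightsSid
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $ownerRights,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl -WhatIf:$WhatIf
}

function Test-OwnerRightsApplied {
    param([Parameter(Mandatory)][string]$Path)
    # True when no ACE names CREATOR OWNER and an Allow ACE for OWNER RIGHTS carries at least Modify
    $rules  = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $hasCreatorOwner = [bool]($rules | Where-Object { $_.IdentityReference.Value -eq $CreatorOwnerSid })
    $hasOwnerRights  = [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $OwnerRightsSid -and $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    })
    return (-not $hasCreatorOwner) -and $hasOwnerRights
}

Set-OwnerRightsOnFolder -Path $ShareRoot
# Verify the root and a folder a user created afterwards (constructed path for this example)
Test-OwnerRightsApplied -Path $ShareRoot
Test-OwnerRightsApplied -Path (Join-Path $ShareRoot 'share01\testfolder01')
```

Run it with -WhatIf first to see which folder would be written. The verification function is worth keeping around: run it against a freshly created user folder after the change, because an explicit CREATOR OWNER ACE somewhere below the top folder (for example one a user set earlier) will still show up there and, as the note above says, defeats the Owner Rights ACE.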

If there are any further questions leave me a comment or write an e-mail.

Have fun.

Well-known security identifiers in Windows operating systems

Applies to: Windows 10, version 2004, all editions; Windows Server, version 2004, all editions; Windows Server, version 1909, all editions

Summary


A security identifier (SID) is a unique value of variable length that is used to identify a security principal (such as a security group) in Windows operating systems. SIDs that identify generic users or generic groups are particularly well known. Their values remain constant across all operating systems.

This information is useful for troubleshooting issues that involve security. It is also useful for troubleshooting display issues in the Windows access control list (ACL) editor. Windows tracks a security principal by its SID. To display the security principal in the ACL editor, Windows resolves the SID to its associated security principal name. 

Note

This article describes circumstances under which the ACL editor displays a security principal SID instead of the security principal name.

Over time, this set of well-known SIDs has grown. The tables in this article organize these SIDs according to which version of Windows introduced them.

Well-known SIDs (all versions of Windows)


All versions of Windows use the following well-known SIDs.

SID | Name | Description
S-1-0 | Null Authority | An identifier authority.
S-1-0-0 | Nobody | No security principal.
S-1-1 | World Authority | An identifier authority.
S-1-1-0 | Everyone | A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system. Note: by default, the Everyone group no longer includes anonymous users on a computer that is running Windows XP Service Pack 2 (SP2).
S-1-2 | Local Authority | An identifier authority.
S-1-2-0 | Local | A group that includes all users who have logged on locally.
S-1-3 | Creator Authority | An identifier authority.
S-1-3-0 | Creator Owner | A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's creator.
S-1-3-1 | Creator Group | A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's creator. The primary group is used only by the POSIX subsystem.
S-1-3-4 | Owner Rights | A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner.
S-1-4 | Non-unique Authority | An identifier authority.
S-1-5 | NT Authority | An identifier authority.
S-1-5-1 | Dialup | A group that includes all users who have logged on through a dial-up connection. Membership is controlled by the operating system.
S-1-5-2 | Network | A group that includes all users that have logged on through a network connection. Membership is controlled by the operating system.
S-1-5-3 | Batch | A group that includes all users that have logged on through a batch queue facility. Membership is controlled by the operating system.
S-1-5-4 | Interactive | A group that includes all users that have logged on interactively. Membership is controlled by the operating system.
S-1-5-5-X-Y | Logon Session | A logon session. The X and Y values for these SIDs are different for each session.
S-1-5-6 | Service | A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.
S-1-5-7 | Anonymous | A group that includes all users that have logged on anonymously. Membership is controlled by the operating system.
S-1-5-9 | Enterprise Domain Controllers | A group that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system.
S-1-5-10 | Principal Self | A placeholder in an inheritable ACE on an account object or group object in Active Directory. When the ACE is inherited, the system replaces this SID with the SID for the security principal who holds the account.
S-1-5-11 | Authenticated Users | A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
S-1-5-12 | Restricted Code | This SID is reserved for future use.
S-1-5-13 | Terminal Server Users | A group that includes all users that have logged on to a Terminal Services server. Membership is controlled by the operating system.
S-1-5-14 | Remote Interactive Logon | A group that includes all users who have logged on through a terminal services logon.
S-1-5-17 | This Organization | An account that is used by the default Internet Information Services (IIS) user.
S-1-5-18 | Local System | A service account that is used by the operating system.
S-1-5-19 | NT Authority | Local Service
S-1-5-20 | NT Authority | Network Service
S-1-5-21domain-500 | Administrator | A user account for the system administrator. By default, it is the only user account that is given full control over the system.
S-1-5-21domain-501 | Guest | A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.
S-1-5-21domain-502 | KRBTGT | A service account that is used by the Key Distribution Center (KDC) service.
S-1-5-21domain-512 | Domain Admins | A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
S-1-5-21domain-513 | Domain Users | A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default.
S-1-5-21domain-514 | Domain Guests | A global group that, by default, has only one member, the domain's built-in Guest account.
S-1-5-21domain-515 | Domain Computers | A global group that includes all clients and servers that have joined the domain.
S-1-5-21domain-516 | Domain Controllers | A global group that includes all domain controllers in the domain. New domain controllers are added to this group by default.
S-1-5-21domain-517 | Cert Publishers | A global group that includes all computers that are running an enterprise certification authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.
S-1-5-21root domain-518 | Schema Admins | A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.
S-1-5-21root domain-519 | Enterprise Admins | A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.
S-1-5-21domain-520 | Group Policy Creator Owners | A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
S-1-5-21domain-526 | Key Admins | A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
S-1-5-21domain-527 | Enterprise Key Admins | A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
S-1-5-21domain-553 | RAS and IAS Servers | A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group.
S-1-5-32-544 | Administrators | A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.
S-1-5-32-545 | Users | A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.
S-1-5-32-546 | Guests | A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.
S-1-5-32-547 | Power Users | A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares.
S-1-5-32-548 | Account Operators | A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
S-1-5-32-549 | Server Operators | A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.
S-1-5-32-550 | Print Operators | A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.
S-1-5-32-551 | Backup Operators | A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.
S-1-5-32-552 | Replicators | A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.
S-1-5-32-582 | Storage Replica Administrators | A built-in group that grants complete and unrestricted access to all features of Storage Replica.
S-1-5-64-10 | NTLM Authentication | A SID that is used when the NTLM authentication package authenticated the client.
S-1-5-64-14 | SChannel Authentication | A SID that is used when the SChannel authentication package authenticated the client.
S-1-5-64-21 | Digest Authentication | A SID that is used when the Digest authentication package authenticated the client.
S-1-5-80 | NT Service | An NT Service account prefix.

SIDs added by Windows Server 2003 and later versions


When you add a domain controller that runs Windows Server 2003 or a later version to a domain, Active Directory adds the security principals in the following table.

Note

The Windows ACL editor may not display these security principals by name. Active Directory does not resolve these SIDs to their corresponding names until the primary domain controller (PDC) emulator flexible single master operations (FSMO) role transfers to or is seized by a domain controller that runs Windows Server 2003 or later.

SID | Name | Description
S-1-3-2 | Creator Owner Server | This SID is not used in Windows 2000.
S-1-3-3 | Creator Group Server | This SID is not used in Windows 2000.
S-1-5-8 | Proxy | This SID is not used in Windows 2000.
S-1-5-15 | This Organization | A group that includes all users from the same organization. Only included with AD accounts and only added by a Windows Server 2003 or later domain controller.
S-1-5-32-554 | Builtin\Pre-Windows 2000 Compatible Access | An alias added by Windows 2000. A backward compatibility group which allows read access on all users and groups in the domain.
S-1-5-32-555 | Builtin\Remote Desktop Users | An alias. Members in this group are granted the right to log on remotely.
S-1-5-32-556 | Builtin\Network Configuration Operators | An alias. Members in this group can have some administrative privileges to manage configuration of networking features.
S-1-5-32-557 | Builtin\Incoming Forest Trust Builders | An alias. Members of this group can create incoming, one-way trusts to this forest.
S-1-5-32-558 | Builtin\Performance Monitor Users | An alias. Members of this group have remote access to monitor this computer.
S-1-5-32-559 | Builtin\Performance Log Users | An alias. Members of this group have remote access to schedule logging of performance counters on this computer.
S-1-5-32-560 | Builtin\Windows Authorization Access Group | An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.
S-1-5-32-561 | Builtin\Terminal Server License Servers | An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.
S-1-5-32-562 | Builtin\Distributed COM Users | An alias. A group for COM to provide computerwide access controls that govern access to all call, activation, or launch requests on the computer.

SIDs added by Windows Server 2008 and later versions


When you add a domain controller that runs Windows Server 2008 or a later version to a domain, Active Directory adds the security principals in the following table.

Note

The Windows ACL editor may not display these security principals by name. Active Directory does not resolve these SIDs to their corresponding names until the PDC emulator FSMO role transfers to or is seized by a domain controller that runs Windows Server 2008 or later.

SID | Name | Description
S-1-2-1 | Console Logon | A group that includes users who are logged on to the physical console. Note: added in Windows 7 and Windows Server 2008 R2.
S-1-5-21domain-498 | Enterprise Read-only Domain Controllers | A universal group. Members of this group are read-only domain controllers in the enterprise.
S-1-5-21domain-521 | Read-only Domain Controllers | A global group. Members of this group are read-only domain controllers in the domain.
S-1-5-21domain-571 | Allowed RODC Password Replication Group | A domain local group. Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
S-1-5-21domain-572 | Denied RODC Password Replication Group | A domain local group. Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain.
S-1-5-32-569 | Builtin\Cryptographic Operators | A built-in local group. Members are authorized to perform cryptographic operations.
S-1-5-32-573 | Builtin\Event Log Readers | A built-in local group. Members of this group can read event logs from the local computer.
S-1-5-32-574 | Builtin\Certificate Service DCOM Access | A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.
S-1-5-80-0 | NT Services\All Services | A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. Note: added in Windows Server 2008 R2.
S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system. Note: added in Windows Vista and Windows Server 2008.
S-1-5-83-0 | NT Virtual Machine\Virtual Machines | A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the Create Symbolic Links right (SeCreateSymbolicLinkPrivilege), and also the Log on as a Service right (SeServiceLogonRight). Note: added in Windows 8 and Windows Server 2012.
S-1-5-90-0 | Windows Manager\Windows Manager Group | A built-in group that is used by the Desktop Window Manager (DWM). DWM is a Windows service that manages information display for Windows applications. Note: added in Windows Vista.
S-1-16-0 | Untrusted Mandatory Level | An untrusted integrity level. Note: added in Windows Vista and Windows Server 2008.
S-1-16-4096 | Low Mandatory Level | A low integrity level. Note: added in Windows Vista and Windows Server 2008.
S-1-16-8192 | Medium Mandatory Level | A medium integrity level. Note: added in Windows Vista and Windows Server 2008.
S-1-16-8448 | Medium Plus Mandatory Level | A medium plus integrity level. Note: added in Windows Vista and Windows Server 2008.
S-1-16-12288 | High Mandatory Level | A high integrity level. Note: added in Windows Vista and Windows Server 2008.
S-1-16-16384 | System Mandatory Level | A system integrity level. Note: added in Windows Vista and Windows Server 2008.
S-1-16-20480 | Protected Process Mandatory Level | A protected-process integrity level. Note: added in Windows Vista and Windows Server 2008.
S-1-16-28672 | Secure Process Mandatory Level | A secure process integrity level. Note: added in Windows Vista and Windows Server 2008.

SIDs added by Windows Server 2012 and later versions


When you add a domain controller that runs Windows Server 2012 or a later version to a domain, Active Directory adds the security principals in the following table.

Note

The Windows ACL editor may not display these security principals by name. Active Directory does not resolve these SIDs to their corresponding names until the PDC emulator FSMO role transfers to or is seized by a domain controller that runs Windows Server 2012 or later.

SID | Name | Description
S-1-5-21-domain-522 | Cloneable Domain Controllers | A global group. Members of this group that are domain controllers may be cloned.
S-1-5-32-575 | Builtin\RDS Remote Access Servers | A built-in local group. Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.
S-1-5-32-576 | Builtin\RDS Endpoint Servers | A built-in local group. Servers in this group run virtual machines and host sessions where users' RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
S-1-5-32-577 | Builtin\RDS Management Servers | A built-in local group. Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.
S-1-5-32-578 | Builtin\Hyper-V Administrators | A built-in local group. Members of this group have complete and unrestricted access to all features of Hyper-V.
S-1-5-32-579 | Builtin\Access Control Assistance Operators | A built-in local group. Members of this group can remotely query authorization attributes and permissions for resources on this computer.
S-1-5-32-580 | Builtin\Remote Management Users | A built-in local group. Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.

Capability SIDs


Windows 8 introduced capability security identifiers (SIDs). A capability SID identifies a capability in a unique and immutable manner. A capability represents an unforgeable token of authority that grants access to resources (such as documents, a camera, locations, and so forth) to Universal Windows Applications. An app that "has" a capability is granted access to the associated resource. An app that "does not have" a capability is denied access to the resource.

All capability SIDs that the operating system is aware of are stored in the Windows registry in the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities

This subkey also contains any capability SID that is added by first-party or third-party applications.

All capability SIDs begin with "S-1-15-3".

Important

Active Directory does not resolve capability SIDs to names. This behavior is by design.


How to find out who changed the Folder permissions

Native auditing

1. Setting up the file’s audit system access control list (SACL):

  • Select the file or folder you want to audit and go to Properties. Select the Security tab → Advanced → Auditing → Add.
  • Select Principal: Everyone; Type: All; Applies to: This folder, subfolders and files.
  • Click Show advanced permissions, then select Change permissions and Take ownership.

2. Setting up your domain’s audit policy

  • Go to your Group Policy management console, and edit the Default Domain Policy.
  • Go to Computer Configuration → Policies → Windows Settings → Security Settings.
  • Go to Local Policies → Audit Policy → Audit object access. Select both Success and Failure.
  • Go to Advanced Audit Policy Configuration → Audit Policies → Object Access:
    • Audit File System: select both Success and Failure.
    • Audit Handle Manipulation: select both Success and Failure.
  • Go to Event Log and set:
    • Maximum security log size: 1 GB.
    • Retention method for security log: Overwrite events as needed.

3. Checking for the event on your Event Viewer

Go to the Windows Security logs, and search for:

  • Event ID 4663
  • Task Category: File System or Removable Storage

The Account Name and Security ID fields show you who changed the file's or folder's owner or permissions.
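Searching the Security log by hand gets tedious on a busy file server. The script below is an added example and not code from the original notes: with the SACL and audit policy above in place, it reads Event ID 4663 from the local Security log and keeps only the events whose access mask includes WRITE_DAC (0x40000, the "Change permissions" right) or WRITE_OWNER (0x80000, the "Take ownership" right), then reports who did it, on which object and from which process. The share path prefix is an assumption for this example.

```powershell
# Added example, not code from the original notes. Filters 4663 events down to
# permission and ownership changes under a share path.
$WriteDac   = 0x40000    # WRITE_DAC: change permissions
$WriteOwner = 0x80000    # WRITE_OWNER: take ownership

function Get-PermissionChangeEvent {
    param(
        [int]$Hours = 24,
        [string]$PathPrefix = 'C:\Shares\'     # assumption: only report objects under this path
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }

    foreach ($evt in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # The EventData fields are easiest to read from the event XML by their Name attribute
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $mask = [Convert]::ToInt32($data['AccessMask'], 16)   # logged as hex text, e.g. '0x40000'
        if (-not ($mask -band ($WriteDac -bor $WriteOwner))) { continue }
        if ($data['ObjectName'] -notlike "$PathPrefix*") { continue }

        $access = @(
            if ($mask -band $WriteDac)   { 'WRITE_DAC' }
            if ($mask -band $WriteOwner) { 'WRITE_OWNER' }
        )
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Sid     = $data['SubjectUserSid']
            Object  = $data['ObjectName']
            Access  = ($access -join ',')
            Process = $data['ProcessName']
        }
    }
}

Get-PermissionChangeEvent -Hours 24 | Format-Table -AutoSize
```

The Sid column is the Security ID from the event, which is what you want to keep for the record: the account name can be renamed or deleted later, the SID cannot be reused. Event ID 4670 ("Permissions on an object were changed") is logged alongside 4663 for the same policy and additionally carries the old and new security descriptor in SDDL, which is useful when you need to know what the permissions were before the change.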

Dell Dock Resolution Issue

  1. Press Windows + R.
  2. Type regedit and hit ENTER.
  3. If a message pops up saying "Do you want to allow this app to make changes to your device", click YES.
  4. A window called "Registry Editor" should show.
  5. Locate these three registry keys:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Connectivity
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\ScaleFactors
  6. After finding them, right click on each key, select Delete, then Yes.

SBS Server 2011 – Renew Expired Web Server SSL Certificate

If you have found yourself with an expired or lapsed security certificate for your IIS or Exchange server web services, the steps below will guide you through a successful renewal with no hassle on the client workstations.

First you will need to update your certificate templates to grant the user currently logged in on the server permission to renew the certificate.

Open MMC

Add/Remove snapin or Ctrl+M

Add Certificate Templates

Add Certificates, choosing Computer Account , Local Computer

Add Certificate Authority, Local Computer, Click Ok

Click Certificate Templates, scroll down to Web Server, Right click , Properties

Click Security, Add logged in user, assign Read/Write/Enroll. Do the Same for Authenticated Users

If your certificate has expired, then set the system date back to the day before expiry.

Still in the MMC, now choose Certificate Authority

We now need to renew the CA certificate for the date on the current PC – Right Click Server name, All Tasks

Renew CA Certificate, Yes

Now we can renew the Web Server certificate, in MMC click Certificates (Local Computer)

Click Personal, Certificates

Find the certificate to be renewed, Right click, All Tasks, Advanced Operations, Renew this certificate with the same key…

Click Next , Enroll

Repeat this for all certificates that have expired

Now set the date back to the current date.

Repeat the step to renew the CA Certificate, Choose Certificate Authority, Right Click Server name, All Tasks

Renew CA Certificate, Yes

Now we can renew the Web Server certificate again, so that its validity is counted from the current date and not from the expired date. This step can be skipped.

Finally, we need to assign the renewed certificate: open the SBS Console.

Click Networking, Connectivity, Certificate

Add a trusted certificate from the options on the right, Next.

Select I want to use a certificate already installed on the server

Select the certificate, Click Next

Click Finish
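To see what actually needs renewing before you start, and to confirm the new validity period afterwards, the following script is an added example and not code from the original notes. It lists the certificates in the local machine's Personal store (the store the MMC steps above work in) that have expired or expire within a given number of days, together with the template name recorded in the certificate and whether the private key is present, which the "Renew this certificate with the same key" step requires.

```powershell
# Added example, not code from the original notes. Lists expired or soon-expiring
# machine certificates with their template name and private-key status.
function Get-ExpiringMachineCert {
    param([int]$Days = 30)

    # Certificate Template Name (V1 templates such as Web Server) and
    # Certificate Template Information (V2 and later) extensions
    $templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')
    $cutoff = (Get-Date).AddDays($Days)

    foreach ($cert in @(Get-ChildItem -Path Cert:\LocalMachine\My)) {
        if ($cert.NotAfter -ge $cutoff) { continue }

        $template = ''
        foreach ($ext in $cert.Extensions) {
            if ($templateOids -contains $ext.Oid.Value) { $template = $ext.Format($false).Trim(); break }
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            Template   = $template
            HasKey     = $cert.HasPrivateKey   # "Renew with the same key" needs the private key
            Thumbprint = $cert.Thumbprint
        }
    }
}

Get-ExpiringMachineCert -Days 30 | Sort-Object NotAfter | Format-Table -AutoSize
```

Run it once before changing the system date and once after the final renewal: the renewed certificate shows up as a new entry with a new thumbprint, and the old thumbprint is what the SBS Console binding still points to until the last step above replaces it.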

Mail icon missing for Office in Control Panel

Step 1: Manually Opening the Mail application

Navigate to C:\Program Files (x86)\Microsoft Office\Office14 and double-click MLCFG32.CPL.

Step 2: Permanently fix the Mail application

Open Regedit
Go to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\Cpls
Open value mlcfg32.cpl and make sure that it is set to C:\PROGRA~2\MICROS~1\Office14\MLCFG32.CPL
If it already is, add a .OLD to the end
Use task manager to end Explorer.exe
Use task manager to Start Explorer.exe
At this point, Mail will be missing in the Control Panel
Use Regedit to remove the .OLD that we added in the registry
Use task Manager to close and reopen Explorer.exe

Migrating Sticky Notes

1) Close Sticky Notes.

2) Go to PC Settings –> Apps & Features –> Sticky Notes –> Advanced Options then Reset.

3) Go to %LOCALAPPDATA%\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbw\LocalState

4) Create Folder within \LocalState called “Legacy”

5) Copy the old Notes.snt to the Legacy folder and rename it "ThresholdNotes.snt".

The old Notes.snt is usually found under %OLD-LOCALAPPDATA%\AppData\Roaming\Microsoft\Sticky Notes\

Removing WSUS From 2008 and 2011

First Attempt to Uninstall WSUS 3.0 through Programs and Features

1.    Attempt to uninstall “Windows Server Update Service 3.0 Sp2” from Programs and Features in control panel.

If you don’t see WSUS sp1 or sp2 in Programs and Features run WSUSSetup.exe from the SBS 2008 Recovery CD #2

Cdrom<drive>: \CMPNENTS\WSUS\WSUSSetup.exe and select the three check boxes to remove WSUS.

2.    If you get errors look at the WSUSSetup.log file.

C:\User\Username\AppData\Local\Temp\WSUSSetup.log and  WSUSCa_100719_1452.log

3.    After removing WSUS via Programs and Features, you may still want to verify that the directories and registry keys below have been removed successfully.

If you’re unable to uninstall with the setup then manually remove  the installation with the following Steps:

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756  How to back up and restore the registry in Windows

Delete the following Directories and Registry keys:

4.    HKLM\Software\Microsoft\Microsoft SQL Server\WSUS

5.    HKLM\Software\Microsoft\UpdateServices 

6.    HKLM\software\Microsoft\windows\currentversion\installer\userdata\s-1-5-18\products

Look under Each GUID > InstallProperties 

On the right side look for a <DisplayName> with Microsoft Windows Server Update Services 3.0 SP<x>

Delete the GUID

7.    HKLM\Software\Classes\installer\Products\25B648799C414CF4EB36EF60FA054124

(Look through each GUID.  The default GUID for WSUS is 25B648799C414CF4EB36EF60FA054124)

 On the right side look for a <ProductName> with Microsoft Windows Server Update Services 3.0 SP<x>

8.    HKLM\System\CCS\Services\WSUS:  and others

9.    HKLM\System \CCS\Services\WSusCertServer

10.    HKLM\System \CCS\Services\WsusService

11.    HKCRoot\wsuscertserver.certmanager

12.    HKCRoot\wsuscertserver.certmanager.1

13.    HKCRoot\wsuscertserver.Utilites

14.    HKCRoot\wsuscertserver.Utilites.1

15.    HKCR\wsuscertserver.certmanager

Delete the following from IIS:

16.    WSUS Administration Virtual Directory

17.    Application Pool > WsusPool

18.    Reboot the server

Rename the following folders:

19.    Stop the “Update Services”  service

20.    C:\Program files\Update services

(Delete everything in the Update Services folder but leave the “Common” Folder)

21.    C:\WSUS  (Be sure to rename on all drives)
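The following script is an added example and not code from the original notes. It checks the leftovers listed above in one pass, registry keys, the service keys, the Windows Installer product entries under the S-1-5-18 products key, the contents of the Update Services folder other than Common, and a WSUS folder on every drive, and returns only the items that still exist, so you can confirm the manual cleanup before reinstalling.

```powershell
# Added example, not code from the original notes. Reports WSUS 3.0 leftovers that
# still exist after the manual removal steps.
function Get-WsusLeftover {
    $registryKeys = @(
        'HKLM:\Software\Microsoft\Microsoft SQL Server\WSUS'
        'HKLM:\Software\Microsoft\UpdateServices'
        'HKLM:\System\CurrentControlSet\Services\WSUS'
        'HKLM:\System\CurrentControlSet\Services\WSusCertServer'
        'HKLM:\System\CurrentControlSet\Services\WsusService'
        'Registry::HKEY_CLASSES_ROOT\wsuscertserver.certmanager'
        'Registry::HKEY_CLASSES_ROOT\wsuscertserver.certmanager.1'
        'Registry::HKEY_CLASSES_ROOT\wsuscertserver.Utilites'
        'Registry::HKEY_CLASSES_ROOT\wsuscertserver.Utilites.1'
    )
    foreach ($key in $registryKeys) {
        if (Test-Path -LiteralPath $key) {
            [pscustomobject]@{ Kind = 'RegistryKey'; Target = $key }
        }
    }

    # Windows Installer product entries: look for the WSUS display name under each GUID
    $products = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'
    foreach ($guid in @(Get-ChildItem -LiteralPath $products -ErrorAction SilentlyContinue)) {
        $props = Get-ItemProperty -LiteralPath (Join-Path $guid.PSPath 'InstallProperties') -ErrorAction SilentlyContinue
        if ($props -and $props.DisplayName -like 'Microsoft Windows Server Update Services 3.0*') {
            [pscustomobject]@{ Kind = 'InstallerProduct'; Target = ('{0} ({1})' -f $guid.PSChildName, $props.DisplayName) }
        }
    }

    # Everything in the Update Services folder except "Common" should be gone
    $updateServices = Join-Path $env:ProgramFiles 'Update Services'
    foreach ($item in @(Get-ChildItem -LiteralPath $updateServices -ErrorAction SilentlyContinue |
                        Where-Object { $_.Name -ne 'Common' })) {
        [pscustomobject]@{ Kind = 'Folder'; Target = $item.FullName }
    }

    # A WSUS folder may exist on any drive, not only on C:
    foreach ($drive in @(Get-PSDrive -PSProvider FileSystem)) {
        $wsus = Join-Path $drive.Root 'WSUS'
        if (Test-Path -LiteralPath $wsus) {
            [pscustomobject]@{ Kind = 'Folder'; Target = $wsus }
        }
    }
}

Get-WsusLeftover | Format-Table -AutoSize
```

An empty result means the file system and registry side is clean; the IIS virtual directory and the WsusPool application pool from the list above still have to be checked in the IIS console.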

Reinstall WSUS from CD or Download WSUS 3.0 Sp2

22.    Option 1

Download of Windows Server Update Services 3.0 SP2 site:

http://www.microsoft.com/downloads/details.aspx?FamilyId=a206ae20-2695-436c-9578-3403a7d46e40&displaylang=en

Option 2

Get the SBS2008 CD2 navigate and run Cdrom<drive>:\Cmpnents\Wsus\WSUSSetup.exe

23.    Select radio button for “Full Server Installation Including Administration Console”

24.    Choose the drive that you would like for the installation to be Installed.  <drive>:\WSUS

25.    Choose the drive for the Database option of <drive>:\WSUS

26.    Select Next until you get to the Database usage.  Choose the “Create new database”

27.    Select Next all the way to the End of the installation.

Custom Configuration Wizard

28.    Walk through the Windows Server Update Services Configuration Wizard.

29.    On the Language Page leave the Default check for English.

30.    Select “All Products” check box.

31.    On the Classifications page select the following check boxes

•    Critical Updates

•    Definition Updates

•    Security Updates

•    Service Packs

•    Update Rollups

32.    Set the Synchronization to Automatic

33.    Uncheck the “Begin initial Synchronization” checkbox.

34.     Select Finish. 

Open WSUS Native Console

35.    Expand your Servername > Computers > All Computers

36.    Right click on "All Computers" and select "Add Computer Groups".

Here you'll create three groups with the following names:

•    Update Service Excluded Computers

•    Update Services Client Computers

•    Update Services Server Computers

Open SBS Console

•    Look at the Updates and you should have a green Check.

Additional information!

If you have SQL Server Management Studio installed on your server, you can open SQL Server Management Studio using Run As Administrator and connect to the WID with Windows Authentication using the string below:

WID2008 = ‘np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query’

Then you can expand Databases and see whether any other databases are installed on the system besides the system databases (master, model, msdb and tempdb) and the WSUS database (SUSDB). If there are, simply right click SUSDB, choose Properties and look for the location of the data files. Make a note of where they are, then cancel out of the properties, right click SUSDB and choose Detach Database. This makes the SUSDB database disappear from the SSMS console. Close SSMS, browse to the location where your SUSDB was located and delete SUSDB.mdf and SUSDB.ldf.

SQL Server Management Studio (2008 R2)

Install SQL Server Management Studio: https://www.microsoft.com/en-ca/download/details.aspx?id=30438

You want to choose SQLManagementStudio_x64_ENU.exe