Knowledge Base for Windows

Description/Problem:
Some weeks ago I had an issue related to non-administrator users which were not able to logon over graphical user interface into the Windows Server 2003. This server was operated as domain controller with basic security settings.

Solution:

• Set correct files system permissions to folder “%systemroot%\WinSxS” and all sub-folders
  BUILTIN\Administrators:(OI)(CI)F
  NT AUTHORITY\Authenticated Users:(OI)(CI)R
  CREATOR OWNER:(OI)(CI)(IO)F
  BUILTIN\Server Operators:(OI)(CI)R
  NT AUTHORITY\SYSTEM:(OI)(CI)F
• Set correct files system permissions to folder “%systemroot%\AppPatch” and all sub-folders
  BUILTIN\Administrators:(OI)(CI)F
  NT AUTHORITY\Authenticated Users:(OI)(CI)R
  CREATOR OWNER:(OI)(CI)(IO)F
  BUILTIN\Server Operators:(OI)(CI)R
  NT AUTHORITY\SYSTEM:(OI)(CI)F

You can use tool called Extended Change Access Control List (Xcacls) to easy setup of specific file system permissions for files or folders.