Applies To

Forefront Threat Management Gateway 2010 Enterprise

Symptoms

When you try to join a Microsoft Forefront Threat Management Gateway (TMG) 2010 server to an array, the array join operation fails. Additionally, you receive the following error message:

The Operation Failed. Error code - 0x80070002 - the system cannot find the file specified.

Cause

This problem occurs because the BUILTIN\Administrators group was removed from the Enterprise Administrators role, and this removal is not supported. Additionally, a fix was released for Threat Management Gateway Service Pack 2 (SP2) to block the removal of the BUILTIN\Administrators group from the Enterprise Administrators role.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

2595999 FIX: "0x80070002" error in Forefront Threat Management Gateway 2010 when an array join operation fails because the BUILTIN\Administrators group is removed from TMG Enterprise Administrators role

Resolution

The removal of the BUILTIN\Administrators group from the Enterprise Administrators role is now supported in a domain environment. Such environments include servers that meet the following requirements:

  • The servers are running Threat Management Gateway and Enterprise Management Server.

  • The servers are joined to the domain.

To add this support, install the hotfix package that is described in the following Microsoft Knowledge Base article:

2689195 Rollup 2 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2

Important The removal of the BUILTIN\Administrators group is not supported in a workgroup scenario.

To remove the BUILTIN\Administrators group from the Enterprise Administrators role, follow these steps:

  1. After you apply this hotfix package, copy the following script to a new text editor file such as Notepad.exe, and then save the file as SetBuiltInAdminsRemoval.vbs:

    '------------------------------------------------------------------------------
    ' Copyright (c) 2012 Microsoft Corporation. All rights reserved.
    '
    ' Filename: SetBuiltInAdminsRemoval.vbs
    '
    ' Description: Set the flag that allows removing the BUILTIN\Administrators group
    ' from the TMG Enterprise/Array Administrators list
    '------------------------------------------------------------------------------
    const DELEGATED_ADMIN_VPS_GUID = "{65d64720-510e-4fce-8625-4050dcae45dd}"
    const ALLOW_BUILT_IN_ADMINS_REMOVAL_VP_NAME = "AllowBuiltIntAdminsRemoval"
    const fpcConfigurationStandalone = 0
    const fpcConfigurationEnterprise = 1

    Set objArgs = wscript.Arguments
    if objArgs.Count <> 1 then
        wscript.echo "Usage: SetBuiltInAdminsRemoval.vbs <0|1>"
        wscript.echo
        wscript.echo " 0 - Do not allow removal of the BUILTIN\Administrators group from TMG Admins list."
        wscript.echo " 1 - Allow the removal of the BUILTIN\Administrators group from TMG Admins list."
        wscript.Quit 2
    end if

    ' Command-line arguments are strings. VBScript never treats a string as equal to
    ' a number, so the argument is compared as the string "0" rather than the number 0.
    if objArgs(0) = "0" then
        fAllowBuiltInAdminsRemoval = 0
    else
        fAllowBuiltInAdminsRemoval = 1
    end if

    ' Locate the delegated administrator list at the scope that holds the default
    ' BUILTIN\Administrators assignment: the array for a stand-alone server or array,
    ' the enterprise for an enterprise-managed server.
    Set root = CreateObject("FPC.Root")
    if root.ConfigurationMode = fpcConfigurationStandalone then
        strScope = "Array"
        Set objDelegatedAdmins = root.GetContainingArray.AdminSecurity.DelegatedAdmins
    elseif root.ConfigurationMode = fpcConfigurationEnterprise then
        strScope = "Enterprise"
        Set objDelegatedAdmins = root.Enterprise.AdminSecurity.DelegatedAdmins
    else
        wscript.echo "Error: Could not determine whether the local TMG host belongs to an enterprise or it is a standalone server/array."
        wscript.Quit 1
    end if

    ' It is assumed here that if the BUILTIN\Administrators group is assigned to a role, it is
    ' necessarily a TMG Administrator role
    if fAllowBuiltInAdminsRemoval = 0 AND not IsBuiltInAdminsAssignedRole(objDelegatedAdmins) then
        wscript.echo "the BUILTIN\Administrators group must be assigned to " & strScope & " Admin role"
        wscript.echo "before the default setting that blocks its removal can be restored."
        wscript.Quit 1
    end if

    ' Store the flag in the vendor parameter set attached to the delegated admin list
    ' and persist the change to the TMG configuration storage.
    GetVPSet(objDelegatedAdmins, DELEGATED_ADMIN_VPS_GUID).Value(ALLOW_BUILT_IN_ADMINS_REMOVAL_VP_NAME) = fAllowBuiltInAdminsRemoval
    objDelegatedAdmins.Save

    if fAllowBuiltInAdminsRemoval = 0 then
        wscript.echo "Done. Removal of the BUILTIN\Administrators group from admin list is now not allowed."
    else
        wscript.echo "Done. Removal of the BUILTIN\Administrators group from admin list is now allowed."
    end if

    ' Returns the vendor parameter set with the given GUID, creating it if it does not exist yet.
    function GetVPSet(obj, strVPSetGUID)
        On Error resume next
        Set GetVPSet = obj.VendorParametersSets(strVPSetGUID)
        On Error GoTo 0
        if IsEmpty(GetVPSet) Then
            Set GetVPSet = obj.VendorParametersSets.Add(strVPSetGUID)
        End if
    end function

    ' True if the BUILTIN\Administrators group (well-known SID S-1-5-32-544) holds a role.
    function IsBuiltInAdminsAssignedRole(objDelegatedAdmins)
        IsBuiltInAdminsAssignedRole = False
        for each objAdmin in objDelegatedAdmins
            if objAdmin.Account = "S-1-5-32-544" then
                IsBuiltInAdminsAssignedRole = True
            end if
        Next
    end function
  2. Type the following command at an elevated command prompt, and then press Enter:

    cscript SetBuiltInAdminsRemoval.vbs 1

  3. In Microsoft Management Console (MMC), remove the BUILTIN\Administrators group. To do this, click the Roles tab of the array property or of the Enterprise property.

Notes

  • For information about how to use the script, run the script without using parameters.

  • If you restore the default settings so that the removal of the BUILTIN\Administrators group is not allowed, the BUILTIN\Administrators group must be assigned to the TMG Administrator role. Otherwise, the script will fail and will generate the following error message. (This is the same error message that is generated when you try to remove the BUILTIN\Administrators group without enabling the group's removal by using the script that is mentioned in this section.)

    A Forefront TMG configuration must include the built-in Administrators group that is delegated the role of Forefront TMG Full Administrator.

  • In a stand-alone configuration of either a stand-alone Threat Management Gateway server or a stand-alone Threat Management Gateway array, the default BUILTIN\Administrators group assignment is at the array level. In an Enterprise configuration, the default BUILTIN\Administrators group assignment is at the Enterprise level. This script automatically detects the configuration and makes the group assignment setting accordingly. If the configuration changes, the script must be run again. For example, if a server is disconnected from the Enterprise and becomes a stand-alone server, the script must be run again.
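Because the allow-removal flag and the BUILTIN\Administrators assignment are both stored in TMG configuration storage rather than in Windows group membership, a reviewer wants a way to read the current state without changing it. The following read-only audit script is an added example; it is not part of this article or of the hotfix package. It uses the same FPC.Root COM object, configuration-mode constants, vendor parameter set GUID and property names as SetBuiltInAdminsRemoval.vbs above. The file name, the exit codes, and reading the flag back through the same Value property that the Microsoft script writes are assumptions.

```vbscript
'------------------------------------------------------------------------------
' Filename: AuditBuiltInAdminsRemoval.vbs  (hypothetical name; added example)
'
' Read-only check of the TMG delegated administrator configuration:
'   - which scope (Array or Enterprise) holds the default assignment
'   - every account that holds a delegated role at that scope
'   - whether BUILTIN\Administrators (S-1-5-32-544) is still assigned
'   - whether the allow-removal flag set by SetBuiltInAdminsRemoval.vbs is on
' Nothing is created or saved. Exit codes (assumed): 0 = default state,
' 3 = removal allowed and/or built-in group not assigned, 1 = read failure.
' Run from an elevated prompt on the TMG server: cscript AuditBuiltInAdminsRemoval.vbs
'------------------------------------------------------------------------------
const DELEGATED_ADMIN_VPS_GUID = "{65d64720-510e-4fce-8625-4050dcae45dd}"
const ALLOW_BUILT_IN_ADMINS_REMOVAL_VP_NAME = "AllowBuiltIntAdminsRemoval"
const BUILTIN_ADMINS_SID = "S-1-5-32-544"
const fpcConfigurationStandalone = 0
const fpcConfigurationEnterprise = 1

Set root = CreateObject("FPC.Root")
if root.ConfigurationMode = fpcConfigurationStandalone then
    strScope = "Array"
    Set objDelegatedAdmins = root.GetContainingArray.AdminSecurity.DelegatedAdmins
elseif root.ConfigurationMode = fpcConfigurationEnterprise then
    strScope = "Enterprise"
    Set objDelegatedAdmins = root.Enterprise.AdminSecurity.DelegatedAdmins
else
    wscript.echo "Error: could not determine the TMG configuration mode."
    wscript.Quit 1
end if

' 1. List every delegated administrator at this scope, so the full set of accounts
'    that can change firewall policy is visible, not just the built-in group.
fBuiltInAssigned = False
wscript.echo "Delegated administrators at " & strScope & " scope:"
for each objAdmin in objDelegatedAdmins
    wscript.echo "  " & objAdmin.Account
    if objAdmin.Account = BUILTIN_ADMINS_SID then fBuiltInAssigned = True
Next

' 2. Read the allow-removal flag without creating the vendor parameter set. If the
'    set or the value is absent, the flag was never written and the default (blocked) applies.
fRemovalAllowed = ReadRemovalFlag(objDelegatedAdmins)

' 3. Report and map the findings to an exit code so the check can be scheduled.
iExit = 0
if fBuiltInAssigned then
    wscript.echo "BUILTIN\Administrators assigned at " & strScope & " scope: yes"
else
    wscript.echo "BUILTIN\Administrators assigned at " & strScope & " scope: NO"
    iExit = 3
end if
if fRemovalAllowed = 1 then
    wscript.echo "Removal of BUILTIN\Administrators allowed: yes (non-default)"
    iExit = 3
else
    wscript.echo "Removal of BUILTIN\Administrators allowed: no (default)"
end if
wscript.Quit iExit

' Returns 1 if the allow-removal flag is set, otherwise 0. Never adds the parameter set.
' Reading the flag through .Value(name) mirrors the write in the Microsoft script (assumption).
function ReadRemovalFlag(obj)
    ReadRemovalFlag = 0
    On Error Resume Next
    Set vps = obj.VendorParametersSets(DELEGATED_ADMIN_VPS_GUID)
    if Err.Number <> 0 then
        On Error GoTo 0
        exit function
    end if
    v = vps.Value(ALLOW_BUILT_IN_ADMINS_REMOVAL_VP_NAME)
    if Err.Number <> 0 then
        On Error GoTo 0
        exit function
    end if
    On Error GoTo 0
    if CStr(v) = "1" then ReadRemovalFlag = 1
end function
```

A non-zero exit means the server deviates from the default described in this article, which is exactly the condition to review after a server leaves or joins an Enterprise, since the scope that holds the assignment changes with the configuration mode.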

Status

Microsoft has confirmed that this is a limitation in the Microsoft products that are listed in the "Applies to" section.

More Information

A user who is designated as an administrator is implicitly made very powerful on the Threat Management Gateway server (see note 1). By using the Firewall Policy, the user controls not only what network traffic can flow to or from the Threat Management Gateway server, but also to and from the networks it protects. The user can make configuration changes that regular users cannot make, such as configuring VPN and NLB. The user can even configure TMG Alert actions that execute arbitrary programs in the context of “LOCAL SYSTEM”. Therefore, the Threat Management Gateway Administrator is effectively a server administrator even if the user is not a member of the BUILTIN\Administrators group. To reflect that, all Threat Management Gateway Administrators are required to be members of the BUILTIN\Administrators group.

Members of the BUILTIN\Administrators group can do anything on the Threat Management Gateway server. This includes changing the effective Threat Management Gateway Firewall policy even when they are not designated as Threat Management Gateway Administrators. To reflect this, and to prevent misconceptions about the security boundaries of Threat Management Gateway role assignment, the BUILTIN\Administrators principal is assigned to the Threat Management Gateway Administrator role and cannot be removed by default (see note 2).

However, some organizations use a per-application administration separation model, assigning different members of BUILTIN\Administrators as administrators of different applications. For example, one administrator is assigned as a Microsoft SQL Server administrator and another one as a SharePoint administrator. You should be aware that such a configuration does not create a security boundary between any member of BUILTIN\Administrators and any application administration. A member of BUILTIN\Administrators can deliberately take ownership of any application on the server. Therefore, such a configuration is useful only for preventing accidental configuration mistakes on applications for which the user is not assigned as an administrator. Threat Management Gateway now supports this administration separation mode by enabling the BUILTIN\Administrators group to be removed from the Threat Management Gateway Administrator role assignment. However, to prevent confusion and misconception about the Threat Management Gateway administration security boundary, this is not enabled by default. Use the script to enable or to disable the removal of the BUILTIN\Administrators group from the Threat Management Gateway Administrator role assignment.

Note 1 For example, a user who is assigned the "Forefront TMG Array Administrator" role or, for an Enterprise deployment, a user who is assigned the "Forefront TMG Enterprise Administrator" role.

Note 2 "What's a security boundary? It's a wall through which code and data can't pass without the authorization of a security policy" (PsExec, User Account Control and Security Boundaries).

References

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates
