Article ID: 2701943
When you try to join a Microsoft Forefront Threat Management Gateway (TMG) 2010 server to an array, the array join operation fails. Additionally, you receive the following error message:
The Operation Failed. Error code - 0x80070002 - the system cannot find the file specified.
This problem occurs because the BUILTIN\Administrators group was removed from the Enterprise Administrators role, and this removal is not supported. Additionally, a fix was released for Threat Management Gateway Service Pack 2 (SP2) to block the removal of the BUILTIN\Administrators group from the Enterprise Administrators role.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
2595999 FIX: "0x80070002" error in Forefront Threat Management Gateway 2010 when an array join operation fails because the BUILTIN\Administrators group is removed from TMG Enterprise Administrators role (http://support.microsoft.com/kb/2595999/)
The removal of the BUILTIN\Administrators group from the Enterprise Administrators role is now supported in a domain environment. Such environments include servers that meet the following requirements:
2689195 Rollup 2 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (http://support.microsoft.com/kb/2689195/)
Important The removal of the BUILTIN\Administrators group is not supported in a workgroup scenario.
To remove the BUILTIN\Administrators group from the Enterprise Administrators role, follow these steps:
Microsoft has confirmed that this is a limitation in the Microsoft products that are listed in the "Applies to" section.
A user who is designated as an administrator is implicitly made very powerful on the Threat Management Gateway server (see note 1). By using the Firewall Policy, the user controls not only what network traffic can flow to or from the Threat Management Gateway server, but also to and from the networks it protects. The user can make configuration changes that regular users cannot make, such as configuring VPN and NLB. The user can even configure TMG Alert actions that execute arbitrary programs in the context of “LOCAL SYSTEM”. Therefore, the Threat Management Gateway Administrator is effectively a server administrator even if the user is not a member of the BUILTIN\Administrators group. To reflect that, it is required for all Threat Management Gateway Administrators to be members of the BUILTIN\Administrators group.
Members of the BUILTIN\Administrators group can do anything on the Threat Management Gateway server. This includes changing the effective Threat Management Gateway Firewall policy even when they are not designated as Threat Management Gateway Administrators. To reflect this and to prevent misconceptions about the security boundaries of Threat Management Gateway role assignment, the BUILTIN\Administrators principal is assigned to the Threat Management Gateway Administrator role and cannot be removed by default (see note 2).
However, some organizations use a per-application administration separation model, by assigning different members of BUILTIN\Administrators as administrators of different applications. For example, one administrator is assigned as a Microsoft SQL Server administrator and another as a SharePoint administrator. You should be aware that such a configuration does not create a security boundary between any member of BUILTIN\Administrators and any application administration. A member of BUILTIN\Administrators can deliberately take ownership of any application on the server. Therefore, such a configuration is useful only for preventing accidental configuration mistakes on applications on which the user is not assigned as an administrator. Threat Management Gateway now supports this administration separation mode by enabling the BUILTIN\Administrators group to be removed from the Threat Management Gateway Administrator role assignment. However, to prevent confusion and misconception about the Threat Management Gateway administration security boundary, this is not enabled by default. Use the script to enable or to disable the BUILTIN\Administrators group removal from the Threat Management Gateway Administrator role assignment.
Note 1 For example, a user who is assigned the "Forefront TMG Array Administrator" role or, for an Enterprise deployment, a user who is assigned the "Forefront TMG Enterprise Administrator" role.
Note 2 "What's a security boundary? It's a wall through which code and data can't pass without the authorization of a security policy" (PsExec, User Account Control and Security Boundaries).
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates (http://support.microsoft.com/kb/824684/)