Select the product you need help with

FIX: Error message when you try to join a Forefront Threat Management Gateway 2010 server to an array: "The Operation Failed. Error code - 0x80070002 - the system cannot find the file specified"

Article ID: 2701943 - View products that this article applies to.

Symptoms

When you try to join a Microsoft Forefront Threat Management Gateway (TMG) 2010 server to an array, the array join operation fails. Additionally, you receive the following error message:

The Operation Failed. Error code - 0x80070002 - the system cannot find the file specified.

Back to the top | Give Feedback

This problem occurs because the BUILTIN\Administrators group was removed from the Enterprise Administrators role, and this removal is not supported. Additionally, a fix was released for Threat Management Gateway Service Pack 2 (SP2) to block the removal of the BUILTIN\Administrators group from the Enterprise Administrators role.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

2595999

(http://support.microsoft.com/kb/2595999/ )

FIX: "0x80070002" error in Forefront Threat Management Gateway 2010 when an array join operation fails because the BUILTIN\Administrators group is removed from TMG Enterprise Administrators role

Back to the top | Give Feedback

Resolution

The removal of the BUILTIN\Administrators group from the Enterprise Administrators role is now supported in a domain environment. Such environments include servers that meet the following requirements:

The servers are running Threat Management Gateway and Enterprise Management Server.
The servers are joined to the domain.

To add this support, install the hotfix package that is described in the following Microsoft Knowledge Base article:

2689195

(http://support.microsoft.com/kb/2689195/ )

Rollup 2 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2

Important The removal of the BUILTIN\Administrators group is not supported in a workgroup scenario.

To remove the BUILTIN\Administrators group from the Enterprise Administrators role, follow these steps:

After you apply this hotfix package, copy the following script to a new text editor file such as Notepad.exe, and then save the file as SetBuiltInAdminsRemoval.vbs:

'------------------------------------------------------------------------------
' Copyright (c) 2012 Microsoft Corporation. All rights reserved.
'
' Filename: SetBuiltInAdminsRemoval.vbs
'
' Description: Set the flag that allows removing the BUILTIN\Administrators group
' from the TMG Enterprise/Array Administrators list
'------------------------------------------------------------------------------

const DELEGATED_ADMIN_VPS_GUID = "{65d64720-510e-4fce-8625-4050dcae45dd}"
const ALLOW_BUILT_IN_ADMINS_REMOVAL_VP_NAME = "AllowBuiltIntAdminsRemoval"
const fpcConfigurationStandalone = 0
const fpcConfigurationEnterprise = 1

Set objArgs = wscript.Arguments

if objArgs.Count <> 1 then
wscript.echo "Usage: SetBuiltInAdminsRemoval.vbs <0|1>"
wscript.echo
wscript.echo " 0 - Do not allow removal of the BUILTIN\Administrators group from TMG Admins list."
wscript.echo " 1 - Allow the removal of the BUILTIN\Administrators group from TMG Admins list."
wscript.Quit 2
end if

if objArgs(0) = 0 then
fAllowBuiltInAdminsRemoval = 0
else
fAllowBuiltInAdminsRemoval = 1
end if

Set root = CreateObject("FPC.Root")

if root.ConfigurationMode = fpcConfigurationStandalone then
strScope = "Array"
Set objDelegatedAdmins = root.GetContainingArray.AdminSecurity.DelegatedAdmins
elseif root.ConfigurationMode = fpcConfigurationEnterprise then
strScope = "Enterprise"
Set objDelegatedAdmins = root.Enterprise.AdminSecurity.DelegatedAdmins
else
wscript.echo "Error: Could not determine whether the local TMG host belongs to an enterprise or it is a standalone server/array."
wscript.Quit 1
end if

' It is assumed here that if the BUILTIN\Administrators group is assigned to a role, it is
' necessarily a TMG Administrator role

if fAllowBuiltInAdminsRemoval = 0 AND not IsBuiltInAdminsAssignedRole(objDelegatedAdmins) then
wscript.echo "the BUILTIN\Administrators group must be assigned to " & strScope & " Admin role"
wscript.echo "before the default setting that blocks its removal can be restored."
wscript.Quit 1
end if

GetVPSet(objDelegatedAdmins, DELEGATED_ADMIN_VPS_GUID).Value(ALLOW_BUILT_IN_ADMINS_REMOVAL_VP_NAME) = fAllowBuiltInAdminsRemoval

objDelegatedAdmins.Save

if fAllowBuiltInAdminsRemoval = 0 then
wscript.echo "Done. Removal of the BUILTIN\Administrators group from admin list is now not allowed."
else
wscript.echo "Done. Removal of the BUILTIN\Administrators group from admin list is now allowed."
end if

function GetVPSet(obj, strVPSetGUID)
On Error resume next

Set GetVPSet = obj.VendorParametersSets(strVPSetGUID)

On Error GoTo 0
if IsEmpty(GetVPSet) Then
Set GetVPSet = obj.VendorParametersSets.Add(strVPSetGUID)
End if
end function

function IsBuiltInAdminsAssignedRole(objDelegatedAdmins)
IsBuiltInAdminsAssignedRole = False
for each objAdmin in objDelegatedAdmins
if objAdmin.Account = "S-1-5-32-544" then
IsBuiltInAdminsAssignedRole = True
end if
Next
end function

Type the following command at an elevated command prompt, and then press Enter:
cscript SetBuiltInAdminsRemoval.vbs 1
In Microsoft Management Console (MMC), remove the BUILTIN\Administrators group. To do this, click the Roles tab of the array property or of the Enterprise property.

Notes

For information about how to use the script, run the script without using parameters.
If you restore the default settings so that the removal of the BUILTIN\Administrators group is not allowed, the BUILTIN\Administrators group must be assigned to the TMG Administrator role. Otherwise, the script will fail and will generate the following error message. (This is the same error message that is generated when you try to remove the BUILTIN\Administrators group without enabling the group's removal by using the script that is mentioned in this section.)
A Forefront TMG configuration must include the built-in Administrators group that is delegated the role of Forefront TMG Full Administrator.
In a stand-alone configuration of either a stand-alone Threat Management Gateway server or a stand-alone Threat Management Gateway array, the default BUILTIN\Administrators group assignment is at the array level. In an Enterprise configuration, the default BUILTIN\Administrators group assignment is at the Enterprise level. This script automatically detects the configuration and makes the group assignment setting accordingly. If the configuration changes, the script must be run again. For example, if a server is disconnected from the Enterprise and becomes a stand-alone server, the script must be run again.

Back to the top | Give Feedback

Status

Microsoft has confirmed that this is a limitation in the Microsoft products that are listed in the "Applies to" section.

Back to the top | Give Feedback

More information

A user who is designated as an administrator is implicitly made very powerful on the Threat Management Gateway server (see note 1). By using the Firewall Policy, the user controls not only what network traffic can flow to or from the Threat Management Gateway server, but also to and from the networks it protects. The user can make configuration changes that regular users cannot make such as configuring VPN and NLB. The user can even configure TMG Alert actions that execute arbitrary programs in the context of “LOCAL SYSTEM”. Therefore, the Threat Management Gateway Administrator is effectively a server administrator even if the user is not a member of the BUILTIN\Administrators group. To reflect that, it is required for all Threat Management Gateway Administrators to be members of the BUILTIN\Administrators group.

Members of the BUILTIN\Administrators group can do anything on the Threat Management Gateway server. This includes changing the effective Threat Management Gateway Firewall policy when they are not designated as Threat Management Gateway Administrators. To reflect this and to prevent misconceptions about Threat Management Gateway roles assignment security boundaries, the BUILTIN\Administrators principal is assigned to the Threat Management Gateway Administrator role and cannot be removed by default (see note 2).

However, some organizations use a per-application administration separation model, by assigning different members of BUILTIN\Administrators as administrators of different applications. For example assign one administrator as a Microsoft SQL Server administrator and another one as a SharePoint administrator. You should be aware that such a configuration does not create a security boundary between any member of BUILTIN\Administrators and any application administration. A member of BUILTIN\Administrators can deliberately take ownership on any application on the server. Therefore,, such a configuration is useful only for preventing accidental configuration mistakes on applications on which the user is not assigned as an administrator. Threat Management Gateway now supports this administration separation mode by enabling the BUILTIN\Administrators group to be removed from the Threat Management Gateway Administrator role assignment. However, to prevent confusion and misconception about the Threat Management Gateway administrations security boundary, this is not enabled by default. Use the script to enable or to disable the BUILTIN\Administrators group removal from the Threat Management Gateway Administrator role assignment.

Note 1 For example, a user who is assigned the "Forefront TMG Array Administrator" role or, for an Enterprise deployment, a user who is assigned the "Forefront TMG Enterprise Administrator" role.

Note 2 "What's a security boundary? It's a wall through which code and data can't pass without the authorization of a security policy" (PsExec, User Account Control and Security Boundaries

(http://blogs.technet.com/b/markrussinovich/archive/2007/02/12/638372.aspx)

Back to the top | Give Feedback