The MachineKeys directory is configured with non-default permissions

The information in this article applies to:

  • Visual Studio Team Foundation Server 2010

  • Windows Server 2003 and Windows Server 2008

  • SQL Server 2008

  • Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007

  • Servers that host the application tier and SharePoint Products

  • Team Foundation Server Complete Health Check

The Best Practices Analyzer tool for Team Foundation Server checks the security descriptor for the MachineKeys directory. An error appears if the MachineKeys directory is not set to use default permissions. The text of the error indicates the directory path where the non-default permissions are set.

If the service account for Team Foundation Server does not have full access to the MachineKeys directory, you might have problems accessing and using the Web services for Team Foundation Server. To resolve this issue, use Windows Explorer to change the permissions for the MachineKeys directory.

Required Permissions

To perform these procedures, you must be a member of the Administrators security group on the server to which the error message refers.

To change the permissions for the MachineKeys directory in Windows Server 2003

  1. Log on to the server to which the error message refers.

  2. Open Windows Explorer, and locate the directory path that is contained in the text of the error.

    By default, the path is Drive:\Documents and Settings\all users\Application Data\Microsoft\Crypto\RSA.

  3. Right-click the MachineKeys directory, and click Properties.

    Note

    If the directory does not appear, click Folder Options. On the View tab, click Show hidden files and folders.

    The MachineKeys Properties dialog box opens.

  4. Click the Security tab.

  5. Verify that Administrators and Everyone are listed under Group or user names. If they are not listed, add them as follows:

    a. Click Add.

    b. In the Select Users, Computers, or Groups dialog box, for From this location, type the name of the local computer, or click Locations and click the name of the local computer. Click OK.

    c. In Enter the object names to select, type the name of the user group that is missing, and then click Check Names. Click the group account, and click OK twice.

  6. Set the permissions for Administrators and Everyone:

    a. Click the group name (for example, Administrators).

      Note

      If the Special Permissions check box is selected, do not clear it. This selection grants full access to all file and folder actions.

    b. Click Full Control. The following check boxes should now be selected:

      Full Control

      Modify

      Read & Execute

      List Folder Contents

      Read

      Write

    c. Repeat steps 6a and 6b for Everyone.

  7. Click Advanced.

  8. Select the Replace permission entries on all child objects with entries shown here that apply to child objects check box.

  9. Click OK to confirm the changes.

  10. Click OK to close the dialog box.

To change the permissions for the MachineKeys directory in Windows Server 2008

  1. Log on to the server to which the error message refers.

  2. Open Windows Explorer, and locate the directory path that is contained in the text of the error.

    The default path is Drive:\ProgramData\Microsoft\Crypto\RSA.

  3. Right-click the MachineKeys directory, and click Properties.

    Note

    If the directory does not appear, click Organize, and then click Folder Options. On the View tab, click Show hidden files and folders.

    The MachineKeys Properties dialog box opens.

  4. Click the Security tab.

  5. Verify that Administrators and Everyone are listed under Group or user names. If they are not listed, add them as follows:

    a. Click Edit, and then click Add.

    b. In the Select Users, Computers, or Groups dialog box, in From this location, type the name of the local computer, or click Locations and click the name of the local computer. Click OK.

    c. In Enter the object names to select, type the name of the user group that is missing, and then click Check Names. Click the group account, and click OK twice.

  6. Set the permissions for Administrators and Everyone:

    a. Click the group name (for example, Administrators).

      Note

      If the Special Permissions check box is selected, do not clear it. This selection grants full access to all file and folder actions.

    b. Click Full Control.

      The following check boxes are selected automatically:

      Full Control

      Modify

      Read & Execute

      List Folder Contents

      Read

      Write

    c. Repeat steps 6a and 6b for Everyone.

  7. Click Advanced.

  8. Select the Replace all existing permissions on all descendants with inheritable permissions from this object check box.

  9. Click OK to confirm the changes.

  10. Click OK to close the dialog box.
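
The result of either procedure can be checked from PowerShell instead of the Security tab. The script below is an added example, not part of the original article or of the Best Practices Analyzer. It assumes the Windows Server 2008 default path (pass -Path with the directory from the error text otherwise), and the function name Get-FullControlGap is hypothetical.

```powershell
# Added example: read-only audit. It reports on the ACLs and changes nothing.
param(
    # Assumption: Windows Server 2008 default location. Pass the path from the
    # Best Practices Analyzer error text if it differs (for example, on
    # Windows Server 2003).
    [string]$Path = (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys')
)

# Well-known SIDs, so the check does not depend on the display language.
$Required    = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-1-0' = 'Everyone' }
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-FullControlGap {
    # Returns the names of the required groups that have no Allow entries
    # adding up to Full Control on $Item. Deny entries are not evaluated.
    param([string]$Item)
    try { $acl = Get-Acl -Path $Item -ErrorAction Stop }
    catch { return @('<ACL unreadable>') }

    # Explicit and inherited entries, with identities translated to SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($sid in $Required.Keys) {
        $granted = 0
        foreach ($r in $rules) {
            # Skip other principals, Deny entries, and entries that apply
            # only to child objects rather than to this object.
            if ($r.IdentityReference.Value -ne $sid) { continue }
            if ($r.AccessControlType -ne 'Allow') { continue }
            if (([int]$r.PropagationFlags -band $InheritOnly) -ne 0) { continue }
            $granted = $granted -bor [int]$r.FileSystemRights
        }
        if (($granted -band $FullControl) -ne $FullControl) { $Required[$sid] }
    }
}

# Check the directory itself, then every key file under it (step 8 of the
# procedures pushes the directory's entries down to the child objects).
$items = @($Path) + @(Get-ChildItem -Path $Path -Force | ForEach-Object { $_.FullName })
foreach ($item in $items) {
    $missing = @(Get-FullControlGap -Item $item)
    if ($missing.Count -gt 0) {
        New-Object PSObject -Property @{ Path = $item; MissingFullControl = ($missing -join ', ') }
    }
}
```

Run it from an elevated session as a member of Administrators. No output means the directory and every key file in it match the permissions set in the procedure.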

See Also

Tasks

The built-in Users group does not have the necessary permissions

Other Resources

Web Services Issues