To resolve this issue, you can either disable the policy setting (Method
A), or edit the permissions to provide the Licensing Service the
required permissions (Method B).
Method A: Disable the Plug and Play Policy
1. Determine the source of the policy. To do this, follow these steps:
a. On the client experiencing the Activation error, run the Resultant Set of Policy wizard by clicking Start, Run and entering rsop.msc as the command.
b. Visit the following location:
Computer Configuration / Policies / Windows Settings / Security Settings / System Services /
If the Plug and Play service is configured through a Group Policy setting, you see it here with settings other than Not Defined. Additionally, you can see which Group Policy is applying this setting.
2. Disable the Group Policy settings and force the Group Policy to be reapplied.
a. Edit the Group Policy that is identified in Step 1 and change the setting to "Not Defined." Or, follow the section below to add the required permissions for the Network Service account.
b. Force the Group Policy setting to reapply:
gpupdate /force (a restart of the client is sometimes required)
Method B: Edit the permissions of the Group Policy:
1. Open the Group Policy that is identified in Method A, Step 1 above, and open the corresponding Group Policy setting.
2. Click the Edit Security button, and then click the Advanced button.
3. In the Advanced Security Settings for Plug and Play window click Add and then add the SERVICE account. Then, click OK.
4. Select the following permissions in the Allow section and then click OK:
Query template
Query status
Enumerate dependents
Interrogate
User-defined control
Read permissions
Note: The previous rights are the minimum required permissions.
5. Run gpupdate /force after you apply the previous permissions to the Group Policy setting.
6. Verify that the appropriate permissions are applied with the following command:
sc sdshow plugplay
The following are the rights applied to the Plug and Play service in SDDL:
D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWLOCRRC;;;IU)
(A;;CCLCSWLOCRRC;;;SU)
S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
(A;;CC LC SW LO CR RC;;;SU) is an Access Control Entry (ACE) that allows the following rights to "SU" (SDDL_SERVICE - Service logon user):
A: Access Allowed
CC: Create Child
LC: List Children
SW: Self Write
LO: List Object
CR: Control Access
RC: Read Control
SU: Service Logon User
Note: If there are no GPOs in place, then another activity may have changed the default registry permissions. To work around this issue, perform the following steps:
- On the computer that is out of tolerance, start Registry Editor.
- Right-click the registry key HKEY_USERS\S-1-5-20, and select Permissions...
- If the NETWORK SERVICE is not present, click Add...
- In Enter the object names to select type Network Service and then click Check Names and OK.
- Select the NETWORK SERVICE and Grant Full Control and Read permissions.
- Restart the computer.
- After the restart, the system may require activation. Complete the activation.
If you think this solution helps you then your token of appreciation in the form of Rating and a testimonial will be esteemed.
Thank you and Keep Visiting FixYa!
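The verification in Method B, step 6 can be scripted rather than read by eye. The following PowerShell is an added example, not part of the original answer: it parses the DACL from the sc sdshow output and reports which of the six step 4 permissions the service logon user (SU) is missing. The function name Get-MissingServiceRight and the variable $RequiredRights are hypothetical, and the code assumes the rights appear as two-letter SDDL codes (as in the output above), not as a hex mask.

```powershell
# SDDL right codes for a service object, paired with the permission
# names listed in Method B, step 4.
$RequiredRights = [ordered]@{
    CC = 'Query template';       LC = 'Query status'
    SW = 'Enumerate dependents'; LO = 'Interrogate'
    CR = 'User-defined control'; RC = 'Read permissions'
}

# Hypothetical helper (not a built-in cmdlet): returns the required rights
# that no allow ACE in the DACL grants to the given trustee.
function Get-MissingServiceRight {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$Trustee = 'SU'            # SDDL alias for the service logon user
    )
    $flat = $Sddl -replace '\s', ''        # sc.exe output may contain line breaks
    # Keep only the DACL: text after "D:" up to the SACL ("S:") or end of string.
    if ($flat -notmatch 'D:(?<dacl>.*?)(?=S:|$)') { throw 'No DACL in SDDL string.' }

    $granted = @()
    foreach ($ace in [regex]::Matches($Matches['dacl'], '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        $f = $ace.Groups[1].Value.Split(';')
        if ($f.Count -ge 6 -and $f[0] -eq 'A' -and $f[5] -eq $Trustee) {
            # Rights are concatenated two-letter codes; allow ACEs are unioned.
            $granted += @([regex]::Matches($f[2], '[A-Z]{2}') | ForEach-Object { $_.Value })
        }
    }
    $RequiredRights.Keys | Where-Object { $granted -notcontains $_ } |
        ForEach-Object { [pscustomobject]@{ Code = $_; Permission = $RequiredRights[$_] } }
}

# The SDDL shown in step 6, joined onto one line.
$expected = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
            '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
# Constructed sample: the same descriptor with the SU ACE reduced to CC and RC.
$restricted = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)(A;;CCRC;;;SU)'

Get-MissingServiceRight -Sddl $expected   | Format-Table -AutoSize
Get-MissingServiceRight -Sddl $restricted | Format-Table -AutoSize

# On an affected client, feed it the live descriptor. Use sc.exe explicitly:
# in Windows PowerShell, "sc" is an alias for Set-Content.
# Get-MissingServiceRight -Sddl ((sc.exe sdshow plugplay) -join '')
```

Deny ACEs are not evaluated, so a result with no missing rights means the allow ACEs are in place, not that access is guaranteed.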