(I am putting this on the forum since Google searches these forums. Maybe I'll be able to help someone else, or someone can help me refine this.)

The TID 3057160 "Dangers of using SYSPREP after NICI has been installed" is generally useless since it claims the Novell client (and NICI) should not be installed before a machine is Sysprepped.

Oh, and how am I supposed to build workstation images if I don't install NICI before I sysprep a machine? Does Novell honestly expect me to install 500 workstation images by loading the sysprepped image onto the target workstation and THEN going back and installing the Novell client? Are you nuts?! I don't have time for that. Isn't this why I'm using Sysprep in the first place?

Why was I able to install NICI before sysprepping with prior versions of the NetWare client for the past six years, but suddenly this issue has appeared in recent client releases?

It appears the real problem here is that someone at Novell screwed up the installation security for NICI and made it so that local Windows Administrators cannot access other NICI security data on the system. NICI security data is only accessible by one login at a time and relogging while already logged in triggers access denied and error 0xFFFFFA27 on the other NICI objects.

The partial solution is for me to hack the NICI security objects so that the local Windows Administrators have rights to access all NICI security objects regardless of who specifically owns them.

1. Novell Client 4.91 SP4 / Windows XP SP3
2. Log in as Windows Administrator user, but limited Novell account.
3. Without logging off, try to log in again as Novell "admin"... get error 0xFFFFFA27

4. Browse to "C:\WINDOWS\system32\novell\nici"
4b. Properties on folder "nici" -> Security
4c. Windows error: "The permissions on nici are incorrectly ordered, which may cause some entries to be ineffective. Press OK to continue and sort the permissions correctly, or Cancel to reset the permissions."
4d. After clicking "OK" it shows only "Administrators" as having full control.
4e. Give "SYSTEM" group full control too.

5. Select nici folder belonging to the currently-logged-in account
5b. Properties -> Security
5c. Windows error: "You don't have permission to access, blah blah"
5d. Advanced -> Take Ownership -> Assign owner to "Administrators"
5e. Click OK, reopen and verify Administrators has "Full Control"
5f. In security list, add the username for the named local account
5g. Assign "Full Control"
5h. In security list, add group "SYSTEM"
5i. Assign "Full Control"

6. Select nici folder for "SYSTEM"
6b. Properties -> Security
6c. Windows error: "You don't have permission to access, blah blah"
6d. Advanced -> Take Ownership -> Assign owner to "Administrators"
6e. Click OK, reopen and verify Administrators has "Full Control"
6f. In security list, add group "SYSTEM"
6g. Assign "Full Control"

7. No reboot necessary, and try to log in again. It works now, no error 0xFFFFFA27.

Now the local Windows Administrator can log in back and forth between Novell accounts without the error 0xFFFFFA27 appearing because the local Administrator has proper access to all NICI security objects.

It seems stupid for Novell to be installing NICI so as to be denying the local Administrators and SYSTEM access to these NICI objects, since the local Administrator can just take control of them, as shown here.

These permissions I am assigning may be overly permissive for what is required for this NICI error to go away, but since I don't know the specifics of how NICI works I cannot narrow down the permissions to the minimum needed to fix 0xFFFFFA27 without giving the local Administrators and SYSTEM full control.

Dale Mahalko
Email: dmahalko@gmail.com
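
As an added example (not part of the original post and not Novell tooling): a read-only PowerShell audit of the folders touched in steps 4 to 6, which can be run before and after the change to record the owner, the ACL ordering state behind the message in step 4c, and which identities hold Full Control. It assumes PowerShell 2.0 or later and the path given in step 4; the function name `Get-NiciAclReport` is made up for this example.

```powershell
# Added example: read-only audit of the NICI folder ACLs. Changes nothing.
# Path is the one given in step 4 of the post.
$niciRoot = 'C:\WINDOWS\system32\novell\nici'

function Get-NiciAclReport {
    param([string]$Root)

    $full = [System.Security.AccessControl.FileSystemRights]::FullControl

    # The nici folder itself plus each per-account subfolder beneath it.
    $targets = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root | Where-Object { $_.PSIsContainer })

    foreach ($dir in $targets) {
        try {
            $acl = Get-Acl -Path $dir.FullName -ErrorAction Stop
        } catch {
            # Same condition the GUI reports in steps 5c and 6c:
            # the current account cannot read this folder's security descriptor.
            New-Object PSObject -Property @{
                Folder = $dir.FullName; Owner = '<access denied>'
                Canonical = $null; Identity = $null; Type = $null
                Rights = $null; FullControl = $null
            } | Select-Object Folder, Owner, Canonical, Identity, Type, Rights, FullControl
            continue
        }

        foreach ($ace in $acl.Access) {
            New-Object PSObject -Property @{
                Folder      = $dir.FullName
                Owner       = $acl.Owner
                # False here corresponds to the "incorrectly ordered" warning in step 4c.
                Canonical   = $acl.AreAccessRulesCanonical
                Identity    = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType
                Rights      = $ace.FileSystemRights
                # True when this ACE carries every bit of Full Control.
                FullControl = (($ace.FileSystemRights -band $full) -eq $full)
            } | Select-Object Folder, Owner, Canonical, Identity, Type, Rights, FullControl
        }
    }
}

Get-NiciAclReport -Root $niciRoot | Format-Table -AutoSize
```

Saving the output from before and after the procedure gives a record of exactly which entries were added, which is the starting point for narrowing them later.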