Problem 1: I set the Office SharePoint Server Search Service to use a dedicated web front end computer for crawling. After doing this, the server I set to be dedicated for search crawling (indexing) started throwing this error:
Event ID: 6482
Source: Office SharePoint Server
Details: Application Server Administration job failed for service instance Microsoft.Office.Server.Search.Administration.SearchServiceInstance (3b4a9151-23b7-4c2f-ad89-b317610aae69). Reason: Access to the path 'C:\Windows\system32\drivers\etc\HOSTS' is denied.
Why in the world would SharePoint need access to the HOSTS file? Well, it turns out that SharePoint replaces the HOSTS file with a new one containing the IP addresses and hostnames for all web apps in SharePoint. The problem here is that the identity of the process running the SharePoint Timer Service doesn’t have access to the HOSTS file. Easy fix, right? Well, yes when SharePoint is running on Windows Server 2003. All one must do is grant Modify permissions to the WSS_ADMIN_WPG group on the ETC directory (on the directory because the Timer Job deletes the HOSTS file and then writes a new one).
Problem 2: If SharePoint is running on Windows Server 2008, an administrator can’t change the permissions on the ETC directory, even as an Elevated Administrator. I tried the following to change the permissions:
- 1st Attempt
  1. Browse to c:\windows\system32\drivers
  2. Right-click on the ETC directory, select Properties, click the Security tab and then click the Edit button.
  3. Click Continue on the UAC prompt.
  - PROBLEM: The Add button is grayed out. An Administrator can’t change the permissions.
- 2nd Attempt
  1. Click Start, All Programs, Accessories.
  2. Right-click on Windows Explorer and select Run As Administrator.
  3. Click Continue on the UAC prompt.
  4. Followed steps 1 – 3 from the 1st Attempt.
  - PROBLEM: The Add button is still grayed out. An Administrator can’t change the permissions even with an Elevated Windows Explorer (probably because Windows Explorer is never really elevated unless UAC is turned off).
- 3rd Attempt
  1. Click Start, right-click on Command Prompt and select Run as Administrator.
  2. Click Continue on the UAC prompt.
  3. Run icacls c:\windows\system32\drivers\etc /grant WSS_ADMIN_WPG:f
  - PROBLEM: Access is denied error returned from icacls. One can’t change the permissions using icacls in an Elevated Command Prompt.
- 4th Attempt (Workable Solution)
  1. Browse to c:\windows\system32\drivers.
  2. Right-click on the ETC directory, select Properties, click the Security tab, and then click the Advanced button.
  3. Select the Owner tab. Wait, what’s that? TrustedInstaller is the Current Owner?
  4. Click the Edit button.
  5. Click Continue on the UAC prompt.
  6. Change the Owner to the Administrators group, select the “Replace owner on subcontainers and objects” option and click OK.
  7. Click OK on the prompt telling you to close the properties window and re-open it.
  8. Click OK on the “Advanced Security Settings for etc” window.
  9. Click OK on the “etc Properties” window.
  10. Right-click on the ETC directory, select Properties, click the Security tab, and then click the Edit button.
  11. Click Continue on the UAC prompt (you probably will not get this prompt unless you have rebooted since granting yourself ownership of the directory).
  12. Click Add, enter the local server name followed by \WSS_ADMIN_WPG, and click OK (the local server name is given because the machine will otherwise try to use a domain group/user here).
  13. Grant the group Modify rights and click OK.
  14. Click Yes on the Security Warning.
  15. Click OK on the “etc Properties” window.
  - SOLVED.
Another Solution
1. Click Start, right-click on Command Prompt and select Run as Administrator.
2. Click Continue on the UAC prompt.
3. Run takeown /f c:\windows\system32\drivers\etc /a
4. Run icacls c:\windows\system32\drivers\etc /grant WSS_ADMIN_WPG:m
You have got to love the command line, we just took a 15 step process and turned it into 4 steps!!!
Yes, yet another “fix” would be to disable UAC, make the necessary changes and then re-enable UAC. The problem with this is that the administrator must reboot after each change to the UAC state. Not really a viable solution if the farm is live, is it?
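The command-line fix above as a repeatable script, extended with two steps the post does not include: handing ownership of the directory back to TrustedInstaller once the grant is in place, and reading the ACL back to confirm the result. This is an added example, not the author's code; the parameter names, the Invoke-Native helper, the backup file path and the machine-qualified group name built from the COMPUTERNAME variable are assumptions, and the grant uses (OI)(CI) so the entry inherits to files in the directory the way the GUI grant in the 4th attempt does by default.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
param(
    [string]$Path  = "$env:SystemRoot\System32\drivers\etc",
    # Assumption: WSS_ADMIN_WPG is the local group, so qualify it with the machine name.
    [string]$Group = "$env:COMPUTERNAME\WSS_ADMIN_WPG"
)

# Hypothetical helper: run a native tool and stop on a non-zero exit code.
function Invoke-Native([string]$Exe, [string[]]$Arguments) {
    & $Exe $Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# Record the starting state so the change can be reviewed later.
Write-Host "Owner before: $((Get-Acl -Path $Path).Owner)"
Invoke-Native icacls @($Path, '/save', "$env:TEMP\etc-acl-before.txt")

# 1. Take ownership for the Administrators group (the post's takeown /a step).
Invoke-Native takeown @('/f', $Path, '/a')

# 2. Grant Modify. (OI)(CI) makes the entry inherit to files and subfolders,
#    so a HOSTS file that is deleted and rewritten picks it up as well.
Invoke-Native icacls @($Path, '/grant', "${Group}:(OI)(CI)M")

# 3. Return ownership to TrustedInstaller so Administrators do not stay owner.
Invoke-Native icacls @($Path, '/setowner', 'NT SERVICE\TrustedInstaller')

# 4. Read the ACL back and confirm both the grant and the owner.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$acl    = Get-Acl -Path $Path
$rule   = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $modify) -eq $modify
}
if (-not $rule) { throw "No Allow/Modify entry for $Group on $Path" }
Write-Host "Owner after:  $($acl.Owner)"
Write-Host "Grant found:  $($rule.IdentityReference) $($rule.FileSystemRights)"
```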
Happy SharePointing!!!!!