Debug programs right needed to uninstall ConfigMgr Console

I recently discovered an interesting issue when trying to uninstall the ConfigMgr Console from a Windows Server 2003 system to which the SSLF member server baseline policy is applied.  When running through setup to uninstall the console, all of the components all show the status "Not Started" and the wizard lets you click Next, i.e., nothing happens.  C:\ConfigMgrSetup.log contains the following:

<04-10-2009 19:09:01> Verifying SMS Active Directory Schema Extensions.
<04-10-2009 19:09:01> DS Root:CN=Schema,CN=Configuration,DC=contoso,DC=local
<04-10-2009 19:09:01> Entry: KillUserApps()
<04-10-2009 19:09:01> AdjustTokenPrivileges failed with 1300
<04-10-2009 19:09:01> Could not verify an open MMC instance due to the error.
<04-10-2009 19:09:01> Exiting THREAD_DeinstallUI.
<04-10-2009 19:09:03> Dumping data to C:\ComponentSetup.log.
<04-10-2009 19:09:03> Moving to Finish page. Installation and Configruation processes are done.

Error code 1300 translates to "Not all privileges referenced are assigned to the caller."

In comparing the default Server 2003 user rights assignments to those under the SSLF member server baseline, I found that restoring the Debug programs right to the local Administrators gorup (and then restarting the server) allowed the console to be uninstalled.

Update (12 November 2009) : I just heard of an instance where this same policy caused the exact same issue when performing an upgrade to ConfigMgr 2007 Service Pack 2 (SP2).  As far as I know, this policy does not need to be altered during initial product installation.  Thanks to Michael Alatalo for the head's up.

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use .