SharePoint Administrators lost the ability to browse successfully to Central Admin on a SharePoint 2010 server
1) In the browser: An Unexpected Error Occurred
2) In the ULS Log: w3wp.exe 0x15EC SharePoint Foundation Runtime Unexpected System.Runtime.InteropServices.COMException: The handle is invalid. (Exception from HRESULT: 0x80070006 (E_HANDLE)) 2fce79ff-3aed-440c-b4f7-78fa5d7a10d5
3) Process Monitor: “BAD IMPERSONATION”
A Group Policy applied to the OU that contains the WFE (web front end) removed the IIS_IUSRS group from the “Impersonate a client after authentication” user right assignment in the server's local security policy. The IIS_IUSRS group needs this right because it is how the SharePoint/IIS application pool impersonates the SharePoint Administrator who is trying to reach Central Admin.
The local group IIS_IUSRS must be listed in the “Impersonate a client after authentication” right. Work with your Active Directory administrator and/or security teams to determine what needs to change in Group Policy so that the Central Admin servers (or even all WFEs) have this.
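One way to confirm the cause on the server, as an added example that is not part of the original post: it exports the local user rights assignments with secedit and checks whether the well-known SID of BUILTIN\IIS_IUSRS (S-1-5-32-568) appears under SeImpersonatePrivilege, the internal name of “Impersonate a client after authentication”. The scratch file names under %TEMP% are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt on the affected server.
$right    = 'SeImpersonatePrivilege'   # "Impersonate a client after authentication"
$iisIusrs = 'S-1-5-32-568'             # well-known SID of BUILTIN\IIS_IUSRS
$cfg      = Join-Path $env:TEMP 'user-rights.inf'   # scratch file (assumed path)

# Export only the user rights assignments from the effective local policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match "^$right\s*=" }
Remove-Item $cfg

# Entries are "*<SID>" or, for some accounts, a plain name; normalise to SIDs.
$holders = @()
if ($line) {
    foreach ($entry in $line.Split('=')[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $holders += $entry.Substring(1)
        } elseif ($entry) {
            try {
                $acct = New-Object System.Security.Principal.NTAccount($entry)
                $holders += $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { $holders += $entry }   # unresolvable name: keep as written
        }
    }
}

# List who currently holds the right, with names where the SID resolves.
foreach ($h in $holders) {
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($h)
        '{0,-16} {1}' -f $h, $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { '{0,-16} (unresolved)' -f $h }
}

if ($holders -contains $iisIusrs) {
    "OK: IIS_IUSRS holds $right"
} else {
    Write-Warning "IIS_IUSRS is missing from $right"
    # Write a Resultant Set of Policy report to see which GPO sets the right.
    gpresult /scope computer /h (Join-Path $env:TEMP 'gpresult.html') /f
}
```

After the Group Policy is corrected, `gpupdate /force` followed by a second run of the script should show IIS_IUSRS in the list.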
SharePoint 2010 and IIS 7.0
KB 981949 shows that the IIS_IUSRS group is supposed to (by default) have the Impersonate right.
http://support.microsoft.com/kb/981949 - Description of default permissions and user rights for IIS 7.0 in Windows Server 2008
http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis/ - Understanding Built-In User and Group Accounts in IIS 7
Understanding the New IIS_IUSRS Group