  1. #1

    Join Date
    May 2010
    Location
    UK
    Posts
    165
    Thank Post
    40
    Thanked 9 Times in 9 Posts
    Rep Power
    10

    GPO Permission Denied

    Hi Guys and Gals,

    First post, so I thought I'd start with a really annoying problem. Recently got a suite of 32 Windows 7 Professional HP machines, on which I've installed software etc., used sysprep, then cloned with Clonezilla. Using the exact same method I also did 35 Toshiba laptops. Now, after joining the domain and using gpupdate /force and gpresult / rsop.msc, everything is fine on the laptops; however, on the PCs I receive "Group Policy Infrastructure failed due to the error listed below. Access is denied."

    Searching the net found lots of ideas, including check DNS and ensure I can resolve the domain name from the clients; I can. Ping works fine etc.

    NIC - disabled IPv6, disabled power saving.

    Replication errors - Servers both replicating sysvol, 1 being 2003 other 2008. No error messages there.

    Only difference between the laptops and the workstations is the different organisational units within AD - have tried changing the workstations into other OU no effect.

    Any ideas would be appreciated so much!

  2. #2

    Join Date
    Dec 2008
    Location
    Essex
    Posts
    2,144
    Thank Post
    1
    Thanked 326 Times in 316 Posts
    Rep Power
    77
    Hi

    Can you post the event ID of the error and let me know what the Forest/Domain Level is?

    Thanks
    Sukh

  3. #3

    Hi, thanks for the reply,

    The forest domain level is 2003 - am I right in thinking this is what you were asking for?

    As for the event ID, I'll have to get that Monday, but when I googled it nothing really came up. The event ID from the event logs on the client, yeah?

    Cheers

  4. #4

    Hi

    Yes, that's right. Just need to know more about the error. Event ID on the client and the server if it exists.

    Thanks
    Sukh

  5. #5

    I think the event is ID 1030, with the description just saying basically group policy failed, will try next refresh. However, just before this event, 40961 occurs claiming "The security System could not establish a secured connection with the server ldap/servername.domain.net/domain.net@domain.net. No authentication protocol was available". Also unsure what this means; looks like it's related as it's 1 second before the 1030 error.

    Cheers!

  6. #6

    OK - on further investigation (messing with a spare PC), it turns out that according to gpresult, user configuration is applied fine but computer configuration fails because "access is denied". On the PC the event ID is 1055 for GroupPolicy with an error code of 5. "Name resolution failure on the current domain controller" - nslookup works fine, ping also, DNS records are updated correctly. Or "Active Directory replication latency" - the user account is old, as in over a year, and the computer account is over a month old, and both are replicated fine on either server. Also, I created a new user in Active Directory and logged straight into the PC with that account.

  7. #7

    Hi

    Sorry for the delay, a few unexpected issues came up. Can you please enable GPO operational logging if not already enabled. See steps below.

    Enable Group Policy Operational Log on Windows 7 if disabled.



    a) Open registry editor, navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion

    b) Right click CurrentVersion->New->Key

    c) Rename the newly created key to Diagnostics

    d) Right click on Diagnostics->New->DWORD (32-bit) Value, rename the new DWORD entry to GPSvcDebugLevel and set the value as 0x30002 (hexadecimal)

    e) After you modified the registry, please run the command gpupdate /force at command prompt to refresh the policy. Reboot the computer to reproduce the issue. The log file is written to the %SystemRoot%\Debug\UserMode folder.



    Reboot the workstation and reproduce the issue

    Please send the log to me (PM) or post online. Generally code 5 means access denied which we are seeing here.

    Thanks
    Sukh
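
Steps a) to e) from post #7 as a script, extended to collect the events quoted earlier in the thread (1030, 1055, 40961) and to switch the debug logging off again afterwards. This is an added example, not something posted by either participant; the output folder `gpo-triage`, the variable names and the choice to read those events from the System log are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt on the affected client.
$diag   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$logDir = Join-Path $env:SystemRoot 'Debug\UserMode'
$outDir = Join-Path $env:TEMP 'gpo-triage'        # assumed output folder

# Steps a-d: create the Diagnostics key and set GPSvcDebugLevel = 0x30002
if (-not (Test-Path $diag)) { New-Item -Path $diag | Out-Null }
New-ItemProperty -Path $diag -Name GPSvcDebugLevel -PropertyType DWord `
    -Value 0x30002 -Force | Out-Null

# Create the log folder if it is missing so gpsvc.log has somewhere to go
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Step e: refresh policy (answer N if gpupdate asks to log off or restart)
$start = Get-Date
gpupdate /force

# Collect the debug log written by the Group Policy service
Copy-Item (Join-Path $logDir 'gpsvc.log') $outDir -ErrorAction SilentlyContinue

# Events mentioned in the thread, assumed to be in the System log,
# restricted to those raised since the refresh started
Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 1030, 1055, 40961; StartTime = $start
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Export-Csv (Join-Path $outDir 'system-events.csv') -NoTypeInformation

# The Group Policy operational channel shown in Event Viewer
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Export-Csv (Join-Path $outDir 'gp-operational.csv') -NoTypeInformation

# HTML report of what was and was not applied
gpresult /H (Join-Path $outDir 'GPReport.html') /F

# Switch verbose logging off again once the evidence is collected
Remove-ItemProperty -Path $diag -Name GPSvcDebugLevel
Write-Output "Collected files are in $outDir"
```

The collected files contain domain controller, domain and account names, so review them before attaching them to a public thread.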

  8. #8

    Hi

    Many thanks - I did the registry change and noticed on RSOP.msc properties for Computer Configuration the reason for it not being applied had changed. This time the message stated "logon failure: unknown user name or bad password", which is confusing as I can log in to both servers with my login and as far as I can tell replication is working fine. DCDIAG reports no errors and AD users are replicated almost instantly. In this log it's first of all the problem with Logon failure, followed by the usual Access Denied failure.

    - Couldn't find how to attach in PM so I've posted here. gpsvc.txt

  9. #9

    Hi

    How many DC have you got?
    How many of them are running DNS?
    On the client machine can you connect to \\yourdomain.com\sysvol\yourdomain.com?
    Can you run netdiag and check for errors?

    Thanks
    Sukh

  10. #10

    Hi

    Can you also remove one PC from the domain and delete the computer account associated with that from AD? Then rename the PC and join it to the domain with a new computer name and let me know the results.

    Thanks
    Sukh

  11. #11

    Hi,

    Got 2 DCs, one of them running Windows Server 2003, the other Server 2008.

    Both are running DNS - is this incorrect?

    Client can connect to the sysvol folder - typing that command opens up the sysvol folder in windows explorer.

    Ran netdiag on the server running 2003 and all tests passed. Unsure of a 2008 alternate.

    Tried removing one PC from the domain, deleted account from AD, added it, same problem. Did it again but this time didn't move it in AD, left it in the computers OU. Same problem. Tried deleting profiles in registry as well as from Users folder on the client. Same problem.

    Thanks

  12. #12

    Hi

    You can have DNS running on both servers that's fine.

    Can you run GPRESULT /H GPReport.html on the problem PC and send/post the result?

    Can you also send/post the Group Policy Operation Logs from Event Viewer.

    Thanks
    Sukh
    Last edited by sukh; 15th March 2011 at 11:18 AM. Reason: Can you also send/post the Group Policy Operation Logs from Event Viewer.

  13. #13

    Hi

    I did gpresult on 1 of the machines that I've left completely alone to find that it has decided the error has now changed? I've attached this as gpresult.
    On another machine from the suite I have re-imaged it, and once it had rejoined the domain the first GPO sync was error free; however, after running gpupdate /force I once again have the same error that the whole suite is having, attached as gpresultfromnew. gpresults.zip

    Cheers

  14. #14

    Hi

    While I look at the logs, can you confirm when you removed the PC from the domain, did you delete the computer account, wait for replication so it doesn't exist. Then RENAME the computer to a different NAME completely and then join to domain?

    Thanks
    Sukh

  15. #15

    Hi

    Can you also send me the GPO Operational logs from Event Viewer?

    Thanks
    Sukh
