11th March 2011, 08:01 PM #1
GPO Permission Denied
Hi Guys and Gals,
First post so I thought I'd start with a really annoying problem. Recently got a suite of 32 Windows 7 Professional HP machines which I've installed software etc. on, used sysprep, then cloned with Clonezilla. Now, using the exact same method, I also did 35 Toshiba laptops. After joining the domain and using gpupdate /force and gpresults / rsop.msc, everything is fine on the laptops; however, on the PCs I receive "Group Policy Infrastructure failed due to the error listed below. Access is denied."
Searching the net found lots of ideas, including check DNS and ensure I can resolve the domain name from the clients (I can). Ping works fine etc.
NIC - disabled IPv6, disabled power saving.
Replication errors - Servers both replicating sysvol, 1 being 2003 other 2008. No error messages there.
Only difference between the laptops and the workstations is the different organisational units within AD - have tried changing the workstations into other OU no effect.
Any ideas would be appreciated so much!
-
11th March 2011, 08:26 PM #2
Hi
Can you post the event ID of the error and let me know what Forest/Domain Level?
Thanks
Sukh
-
-
11th March 2011, 09:01 PM #3
Hi, thanks for the reply,
the forest domain level is 2003 - Am I right in thinking this is what you were asking for?
As for the event ID, I'll have to get that Monday, but when I googled it nothing really came up. The event ID from the event logs on the client, yeh?
Cheers
-
-
11th March 2011, 09:32 PM #4
Hi
Yes, that's right. Just need to know more about the error. Event ID on the client and the server if it exists.
Thanks
Sukh
-
-
14th March 2011, 09:04 AM #5
I think the event is ID 1030, with the description just saying basically group policy failed, will try next refresh. However, just before this event, 40961 occurs claiming "The security System could not establish a secured connection with the server ldap/servername.domain.net/domain.net@domain.net. No authentication protocol was available". Also unsure what this means; looks like it's related as it's 1 second before the 1030 error.
Cheers!
-
-
14th March 2011, 03:52 PM #6
OK - on further investigation (messing with a spare PC) it turns out that, according to gpresult, user configuration is applied fine but computer configuration fails because "access is denied". On the PC the event ID is 1055 for GroupPolicy with an error code of 5. "Name resolution failure on the current domain controller": nslookup works fine, ping also, DNS records are updated correctly. Or "Active Directory replication latency": the user account is old, as in over a year, and the computer account is over a month old, and both are replicated fine on either server. Also I created a new user in Active Directory and logged straight into the PC with that account.
-
-
14th March 2011, 07:01 PM #7
Hi
Sorry for the delay, a few unexpected issues came up. Can you please enable GPO operational logging if not already enabled. See steps below.
Enable Group Policy Operational Log on Windows 7 if disabled.
a) Open registry editor, navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion
b) Right click CurrentVersion->New->Key
c) Rename the newly created key to Diagnostics
d) Right click on Diagnostics->New->DWORD(32-bit)value, rename the new DWORD entry to GPSvcDebugLevel and set the value as 0x30002 (hexadecimal)
e) After you modified the registry, please run the command gpupdate /force at command prompt to refresh the policy. Reboot the computer to reproduce the issue. The log file is written to the %SystemRoot%\Debug\UserMode folder.
Reboot the workstation and reproduce the issue
Please send the log to me (PM) or post online. Generally code 5 means access denied which we are seeing here.
Thanks
Sukh
-
-
15th March 2011, 09:05 AM #8
Hi
Many thanks - I did the registry change and noticed on RSOP.msc properties for Computer Configuration the reason for it not being applied had changed. This time the message stated "logon failure: unknown user name or bad password", which is confusing as I can log in to both servers with my login and, as far as I can tell, replication is working fine. DCDIAG reports no errors and AD users are replicated almost instantly. In this log it's first of all the problem with Logon failure followed by the usual Access Denied failure.
- Couldn't find how to attach in PM so I've posted here. gpsvc.txt
-
-
15th March 2011, 09:37 AM #9
Hi
How many DCs have you got?
How many of them are running DNS?
On the client machine can you connect to \\yourdomain.com\sysvol\yourdomain.com?
Can you run netdiag and check for errors?
Thanks
Sukh
-
-
15th March 2011, 09:48 AM #10
Hi
Can you also remove one PC from the domain and delete the computer account associated with that from AD? Then rename the PC and join it to the domain with a new computer name and let me know the results.
Thanks
Sukh
-
-
15th March 2011, 10:40 AM #11
Hi,
Got 2 DCs, one of them running Windows Server 2003, the other Server 2008.
Both are running DNS - is this incorrect?
Client can connect to the sysvol folder - typing that command opens up the sysvol folder in Windows Explorer.
Ran netdiag on the server running 2003 and all tests passed. Unsure of a 2008 alternative.
Tried removing one PC from the domain, deleted account from AD, added it, same problem. Did it again but this time didn't move it in AD, left it in the Computers OU. Same problem. Tried deleting profiles in registry as well as from Users folder on the client. Same problem.
Thanks
-
-
15th March 2011, 11:01 AM #12
Hi
You can have DNS running on both servers, that's fine.
Can you run GPRESULT /H GPReport.html on the problem PC and send/post the result?
Can you also send/post the Group Policy Operational Logs from Event Viewer?
Thanks
Sukh
Last edited by sukh; 15th March 2011 at 11:18 AM.
Reason: Can you also send/post the Group Policy Operation Logs from Event Viewer.
-
-
15th March 2011, 11:31 AM #13
Hi
I did gpresult on 1 of the machines that I've left completely alone to find that it has decided the error has now changed? I've attached this as gpresult.
On another machine from the suite I have re-imaged it, and once it had rejoined the domain the first GPO sync was error free; however, after running gpupdate /force I once again have the same error that the whole suite is having, attached as gpresultfromnew. gpresults.zip
Cheers
-
-
15th March 2011, 11:35 AM #14
Hi
While I look at the logs, can you confirm: when you removed the PC from the domain, did you delete the computer account, wait for replication so it doesn't exist, then RENAME the computer to a different NAME completely and then join to the domain?
Thanks
Sukh
-
-
15th March 2011, 11:52 AM #15
Hi
Can you also send me the GPO Operational logs from Event Viewer?
Thanks
Sukh
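
The diagnostic steps requested in posts #7, #12 and #15, gathered into one PowerShell script as an added example; it is not code from the thread or from any poster. The `gp-diag` folder under %TEMP% is an assumed name, and `gpsvc.*` assumes the debug log carries the name of the attachment in post #8. The last part lists the 1030/1055 events from posts #5 and #6 and flags whether a 40961 event was logged within five seconds of each.

```powershell
# Added example, not from the thread. Run elevated on the affected Windows 7 client.
$out    = Join-Path $env:TEMP 'gp-diag'   # assumed collection folder name
$diag   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$logDir = Join-Path $env:SystemRoot 'Debug\UserMode'
New-Item -Path $out -ItemType Directory -Force | Out-Null

# Post #7, steps a-d: Diagnostics key plus GPSvcDebugLevel = 0x30002 (DWORD).
if (-not (Test-Path $diag)) { New-Item -Path $diag | Out-Null }
New-ItemProperty -Path $diag -Name 'GPSvcDebugLevel' -PropertyType DWord `
    -Value 0x30002 -Force | Out-Null
# Create the log folder if it is not there yet.
if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory | Out-Null }

# Post #7, step e: refresh policy. After the reboot, run the script again to
# collect what the reboot produced (the registry steps above are idempotent).
gpupdate /force

# Post #12: HTML report (/F overwrites an earlier report).
gpresult /H (Join-Path $out 'GPReport.html') /F

# Posts #12 and #15: export the Group Policy operational log.
wevtutil epl 'Microsoft-Windows-GroupPolicy/Operational' `
    (Join-Path $out 'GroupPolicy-Operational.evtx') /ow:true

# Post #7: copy the service debug log(s) out of %SystemRoot%\Debug\UserMode.
Copy-Item -Path (Join-Path $logDir 'gpsvc.*') -Destination $out `
    -ErrorAction SilentlyContinue

# Posts #5 and #6: Group Policy failures (1030, 1055) from the last day, each
# flagged when an LSA 40961 event sits within 5 seconds of it.
$since  = (Get-Date).AddDays(-1)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'
            Id = 1030, 1055, 40961; StartTime = $since } -ErrorAction SilentlyContinue)
$lsa    = @($events | Where-Object { $_.Id -eq 40961 })
$report = foreach ($e in @($events | Where-Object { $_.Id -ne 40961 })) {
    $near = @($lsa | Where-Object {
        [math]::Abs(($e.TimeCreated - $_.TimeCreated).TotalSeconds) -le 5 })
    New-Object PSObject -Property @{
        Time = $e.TimeCreated; Id = $e.Id
        Lsa40961Within5s = ($near.Count -gt 0)
        Message = ($e.Message -split "`r?`n")[0]
    }
}
@($report) | Sort-Object Time |
    Format-Table Time, Id, Lsa40961Within5s, Message -AutoSize
```

Once the logs are collected, removing the GPSvcDebugLevel value turns the verbose logging off again.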
-