fsjavan32

Group policy.. access denied?

What would cause me to get an access denied when I run the utility to verify the GP settings from Help -> Tools -> Advanced system info -> View Group Policy settings applied? My account has admin rights and this command worked previously on this computer and another.

I am going to also assume the previous problem is the reason the group policy is not being applied properly on a new computer that I have set up. I was able to view the GP settings applied on that computer, and it shows the GPO name that it should be getting, but the settings are not being applied.

I thought I had group policy pretty much figured out, guess I was wrong >:(
mikeleebrla

Is it a computer or user GPO?
Does the computer or user you are logged onto/as have read AND apply GPO rights to the GPO itself?
fsjavan32

ASKER

I am not sure what "it" is you are referring to in your first question. There is a computer and a user GPO that is being applied properly on my computer (or past settings from the GPOs are being kept if it is not applying when I log in). I noticed when I ran gpresult or the HTML version of this command I got an access denied prompt.
This command has worked previously on my computer with the same login and credentials. I have also tried this command on another computer that I had previously run the command on when I was doing some troubleshooting. It does not work there now either.

As far as read and apply on the GPO rights... My newbiness will show, I do not remember specifying any rights to the GPO. I set up OUs, moved the specific user and/or computer into the OUs that I needed them in, then created a GPO for each OU. The security filter for each OU is set for authenticated users.
I understand there are two different policies. Both computer and user policies are configured, were working, and are supposed to be applied. I use the GPMC. I have authenticated users in the security group. Properties for authenticated users is greyed out so I cannot check what they have.

The problem is I get access denied when I run gpresult on the workstation. A few weeks ago I was able to run gpresult on the workstation. The only computer I have found that I can run gpresult and not get access denied is the server.
The error I get is "Error login failure: unknown username or password" when I run gpresult. I get "access denied" if I run the HTML report from the Windows help.
It seems that the computer policy that I have enabled for our inventory tracking software is causing the problem. The settings that I have in place for that policy:
Enables WMI
Enables WMI driver extension
Enables WMI Performance adapter
Enables ICMP exceptions (echo requests)
Enables remote admin exception

Extra registry settings:
Windows firewall exceptions for the inventory software to install and audit the system.


Not sure why this would cause the computers to appear to lose some administrative abilities.

Another thing I have noticed is the ATI Catalyst drivers scream at startup saying the Catalyst Control Center needs to have admin rights.
Disable your firewall temporarily to see if the issue goes away.
You are a member of domain admin, aren't you?

Disabling the firewall did not change anything.

My account is not a member of the "Group policy creator owners".
My account is a member of Administrators, domain admins, domain users, enterprise admins, remote desktop users, schema admins, and users.
I have the ability to manipulate the GPO and OU however I want with these settings.

Let me backtrack a bit to give some extra information.

I created a "trackit" OU. I then created a trackit GPO for that OU which is only manipulating computer configuration settings which I listed above. I then moved all computers in AD to the trackit OU. When I did that the GP worked beautifully; all workstations accepted the audit and an inventory was pulled from the computers. The problem is the side effect that you cannot run gpresult from the command prompt or the HTML version of gpresult in the Windows help. Also, any computer with an ATI Catalyst Control Center errors on boot saying the user needs admin rights.

Neither of these side effects started until that trackit GPO started functioning on the computers. All accounts have this problem, not just mine. I noticed this when I set up a new workstation; initially I was able to run gpresult. When I went to AD and moved that computer into the trackit OU so the trackit GPO would make the changes I needed, gpresult would not run any longer.
Stufox: No, the OU is not a sub of the computers folder in AD. The Trackit OU is on the first level under the domain. The Trackit OU is the first and only computer OU.

Strongline: I must be doing something wrong. When I right-click on the Trackit OU in ADUC then click properties I see "General" "Managed by" "Com+" "Group Policy". I do not see a security tab. I checked the OU in GPMC and I only get "General" "Managed by" and "Com+".

In my pointer post Kprad posted this.

kprad:check this out:
http://support.microsoft.com/kb/932460
can you connect from 1 Xp comp to another using the compmgmt console.
looks like it could be a problem with WMI

This looked promising but I am going to have to give it more time to let the changes filter through. This didn't seem to work, so I removed my computer from the Trackit OU. I gave it a good 2-3 hours and I was still getting this problem, even after restarts. This morning it finally pushed through and my computer didn't pick up the GPO. This may take me some time to troubleshoot your suggestions.
Is there not a way to speed up the changes cycling through the system?

Sorry for the long delay. It appears that the problem ended up being caused from having the same WMI settings in both the user and the computer (trackit) OU. I removed the WMI changes from the user OU and everything works fine now.

Since none of the responses was the exact solution I am splitting points to everyone for helping.
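
Added example, not part of the original thread: gpresult reads its Resultant Set of Policy data through WMI, so when it fails after a GPO that touches WMI settings, the WMI service and the RSoP namespaces can be checked directly. The function name `Test-RsopAccess` is hypothetical; the sketch assumes Windows PowerShell 3.0 or later, run from an elevated prompt on the affected workstation.

```powershell
# Added diagnostic sketch (not from the thread). Test-RsopAccess is a hypothetical name.
# Assumes Windows PowerShell 3.0+ and an elevated prompt on the affected workstation.

function Test-RsopAccess {
    $result = [ordered]@{}

    # 1. The WMI service (service name: Winmgmt) has to be running.
    $svc = Get-Service -Name Winmgmt -ErrorAction SilentlyContinue
    $result.WmiService = if ($svc) { "$($svc.Status)" } else { 'NotFound' }

    # 2. RSoP logging data is stored in WMI. The per-user namespace is named
    #    after the user's SID with '-' replaced by '_'.
    $sid = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value -replace '-', '_'
    $namespaces = [ordered]@{
        Computer = 'root\rsop\computer'
        User     = "root\rsop\user\$sid"
    }

    foreach ($scope in $namespaces.Keys) {
        try {
            # RSOP_GPO lists every GPO that was evaluated for this scope and
            # whether it was denied or filtered out.
            $gpos = Get-CimInstance -Namespace $namespaces[$scope] `
                                    -ClassName RSOP_GPO -ErrorAction Stop
            $result[$scope] = $gpos |
                Select-Object name, enabled, accessDenied, filterAllowed
        }
        catch {
            # A failure here points at WMI access rather than at the GPO links.
            $result[$scope] = "FAILED: $($_.Exception.Message)"
        }
    }

    [pscustomobject]$result
}

# Refresh policy immediately instead of waiting for the background interval,
# then re-run the check.
gpupdate /force
$check = Test-RsopAccess
$check.WmiService
$check.Computer | Format-Table -AutoSize
$check.User     | Format-Table -AutoSize
```

If the service is running but either namespace query fails, compare the WMI-related settings in the computer and user GPOs for overlap, which is what the asker reports as the cause above.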