wirelessadmin

Group Policies: Access Denied Event: 1058 Event: 1030 Windows 2003

I can't find the policy that is causing this error. How do I find this out?
I receive the following errors in Event Viewer:
Event: 1058
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=HMBIREO,DC=local. The file must be present at the location <\\SuperDomain.local\sysvol\SuperDomain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.

For more information, see Help and Support Center at

Event ID: 1030
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

bwalker1

As per Microsoft: "This behavior may occur if the following conditions are true: your Windows XP-based computer is a member of a domain, and the Microsoft Distributed File System (DFS) client is turned off (disabled). To resolve this issue, turn on (enable) the DFS client". See KB314494 to find out how to do this. Also check KB810907 for a hotfix.  

http://support.microsoft.com/default.aspx?scid=kb;en-us;810907

http://support.microsoft.com/?id=314494
oBdA

Do you get that on your DC, every 5 minutes? Open a command prompt and enter
dfsutil /purgemupcache

Group Policy processing fails with Events 1058 and 1030 in Windows Server 2003
http://support.microsoft.com/?kbid=830676

dfsutil is part of the Support Tools; either from the install CD, or, if you have SP1 installed, from here:
Windows Server 2003 Service Pack 1 32-bit Support Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=6ec50b78-8be1-4e81-b3be-4e7ac4f0912d&displaylang=en
>>>{31B2F340-016D-11D2-945F-00C04FB984F9}

This GUID is defined by Default Domain Policy. AD tools query DNS to find a domain controller in the same domain. Make sure DNS is working properly and the SRV records for this DC are registered properly in DNS.

You can run *netdiag /fix* and *dcdiag /fix* or restart Netlogon service to re-register DC SRVs in DNS.

You can also try Dcgpofix to re-set GPT in AD database.

Make sure the SYSTEM and Administrator accounts have Full Control permission on the SYSVOL folder and its sub-folder.

Let us know. :-)
wirelessadmin

ASKER

DNS is working properly and the Netlogon service was restarted.
I am trying to only do dcgpofix as a last resort.
The error still shows up.
I get the following error after running DCGPOFIX:

This utility can restore either or both the Default Domain Policy or the
Default Domain Controllers Policy to the state that exists immediately after
a clean install. You must be a domain administrator to perform this operation.

WARNING: YOU WILL LOSE ANY CHANGES YOU HAVE MADE TO THESE GPOs. THIS UTILITY
IS INTENDED ONLY FOR DISASTER RECOVERY PURPOSES.

You are about to restore Default Domain policy  and Default domain Controller policy for the following domain
HMBIREO.local
Do you want to continue: <Y/N>? y
WARNING: This operation will replace all 'User Rights Assignments' made in the chosen GPOs. This may render some server applications to fail. Do you want to continue: <Y/N>? y
Unable to read EFS certificates from Registry.pol file of Default Domain Policy. The error was
Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied

1. First make sure you have logged on as *Domain Administrator*.

2. Next make sure DC SRVs for this domain are registered in DNS server. Try running *Dcdiag /fix* and *Netdiag /fix*. Any AD Tools you run will need to query DNS servers to find LDAP servers or DCs.

3. Next make sure firewall is disabled.

4. Make sure this server is also a GC.

The problem was that the Share and NTFS permissions were not set properly for the SYSVOL Share:

Permissions for C:\

NTFS Permissions
Administrators = full control
Creator owner = none checked, but special permissions checked and greyed out
Everyone = none checked, but special permissions checked and greyed out
System = Full Control
Domain\Users = Read & Execute, List Folder contents, Read

Permissions for C:\Windows\Sysvol

Share
Do not share this folder

NTFS
Administrators = full control
Authenticated Users = Read & Execute, List Folder Contents, Read
Creator Owner = none checked, but special permissions checked and greyed out
Server Operators = Read & Execute, List Folder contents, Read
System = Full Control

Permissions for C:\Windows\Sysvol\Sysvol

Share
Share this folder
Maximum Allowed
Administrators = full control
Authenticated Users = Full Control
Everyone = Read

NTFS
Administrators = Full Control, greyed out (inherited)
Authenticated Users = Read & Execute, List Folder contents, Read
Creator Owner = none checked, but special permissions checked and greyed out
Server Operators = Read & Execute, List Folder contents, Read, (greyed out)
System = Full Control, greyed out (inherited)


 
After I set the proper file permissions, I ran the following from a command prompt:
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

<enter>

Gpupdate

<enter>

reboot

After I rebooted, the problem was resolved
administrator please refund the points
delete with points refunded
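
The NTFS baseline from the resolution post above, turned into a check that can be re-run after any change to SYSVOL (an added example, not part of the thread; it assumes PowerShell 3.0 or later, the default `%windir%\Sysvol` location, and the well-known SIDs for the groups the post lists):

```powershell
# Added example, not from the thread. Run elevated on the domain controller.
# Assumption: SYSVOL lives at %windir%\Sysvol, as in the post above.
$sysvolRoot  = Join-Path $env:windir 'Sysvol'
$sidType     = [System.Security.Principal.SecurityIdentifier]
$fsr         = [System.Security.AccessControl.FileSystemRights]
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# NTFS baseline from the post, keyed by well-known SID so localized names do not matter.
$baseline = @(
    @{ Name = 'Administrators';      Sid = 'S-1-5-32-544'; Rights = $fsr::FullControl }
    @{ Name = 'SYSTEM';              Sid = 'S-1-5-18';     Rights = $fsr::FullControl }
    @{ Name = 'Authenticated Users'; Sid = 'S-1-5-11';     Rights = $fsr::ReadAndExecute }
    @{ Name = 'Server Operators';    Sid = 'S-1-5-32-549'; Rights = $fsr::ReadAndExecute }
)

function Test-SysvolAcl([string]$Path) {
    # Allow ACEs that apply to the folder itself (inherit-only ACEs are skipped).
    # Deny ACEs are not evaluated here; review them separately if any are present.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.PropagationFlags -band $inheritOnly) -eq 0 }
    foreach ($entry in $baseline) {
        $granted = 0
        $rules | Where-Object { $_.IdentityReference.Value -eq $entry.Sid } |
            ForEach-Object { $granted = $granted -bor [int]$_.FileSystemRights }
        $need = [int]$entry.Rights
        [pscustomobject]@{
            Path     = $Path
            Identity = $entry.Name
            Expected = $entry.Rights
            Ok       = (($granted -band $need) -eq $need)
        }
    }
}

$folders = $sysvolRoot, (Join-Path $sysvolRoot 'sysvol')
$folders | ForEach-Object { Test-SysvolAcl $_ } | Format-Table -AutoSize

# Event 1058 names this file; check that it is readable through the domain path.
$gpo = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # Default Domain Policy GUID from the event
$dom = $env:USERDNSDOMAIN                         # assumption: run as a domain user
Test-Path -LiteralPath "\\$dom\sysvol\$dom\Policies\$gpo\gpt.ini"
```

A row with `Ok = False` points at the identity whose access is missing on that folder; a `False` from the final `Test-Path` while every row is `True` suggests the problem is in name resolution or the DFS client rather than in the ACLs.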