janderson2k

asked on

Windows cannot access the file gpt.ini for GPO?

I am getting errors 1030 and 1058 in Event Viewer whenever I do a gpupdate /force... I have read through some ideas but they hadn't helped...

Things I have tried:
1. Changing primary NIC order
2. Making sure only one NIC has a specified GW address
3. Installed SP1
4. Checked to make sure I can access the sysvol folder


Error 1030:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Error 1058:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=precision,DC=local,DC=com. The file must be present at the location <\\precision.local.com\sysvol\precision.local.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

ckratsch

I just don't know what's wrong with this thread. So many questions have been asked for the same at EE and still unsolved. Services run under the security context of System Account so they should have access to this folder or file as long as this account is listed on the security tab of folder or file.

Now it says "Access is denied" and there is nothing related to permissions because you will find your account and system account already listed on the security tab.

I just want to know the solution for this if someone could.
janderson2k

ASKER

I think I **MAY** have alleviated the issue but I am still unsure... I went to the \\domain name\sysvol\... folder and right-clicked the GPO file and added EVERYONE with r/w rights to the file and it seems to have gone away. In addition, I also recreated the file... GPUPDATE /force now gives me the standard INFO entry in Event Viewer.
Well the errors came back... STRANGE as hell...
It has worked for you but I remember many threads were just ignored because of this Event ID.
<Laughing>.....I just knew that....

Anyway I will try my best to troubleshoot this issue anyhow.
How many NICs do you have?

Any how they are connected?
SystmProg, I've actually come across two different fixes for this error (one time but it definitely worked).  In one case the domain controller had crashonauditfail enabled via group policy.  Once the DC security log filled up the server bounced and crashonauditfail was changed to a value of 2.  This means that the only access to the server had to be via an administrator.  Misleading because we could still hit the sysvol share, but the machine account which is not an administrator apparently could not.  This scenario causes all sorts of weird issues, fortunately it's easy to fix.  Just clear the security log, set crashonauditfail back to 0, and reboot.  That was how I fixed it for member servers getting this error.  The DCs were also getting it, to fix the error on them I just granted the Enterprise Domain Controllers (?) group the apply policy permission for the policy object on the Domain Controllers OU.

BTW for those not familiar, the full path to the above mentioned key is HKLM\System\CurrentControlSet\Control\LSA\crashonauditfail.
2 nics on the device, 1st nic has the GW defined, the 2nd does not.
Is this a domain controller or member server?
DC
ASKER CERTIFIED SOLUTION
marc_nivens

This solution is only available to members.
Can you disable one NIC?
I am having the same issue with all my win2k and xp workstations with a single DC running win2k3.  Any suggestions would be appreciated.
I have these errors as well. Found something on this regarding SMB signing, but MS warns that if you screw up, you will not be able to get back into GP and undo the errors.  Basically, if this does not work, then you are hosed.  Pretty ominous.

http://support.microsoft.com/default.aspx?scid=kb;en-us;839499
Ultimate goofy solution -

The CN for this GPO indicates that it is the default domain policy.  Make a change to the default policy (I changed the audit level).  The GPT.ini file gets changed, and permissions on it are overwritten.

I wish I had checked permissions beforehand, but alas, I did not.
timharkin's solution works like a charm!
My problem was resolved by running dfsutil /PurgeMupCache
timharkin's solution worked for me.  

But I also tried editing permissions on the container folder to match another existing container folder.  In other words, check security settings of the policy folder, for example \\your.dc\sysvol\your.domain\policies\{container folder you are seeing errors with}, and compare to another policy container to see if the permissions are the same.  It seemed like I couldn't update the group policy until I had copied security settings from another policy folder that was working.

Now, I just would like to find out the WHY to avoid this in the future!
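
A read-only way to run the checks discussed in the posts above (whether gpt.ini can be read, how a failing policy folder's permissions differ from a working one, and the crashonauditfail value), as an added PowerShell example that is not part of the original thread. The domain and failing GPO GUID are copied from the 1058 event text, and `$GoodGpo` is a placeholder to replace with a GPO that applies cleanly. It also lists any Everyone, Authenticated Users or Domain Users write grant on gpt.ini, because a grant like the Everyone r/w change tried above lets any account alter that policy file.

```powershell
# Added example, read-only. Run as an administrator on the affected machine.
param(
    [string]$Domain  = 'precision.local.com',                     # from the 1058 event text
    [string]$BadGpo  = '{31B2F340-016D-11D2-945F-00C04FB984F9}',  # from the 1058 event text
    [string]$GoodGpo = '{00000000-0000-0000-0000-000000000000}'   # placeholder: a GPO that applies cleanly
)
$root = "\\$Domain\sysvol\$Domain\Policies"
$ini  = "$root\$BadGpo\gpt.ini"

function Get-AclRows([string]$Path) {
    # Flatten an ACL into sortable "identity | type | rights" strings.
    (Get-Acl -Path $Path).Access | ForEach-Object {
        '{0} | {1} | {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
    } | Sort-Object -Unique
}

# 1. Readability of gpt.ini. This runs as the logged-on user, so success here
#    does not prove the machine account can read the file.
try   { Get-Content -Path $ini -ErrorAction Stop | Out-Null; "gpt.ini readable: $ini" }
catch { "gpt.ini NOT readable: $($_.Exception.Message)" }

# 2. Differences between the working and failing policy folder ACLs.
#    '<=' rows exist only on the working folder, '=>' only on the failing one.
$diff = Compare-Object @(Get-AclRows "$root\$GoodGpo") @(Get-AclRows "$root\$BadGpo")
if ($diff) { $diff | ForEach-Object { '{0}  {1}' -f $_.SideIndicator, $_.InputObject } }
else       { 'Policy folder ACLs match.' }

# 3. Broad principals holding write access on gpt.ini.
$writeData = [int][System.Security.AccessControl.FileSystemRights]::WriteData
(Get-Acl -Path $ini).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match 'Everyone|Authenticated Users|Domain Users' -and
    (([int]$_.FileSystemRights -band $writeData) -ne 0)
} | ForEach-Object { 'Broad write grant: {0} ({1})' -f $_.IdentityReference, $_.FileSystemRights }

# 4. CrashOnAuditFail on this machine; the thread reports 2 as the tripped state.
$lsa = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa'
"crashonauditfail = $($lsa.crashonauditfail)"
```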
Hi Marc Nivens

I tried applying your solution but after right-clicking on domain controllers OU I did not find a policy tab, only a group policy tab, and when I clicked on it there was only an Open button available.  After clicking on this Open button I then came to the Group Policy Management window.  I could not then find an apply group policy permission.  Can you help?
jmattson30,

The reason you just have an Open button is because you installed the GPMC.  It's a great tool.  So how do you get to where Marc was talking about?  Dig down into your GPOs and look for Default Domain Controller policy and right-click, go to Edit.  Then you right-click on the very top of the GPO (it says Default Domain Controller policy) then go to Properties.
I fixed this on the SBS2003 SP2 box with the help of following:

1) Change the binding order of the network adapters so that the adapter that is listed at the top of the Connections list HAS File and Printer Sharing bound to it.
2) Make sure File and Printer Sharing for Microsoft Networks IS enabled on the interface.
3) Disable unplugged network adapters if you have more than one adapter in the computer.
4) Run the gpupdate /force command and review the event log. If you see the 1704 Info about Security policy in the GPO applied successfully, then it's fixed.

Hope it helps.
Big thanks for this goes out to chicagotech.net

Also, be sure to check the TCP/IP NetBIOS Helper service status, if you want to be able to use NetBIOS name resolution.
marc nivens solution worked like a dream for me, thanks also to Ken2002 who helped me understand what he was talking about :)
Hi all,
I came to this page from another page. This page itself led to a number of other chained sites. This seems a generic problem.  Causes seem to be uncountable.  I have applied a multitude of remedies, including:
1 - Flushing DFS mup cache.
2 - Changing NICs order and checking File and Print Sharing bindings.
3 - Granting Enterprise Domain Controllers and Authenticated Users groups "apply group policy" permissions.
4 - Adding an entry to the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GpNetworkStartTimeoutPolicyValue = 60.

When fixing this, and after each solution, I ran gpupdate /force. Errors were still reported. Fixes above are organized in reverse order.  For me, 2 and 1 above were the ones that saved the day.  I did not need to restart any DC.
It has now been 10 GP application cycles (10 x 5 minutes) since it was fixed for me, and no 1058 or 1030 show in the event log.
So, I have a suggestion for experts of this site:
Compile a case study.  Include every possible reason, based on posts in all related sites, and depict the "best" approach for each case.  For example, in my case, I can confirm that this problem is of no apparent cause and, in my case again, NICs order change and mup flushing was the remedy. What I want to say is, instead of having a user pulling his hair by following chained links, engineer a 1-page solution that includes as many scenarios as possible.  Each scenario shall include cause and solution.  This way, I believe, and hope too, you will have more people joining this forum since it is a million case one stop shop.

Regards
Yba
hello,

Had the same problem on 2 DCs and used what Bozhnev said, "dfsutil /PurgeMupCache", and errors on both servers are gone, thanks Bozhnev.
In our case, we found that the Default Domain Controllers Policy was "enforced" in GPMC.  We removed the "enforced" option and then ran the gpupdate /force command and received the
Event Type:      Information
Event Source:  SceCli
Event Category:  None
Event ID:      1704
Date:      7/10/2009
Time:      2:33:11 PM
User:      N/A
Computer:      
Description:  Security policy in the Group policy objects has been applied successfully.


The other events have not returned yet and we are keeping our fingers crossed.
AS YOU ARE RUNNING INTO, THERE ARE A LOT OF ISSUES THAT CAN CAUSE THESE ERRORS:

So, I would like to help you diagnose and fix your errors.

Please see the link below:
https://www.experts-exchange.com/articles/OS/Microsoft_Operating_Systems/Server/2003_Server/Diagnosing-and-repairing-Events-1030-and-1058.html
same errors as described. Windows 2003 Exchange Server and Windows 2003 Server both DCs in AD environment.

Can access the sysvol share without incident.

-GPO permissions for Enterprise Domain Controllers was not set to allow "apply group policy"
Authenticated users was set to allow.....

Changing the GPO permissions for Ent. Domain Controllers and updating group policies did not change 1058 and 1033 Events.

-NIC adapter that is listed at the top of the Connections list HAS File and Printer Sharing bound to it.

-Changed the Domain Controller default policy. GPupdate..... same errors

-What seems to have fixed this error for me was to run "dfsutil /PurgeMupCache" then update group policies.

Event 1704 followed.

Thanks everyone!