Solved

GROUP POLICY ERROR & ACCESS DENIED

Posted on 2004-11-04
Last Modified: 2008-03-10
Hi, what's my problem???


When I try to create a policy, I receive this error: Group Policy error "You do not have permissions to perform this operation - access denied". Why?


0
Comment
Question by:tudeatico
 
LVL 2

Expert Comment

by:Mike_Kauble
ID: 12497279
Off the top of my head, I'd say because you don't have permissions to create group policies.

Can you give us some more information?

If you're using the GP management tool (and if you're not, you should be), go to the Group Policy Object folder and click on the "Delegation" tab.

Anyone who can create GPOs in that domain is listed in there.

What does yours say and are you one of those groups?
0
 

Author Comment

by:tudeatico
ID: 12497460
I'm a domain administrator (the administrator can create GPOs anywhere). When I want to create a policy for an OU, the system tells me "You do not have permissions to perform this operation - access denied".

I've tried to delegate permissions for an administrator user on that OU, and I have the same problem.

0
 
LVL 2

Expert Comment

by:Mike_Kauble
ID: 12497495
Well. . .the administrator *should* be able to create GP's anywhere.

But unless you go check and make sure that you still have permissions and that someone else didn't change them or they somehow just got changed, you can't be absolutely sure.

That tab will tell you specifically whether or not you still have permissions.
0

 

Author Comment

by:tudeatico
ID: 12497538
Where is the GP management tool?
0
 
LVL 2

Expert Comment

by:Mike_Kauble
ID: 12497658
If you have it installed, it would be listed in the Administrative Tools section of the Start Menu. Also, when you click on an OU, it should say that GP's are handled with that tool and open the tool for you.

If not:

http://www.microsoft.com/windowsserver2003/gpmc/gpmcintro.mspx

You can download it there and install it. Quick and simple, and it's worth the 5 minutes to do it.

Good luck.
0
 

Author Comment

by:tudeatico
ID: 12497758
I've verified that the domain admins can create GPOs. I'm using the GP management tool, and when I try to create a GPO under GROUP POLICY OBJECTS, I receive the error "access is denied".
0
 
LVL 2

Expert Comment

by:Mike_Kauble
ID: 12497923
Hmmmmm.

Two things I would try next. If you're using an account that simply belongs to the Domain Admin group, rather than the built in Administrator account, check and be sure that you're still part of that group.

If that looks okay, then create a test group, and a test user and join the user to that group.

Then, in the GP management tool, give that group permission to create group policy. That will tell you if maybe your group is buggered somehow.

Sorry if this seems kinda slow and such, but these are the steps I would take.
0
 

Author Comment

by:tudeatico
ID: 12498697
OK, tomorrow I'll try these steps, but I have a question for you: could my problem be because I have an NT 4.0 relationship with the Windows 2003 domain?
0
 
LVL 2

Expert Comment

by:Mike_Kauble
ID: 12498879
That I don't know about.

Have you been able to create GP's before? Has anything changed, such as possibly putting the controller into native mode?

Usually I try to answer all of the really, really basic questions before I go somewhere else.

You might also want to check the update log. Maybe something was updated that has caused some sort of a problem.

Good luck. Let me know how it turns out.
0
 
LVL 11

Expert Comment

by:WeHe
ID: 12499926
> but I have a question for you: could my problem be because I have an NT 4.0 relationship with the Windows 2003 domain?
Definitely not.
Are you sure nobody changed the rights for domain admins?
Did you try it as an enterprise admin?
0
 

Author Comment

by:tudeatico
ID: 12501918
I'm enterprise admin, domain admin & group policy creator.
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12505821
I had the same error when the SYSVOL share was moved on one of my DCs, causing a file replication train wreck (rookie mistake, don't ask ;)

This article looks like one I reviewed, it MAY be relevant but I am a bit skeptical.
http://support.microsoft.com/?kbid=839499

You should post some errors from your event logs for us to look at (yes, there will be some I'm betting). And also check NTFS file permissions on your SYSVOL share, where your GPs are stored.
0
 

Author Comment

by:tudeatico
ID: 12536421
I've reviewed this article, http://support.microsoft.com/?kbid=839499; the registry entries and default domain policies properties are good. Any other ideas?
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12536459
What errors is your event log showing?
0
 

Author Comment

by:tudeatico
ID: 12538640
Event ID: 1030 and 1057. IMPORTANT: I don't have the error 1058.
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12538908
Sorry I should have asked for the entire entry.  Can you paste those?  ie:

Event Type: Error
Event Source: SceCli
Event Category: None
Event ID: 1030
Date: 11/21/2003
Time: 12:55:33 PM
User: N/A
Computer: <ComputerName>
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
0
 

Author Comment

by:tudeatico
ID: 12542267
Event Type: Error
Event Source: userenv
Event Category: None
Event ID: 1057
Date: 11/21/2003
Time: 12:55:33 PM
User: N/A
Computer: <ComputerName>
Description: Windows cannot determine the user or computer name. (The specified user does not exist. ). Group Policy processing aborted

&


Event Type: Error
Event Source: SceCli
Event Category: None
Event ID: 1030
Date: 11/21/2003
Time: 12:55:33 PM
User: N/A
Computer: <ComputerName>
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12543323
Ok good.  Now let's see if we can isolate.  From a command prompt type:
find /i "cannot find" %SYSTEMROOT%\security\logs\winlogon.log
0
 

Author Comment

by:tudeatico
ID: 12543596
It reports this:


Access denied - C:\WINDOWS File not found - \SECURITY\LOGS\WINLOGON.LOG
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12543975
Hrm...  Ok, that path must be different.  We need to find the location of your winlogon.log file and look for errors.  Can you find it and look for errors containing "cannot find"?  This may shed some light on the error.
0
 

Author Comment

by:tudeatico
ID: 12545008
Errors in the file winlogon.log:


1.- Error 0 to send control flag 1 over to server.

Make a local copy of \\DOMAIN\sysvol\DOMAIN\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

Make a local copy of \\DOMAIN\sysvol\DOMAIN\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

This error repeats every day.
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12545519
Ok!  =)

Those 2 policies are your default domain policies:

{31B2F340-016D-11D2-945F-00C04FB984F9}---Default Domain Policy
{6AC1786C-016F-11D2-945F-00C04fB984F9}---Default Domain Controllers Policy

You may wish to try and reset permissions on those 2 objects:
http://support.microsoft.com/?kbid=226243

Also, if SYSVOL path has been changed on any of your replication partners (DCs), that can also produce errors similar to this.  You should check your event log under FRS tab.  It will be complaining about file locations if it can't find SYSVOL where it thinks it should be.

Obviously, check to be sure FRS service is running on all DCs, and test out your DNS, to ensure that you can resolve the names of all your other DCs.
0
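Added example, not part of any post in the thread: a PowerShell sketch that pulls GPO GUIDs out of winlogon.log lines like the ones quoted above and labels the two built-in default policies identified in the preceding answer. The function name `Get-GpoTemplateReference` is hypothetical, `DOMAIN` is the placeholder used in the thread, and the third sample line (with its GUID) is constructed to show the fallback.

```powershell
# GUIDs of the two built-in policies, as identified in the thread.
$WellKnownGpos = @{
    '{31B2F340-016D-11D2-945F-00C04FB984F9}' = 'Default Domain Policy'
    '{6AC1786C-016F-11D2-945F-00C04FB984F9}' = 'Default Domain Controllers Policy'
}

function Get-GpoTemplateReference {
    param([string[]]$Line)
    # A GPO folder under SYSVOL is named after the GPO's GUID: ...\Policies\{GUID}\...
    $pattern = '\\Policies\\(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\\'
    foreach ($l in $Line) {
        $m = [regex]::Match($l, $pattern)
        if (-not $m.Success) { continue }          # line does not reference a GPO folder
        # Normalise case: the log excerpt mixes 'F' and 'f' in the same GUID position.
        $guid = $m.Groups[1].Value.ToUpperInvariant()
        $name = $WellKnownGpos[$guid]
        if (-not $name) { $name = 'custom GPO (not a built-in default)' }
        [pscustomobject]@{ Guid = $guid; Policy = $name }
    }
}

# Constructed sample input modelled on the excerpt posted in the thread.
$sample = @(
    'Make a local copy of \\DOMAIN\sysvol\DOMAIN\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.'
    'Make a local copy of \\DOMAIN\sysvol\DOMAIN\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.'
    'Make a local copy of \\DOMAIN\sysvol\DOMAIN\Policies\{11111111-2222-3333-4444-555555555555}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.'
    'GPLinkDomain GPO_INFO_FLAG_BACKGROUND )'
)

# Summarise how often each policy template is referenced in the log.
Get-GpoTemplateReference -Line $sample |
    Group-Object Policy |
    Select-Object Count, Name

# Against a real log (path as given in the thread):
# Get-GpoTemplateReference -Line (Get-Content "$env:SystemRoot\security\logs\winlogon.log")
```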
 

Author Comment

by:tudeatico
ID: 12545716
But the link http://support.microsoft.com/?kbid=226243 is for Windows 2000, no?

The SYSVOL path hasn't changed, and I can find SYSVOL perfectly on all DCs. I can also resolve the names OK.
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12546350
Ok good!  Yes, you're right about that 2000 article, although it should work for both.  (I think the GP template would still be in the same location)  Either way, don't try that.  I have actually found an M$ article concerning SMB signing that may apply.  Specifically, review the Cause and Resolution section:

http://support.microsoft.com/?kbid=839499

If that does not apply, are there no other event log errors?  DNS, Directory Services, FRS?  I am thinking that there is an unseen problem with DNS.

It was never really asked, but did anything change?  Any server updates?
0
 

Author Comment

by:tudeatico
ID: 12546465
I reviewed the article http://support.microsoft.com/?kbid=839499 on all DCs. The entries in the registry for all DCs are good, and the policies too.
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12546467
Also, is DFS running on your DCs?
0
 

Author Comment

by:tudeatico
ID: 12549552
I think not. Why?
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12555076
Just curious, found an article, but if no DFS it's not relevant.  I found the correct instructions for 2003 to reset Permissions on your GPs:

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B324800

Another option available to you is to restore your GPOs to their default state.  Obviously you'll lose any changes that were made.  You should consider this as last resort:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/dcgpofix.asp
0
 

Author Comment

by:tudeatico
ID: 12563072
Do you know what the problem was? The user Administrator was disabled and the logon name was changed. That was the problem! Many thanks to all of you. You are great. Thanks.
0
 
LVL 6

Expert Comment

by:nihlcat
ID: 12567970
Whew!  I'm glad you figured it out!  You should post in the support forum to get a refund of your points.  Be sure to include a link to this post (they prefer that).

Congrats!!!

;)
0
 

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 12623392
Question PAQ'd
500 points refunded.

CetusMOD
Community Support Moderator
0
