GROUP POLICY ERROR & ACCESS DENIED

Hi, what's my problem???


When I try to create a policy, I receive this error: Group policy error "You do not have permissions to perform this operation - access denied". Why????


tudeatico Asked:

Mike_Kauble Commented:
Off the top of my head, I'd say because you don't have permissions to create group policies.

Can you give us some more information?

If you're using the GP management tool (and if you're not, you should be), go to the Group Policy Object folder and click on the "Delegation" tab.

Anyone who can create GPO's in that domain is listed in there.

What does yours say and are you one of those groups?
0
tudeatico Author Commented:
I'm a domain administrator (the administrator can create GPOs anywhere). When I want to create a policy for an OU, the system tells me "You do not have permissions to perform this operation - access denied".

I've tried to delegate permissions for an administrator user on that OU, and I have the same problem.

0
Mike_Kauble Commented:
Well. . .the administrator *should* be able to create GP's anywhere.

But unless you go check and make sure that you still have permissions and that someone else didn't change them or they somehow just got changed, you can't be absolutely sure.

That tab will tell you specifically whether or not you still have permissions.
0
tudeatico Author Commented:
Where is the GP management tool???
0
Mike_Kauble Commented:
If you have it installed, it would be listed in the Administrative Tools section of the Start Menu. Also, when you click on an OU, it should say that GP's are handled with that tool and open the tool for you.

If not:

http://www.microsoft.com/windowsserver2003/gpmc/gpmcintro.mspx

You can download it there and install it. Quick and simple, and it's worth the 5 minutes to do it.

Good luck.
0
tudeatico Author Commented:
I've verified that the domain admins can create GPOs. I'm using the GP management tool, and when I try to create a GPO under GROUP POLICY OBJECTS, I receive the error access is denied.
0
Mike_Kauble Commented:
Hmmmmm.

Two things I would try next. If you're using an account that simply belongs to the Domain Admin group, rather than the built in Administrator account, check and be sure that you're still part of that group.

If that looks okay, then create a test group, and a test user and join the user to that group.

Then, in the GP management tool, give that group permission to create group policy. That will tell you if maybe your group is buggered somehow.

Sorry if this seems kinda slow and such, but these are the steps I would take.
0
tudeatico Author Commented:
OK, tomorrow I'll try these steps, but I have a question for you: could my problem be because I have an NT 4.0 relationship with the Windows 2003 domain?????
0
Mike_Kauble Commented:
That I don't know about.

Have you been able to create GP's before? Has anything changed, such as possibly putting the controller into native mode?

Usually I try to answer all of the really, really basic questions before I go somewhere else?

You might also want to check the update log. Maybe something was updated that has caused some sort of a problem.

Good luck. Let me know how it turns out.
0
WeHe Commented:
> but i've a question for you, it' can be my problem is because i've a NT 4.0 relationship with de windows 2003 domain?????
Definitely not.
Are you sure nobody changed the rights for domain admins?
Did you try it as an enterprise admin?
0
tudeatico Author Commented:
I'm enterprise admin, domain admin & group policy creator
0
nihlcat Commented:
I had the same error when the SYSVOL share was moved on one of my DCs, causing a file replication train wreck (rookie mistake, don't ask ;)

This article looks like one I reviewed, it MAY be relevant but I am a bit skeptical.
http://support.microsoft.com/?kbid=839499

You should post some errors from your event logs for us to look at (yes, there will be some I'm betting). And also check NTFS file permissions on your SYSVOL share, where your GPs are stored.
0
tudeatico Author Commented:
I've reviewed this article http://support.microsoft.com/?kbid=839499; the registry entries and default domain policies properties are good. Any other ideas??????
0
nihlcat Commented:
What errors is your event log showing?
0
tudeatico Author Commented:
Event ID: 1030 and 1057. IMPORTANT: I don't have the error 1058.
0
nihlcat Commented:
Sorry I should have asked for the entire entry.  Can you paste those?  ie:

Event Type: Error
Event Source: SceCli
Event Category: None
Event ID: 1030
Date: 11/21/2003
Time: 12:55:33 PM
User: N/A
Computer: <ComputerName>
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
0
tudeatico Author Commented:
Event Type: Error
Event Source: userenv
Event Category: None
Event ID: 1057
Date: 11/21/2003
Time: 12:55:33 PM
User: N/A
Computer: <ComputerName>
Description: Windows cannot determine the user or computer name. (The specified user does not exist. ). Group Policy processing aborted

&


Event Type: Error
Event Source: SceCli
Event Category: None
Event ID: 1030
Date: 11/21/2003
Time: 12:55:33 PM
User: N/A
Computer: <ComputerName>
Description: Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

0
nihlcat Commented:
Ok good.  Now let's see if we can isolate.  From a command prompt type:
find /i "cannot find" %SYSTEMROOT%\security\logs\winlogon.log
0
tudeatico Author Commented:
It reports this:


Access denied - C:\WINDOWS File not found - \SECURITY\LOGS\WINLOGON.LOG
0
nihlcat Commented:
Hrm...  Ok, that path must be different.  We need to find the location of your winlogon.log file and look for errors.  Can you find it and look for errors containing "cannot find".  This may shed some light on the error.
0
tudeatico Author Commented:
Errors in the file winlogon.log:


1.- Error 0 to send control flag 1 over to server.

Make a local copy of \\DOMAIN\sysvol\DOMAIN\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkDomain GPO_INFO_FLAG_BACKGROUND )

Make a local copy of \\DOMAIN\sysvol\DOMAIN\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
GPLinkOrganizationUnit GPO_INFO_FLAG_BACKGROUND )

This error repeats every day.
0
nihlcat Commented:
Ok!  =)

Those 2 policies are your default domain policies:

{31B2F340-016D-11D2-945F-00C04FB984F9}---Default Domain Policy
{6AC1786C-016F-11D2-945F-00C04fB984F9}---Default Domain Controllers Policy

You may wish to try and reset permissions on those 2 objects:
http://support.microsoft.com/?kbid=226243

Also, if SYSVOL path has been changed on any of your replication partners (DCs), that can also produce errors similar to this. You should check your event log under FRS tab. It will be complaining about file locations if it can't find SYSVOL where it thinks it should be.

Obviously, check to be sure FRS service is running on all DCs, and test out your DNS, to ensure that you can resolve the names of all your other DCs.
0
tudeatico Author Commented:
But the link http://support.microsoft.com/?kbid=226243 is for Windows 2000, no????

The SYSVOL path hasn't changed, and I can find SYSVOL perfectly on all DCs. Also, I can resolve the names OK.
0
nihlcat Commented:
Ok good!  Yes, you're right about that 2000 article, although it should work for both.  (I think the GP template would still be in the same location)  Either way, don't try that.  I have actually found an M$ article concerning SMB signing that may apply.  Specifically, review the Cause and Resolution section:

http://support.microsoft.com/?kbid=839499

If that does not apply, are there no other event log errors?  DNS, Directory Services, FRS?  I am thinking that there is an unseen problem with DNS.

It was never really asked, but did anything change?  Any server updates?
0
tudeatico Author Commented:
I reviewed the article http://support.microsoft.com/?kbid=839499 on all DCs. The entries in the registry for all DCs are good, and the policies too.
0
nihlcat Commented:
Also, is DFS running on your DCs?
0
tudeatico Author Commented:
I think not, why?
0
nihlcat Commented:
Just curious, found an article, but if no DFS it's not relevant.  I found the correct instructions for 2003 to reset Permissions on your GPs:

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B324800

Another option available to you is to restore your GPOs to their default state.  Obviously you'll lose any changes that were made.  You should consider this as last resort:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/dcgpofix.asp
0
tudeatico Author Commented:
Do you know what the problem was? The user Administrator was disabled and the logon name was changed. That was the problem!!!!!!!!!!!!!!!!! Many thanks to all of you. You are great. Thanks.
0
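
Added example (not part of any post in this thread): a small Python triage script for the two kinds of text pasted above, Event Viewer entries and winlogon.log lines. The hint wording and the sample input are constructed here; the rules reflect only what this thread found (event 1057 traced back to a disabled, renamed Administrator account, and 1030 pointing at an earlier message), not general Microsoft guidance.

```python
import re
# GUID -> name for the two default GPOs named in the thread.
DEFAULT_GPOS = {
    "31B2F340-016D-11D2-945F-00C04FB984F9": "Default Domain Policy",
    "6AC1786C-016F-11D2-945F-00C04FB984F9": "Default Domain Controllers Policy",
}
FIELD = re.compile(r"^(Event Type|Event Source|Event ID|Description):\s*(.*)$")
GUID = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")

def parse_events(text):
    """Split pasted Event Viewer text into dicts; 'Event Type:' starts a record."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m and m.group(1) == "Event Type":
            events.append({})
        if m and events:
            events[-1][m.group(1)] = m.group(2).strip()
    return events

def triage(events):
    """Hints per event; the rules are heuristics taken from this thread only."""
    hints = []
    for e in events:
        key = (e.get("Event Source", "").lower(), e.get("Event ID"))
        desc = e.get("Description", "").lower()
        if key == ("userenv", "1057") and "user does not exist" in desc:
            hints.append("1057: check whether the logon account is disabled or renamed")
        elif key == ("scecli", "1030"):
            hints.append("1030: secondary; read the earlier policy-engine event first")
    return hints

def gpos_in_log(text):
    """Name the default GPOs whose GUIDs appear in the log (case-insensitive)."""
    found = {g.upper() for g in GUID.findall(text)}
    return sorted(DEFAULT_GPOS[g] for g in found if g in DEFAULT_GPOS)

# Constructed sample input, in the formats pasted in the thread.
SAMPLE_EVENTS = """Event Type: Error
Event Source: userenv
Event ID: 1057
Description: Windows cannot determine the user or computer name. (The specified user does not exist. ). Group Policy processing aborted
Event Type: Error
Event Source: SceCli
Event ID: 1030
Description: Windows cannot query for the list of Group Policy objects.
"""
SAMPLE_LOG = r"\\DOMAIN\sysvol\DOMAIN\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine"
print(triage(parse_events(SAMPLE_EVENTS)), gpos_in_log(SAMPLE_LOG))
```

The GUID match is case-insensitive because the log excerpt in the thread writes one GUID with a lowercase `f`.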
nihlcat Commented:
Whew!  I'm glad you figured it out!  You should post in the support forum to get a refund of your points.  Be sure to include a link to this post (they prefer that).

Congrats!!!

;)
0
CetusMOD Commented:
Question PAQ'd
500 points refunded.

CetusMOD
Community Support Moderator
0