Link to home
Create AccountLog in
Avatar of alan2938

asked on

Access Denied when trying to open RSoP.msc or use gpresult.exe

I am trying to edit the restricted group access policies in AD but am getting Access Denied error. I also get access denied when I try to use gpresult.exe.

I went to Start -> Run -> rsop.msc
It says the RSoP snap-in was unable to generate the RSoP data due to the error listed below: Access Denied.

But I am logged in as the domain adminstrator!
Avatar of merowinger
Flag of Germany image

is your domain admin local admin?
Avatar of alan2938


The DOMAIN/Administrator account. I don't have the option of logging into the local machine.
is this your domain controller!
Have you configured some restrictions policies directly in the default domain or domain controller policy?

Maybe your policy is the problem why you get access denied
Yes it is the DC. I haven't configured anything. I inherited this domain and all it's problems with a new job.
can you check all policies? Or do you get also access denied?
I can check others. I think I am just going to create a new Group Policy to see if that helps. Nothing is really configured specifically for our domain as of yet.

I ran the WMI Diagnostic tool from Microsoft and it was throwing errors left and right. I've attached the log to this post in case you are curious.
i don't know the wmidiag tool...i think dcdiag would be more interesting!"
Why do you want to create a new policy?

The problem is 99% a wrong set policy value...check your existsing policy settings!

Download the Group Policy Management Console from Microsoft it provides more overview of all settings!
There is a hotfix from Microsoft for this issue.
I have already obtained that Hotfix. It is for WinXP only so I can't install it on my 2K3 server. When I try to install it on my XP client machine it tells me that it cannot be installed because my version of the OS is already newer than what I am trying to install, and that I need to install it on a system with no service packs.
And here are the results from dcdiag.exe:
Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\SERVER1
      Starting test: Connectivity
         The host 23001039-8ba2-4ed1-9c91-e1fca239b4dd._msdcs.MYDOMAIN.DOMAIN.COM could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
          couldn't be resolved, the server name
         (SERVER1.MYDOMAIN.DOMAIN.COM) resolved to the IP address
         ( and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... SERVER1 failed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\SERVER1
      Skipping all tests, because server SERVER1 is not responding to directory service requests
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   Running partition tests on : MYDOMAIN
      Starting test: CrossRefValidation
         ......................... MYDOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... MYDOMAIN passed test CheckSDRefDom
   Running enterprise tests on : MYDOMAIN.DOMAIN.COM
      Starting test: Intersite
         ......................... MYDOMAIN.DOMAIN.COM passed test Intersite
      Starting test: FsmoCheck
         ......................... MYDOMAIN.DOMAIN.COM passed test FsmoCheck

Open in new window

looks like a dns problem!
Weeeell, I went through this morning after I demoted an old domain controller and removed all references to it from DNS so changes are I could have messed something up.

I ran DCdiag about a week ago and there were no problems. Just the RSoP issue.
so make sure that all your domain controllers and dns server are configured correct!
Its very important to have configured a dns server for a dc .... can also be itself
Heh, I know that a functional DNS is very important. DNS has been working perfectly before I removed the entries to my old DC, and seems to still be working exactly the same. I haven't received any complaints from my 40+ users when it comes to surfing the internet. However, this internal stuff goes a bit over my head so any suggestions are definitely appreciated.
we can only when you explain your network infrastrucuture a little bit....
dc's, dns servers, forwards, domains, forest...
The network is very straight forward, or at least it SHOULD be. And just so you know, I inherited this network along with a new job so now I am in the clean up phases.

It HAD two domain controllers. This morning I demoted one because it was Win2000. I changed the domain and forest from Mixed mode to Windows 2003. The single domain controller now is handling all DNS and DHCP queries. 50 workstations in the network, mixed PCs and MACs, 35 users.

I have a new server with a brand new install of Server 2003 that I want to bring into the domain as another domain controller to have the high availability failover for Active Directory, DNS, and DHCP.

So, like I said. SHOULD be simple. =)
ok first my suggestion is to not promote another domain controller befor all problems are solved :)

- So is the existing dns server configured on each computer (included itself with
- does the dns server has a forward and reverse lookup zone
- try start->run->nslookup on the server and post the result
I am not sure what you mean by "configured on each computer". Yes, every other machine in the domain is set to use the server as it's DNS server. The server itself is set to use the DNS servers of our ISP.

Yes, the server has forward and reverse lookup zones.

NSlookup from the server shows the following:
Default Server:
Address:  129.XXX.XXX.250

However, NSlookup from my workstation shows the following:
*** Can't find server name for address 192.XXX.XXX.3: Non-existent domain
*** Can't find server name for address 192.XXX.XXX.4: No response from server
*** Default servers are not available
Default Server:  UnKnown
Address:  192.XXX.XXX.3

.3 is the server, which is now the only domain controller/DNS/DHCP machine on the network. .4 is the old domain controller that I removed this morning. I restarted the DNS service and it didn't help.
are there configured two dns serverson the clients?
How is your DNS Server ISP configuration (screenshots)
Yes, there are two DNS servers on the clients. .3 and .4 (3 is the now one and only domain controller and 4 was the machine I removed yesterday).

Not sure what you are asking for regarding the screen shots. You want shots from the actual DNS somewhere or just TCP/IP Properties? Here is TCP/IP, which is the only place we tell the machine to use the ISP's DNS servers.
the isp dns server should be configured in your dns configuration!

Start->Run->dnsmgmt.msc->rightclick servername->Properties->Forwarders

In your TCP/IP Settings of the server there should be configured the dns server itself ( and the second dns server if it exists

Why this all?!?!
1. When a clients wants to resolve a requests the dns server which is configured in its tcpip settings (first checks it local cache and hosts file)
2. If a dns server wants to resolve a name (independed if this is a own request or some of a client) it also checks first the local cache, then the host file and then checks its dns database (because the server's is has itself configured). If it does not find a name to's 100% a name outside your domain...then the forwarders are important (e.g. internet dns)
Thanks for the heads up. The DNS servers from our secondary T1 were in there (we are fed by two T1s). I added the new DNS servers from the primary T1 along with them so now there are four. I also changed the TCP/IP settings to just have After restarting DNS, I get the following from nslookup on the server:

Default Server:  localhost

And the following from nslookup on my machine:
Default Server:

So THAT seems to be working correctly now.

However, a dcdiag still shows the following... which baffles me because the record in _msdcs does not exist:

Doing initial required tests

   Testing server: Default-First-Site-Name\myserver
      Starting test: Connectivity
         The host could not be resolved to an IP address.  Check the DNS server, DHCP, server name, etc Although the Guid DNS name
          couldn't be resolved, the server name
         ( resolved to the IP address
         ( and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... myserver failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\myserver
      Skipping all tests, because server myserver is
      not responding to directory service requests
See my comment above, but also take a look at the Scope Options from DHCP. They don't seem correct to me either. Should I remove .4 from both DNS and WINS entries and change .3 to be The domain name and Router are correct.
no the can only be used on the dns server iteself, but not via dhcp for the clients!
The only you should do is to remove the old dns and wins server...
you can add this entry when you have a new one!

Is your dns active diretory integrated?
To check dns console right click forward lookup zone...

see here:
Yes, it is active directory integrated.
ok please execute the netdiag /fix command
Several errors when running dcdiag/fix the first time... one of them fatal. See code snippet below.

However I ran it again and the fatal error did not show up again. A normal dcdiag shows all tests passing now.

Rsop.msc and gpresult.exe still return Access Denied :(

NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.
DNS test . . . . . . . . . . . . . : Failed
    [FIX] re-register DC DNS entry '23001039-8ba2-4ed1-9c91-e1fca239b4dd._msdcs.' on DNS server '' succeed.
       [FATAL] File \config\netlogon.dns contains invalid DNS entries.    [FATAL
] No DNS servers have the DNS records for this DC registered.

Open in new window

you should run a netdiag /fix noch dcdiag :)
I'm sorry, that was a typo. I did run netdiag /fix and received the info I listed in the code snipped two posts up. Then ran it again as I indicated and did not receive the FATAL error the second time.

I THEN ran dcdiag and it passed all tests.

And THEN tried to run gpresult.exe and rsop.msc again. Both returned Access Denied.
could you please try

gpupdate /force


gpudpate /force /wait:0

on a client and test it again (maybe wait 90 minutes)!?
I actually did do a gpupdate /force on the server several times in the last two hours. But I just did the refresh on my client machine... but I doubt it will have any effect.

Going through Active Directory Users and Computers on my server I was able to create a new RSoP Object for my client machine and view it on the server without any problem. It's just when I try to run RSoP or dcdiag.exe for the server itself that I get Access Denied. I've even tried dcdiag /s myserver from my client machine and still get Access Denied.
do you use the enterprise domain admin account
I am logged in as the domain administrator on the server and my own id on my client machine. Both are members of the enterprise administrator group.
can you check the sysvol folder and it's contents for missing permissons?
Now that's getting way over my head. C:\windows\sysvol\sysvol\ shows 12 folders.  See file below...

what exactly am I looking for?
this one with the gpt.ini
All 12 folders have gpt.ini inside of them.

I read something else about how to manually reset the group policy and it specifically mentioned folder {31B2F340-016D-11D2-945F-00C04FB984F9}, which is one of my options. I followed the instructions in that help file as well, which didn't make a difference.
Avatar of merowinger
Flag of Germany image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
YES! That worked:

>cd /d %windir%\system32
>regsvr32 /n /I userenv.dll
>cd wbem
>mofcomp scersop.mof
>gpupdate /force

Thank you!

I hate to say this, but this entire question was part of a larger problem that I asked about here:

Now that I can get into RSoP I can hopefully get to part 2 of the mysterious 1202 application event log errors.
Thank you very much for all your help. You have definitely been the most helpful out of anyone who has attempted to give advice on any questions I have asked. Thank you again!!
Hey just wanted to say that this fixed my problem also!  gpresult /v gave me access denied. Ran:

cd /d %windir%\system32
regsvr32 /n /I userenv.dll
cd wbem
mofcomp scersop.mof
gpupdate /force

All fixed, thanks alot for the help!
This worked for us with a Windows 2008 64-bit server:

cd c:\windows\system32
regsvr32 userenv.dll
cd wbem
mofcomp scersop.mof

We had to reboot to fix everything.
I know this is a REAL old thread, but came in handy for me today! Thanks for this post/solution (registering the userenv.dll file). What happened for me is I was having issues (still may be) with uesr config -based group policies applying for me (just me...seems to work for other users). running gpresult/rsop showed potential issue with wmi filtering (filter is applied to these particular problem gpo's), and even though running wmimgmt /verifyrepository returned as "consistent", I went ahead & rebuilt my wmi repository anyway to see if it would help (wmimgmt /resetrepository). Seemed fine until I went to run gpresult/rsop again. Either of those had the 'select user' part of the wizard greyed out, & I noticed an 'invalid namespace' error when attempting to open rsop. after a day and a half of research, found nothing that helped, including completely rebuilding the wmi (as shown here: kept going through articles via google search & finally stumbled on this. attempted the above cmds & voìla! It fixed my invalid namespace/greyed out user selection issue! So...THANKS! :)