Access Denied when trying to open RSoP.msc or use gpresult.exe

I am trying to edit the restricted group access policies in AD but am getting Access Denied error. I also get access denied when I try to use gpresult.exe.

I went to Start -> Run -> rsop.msc
It says the RSoP snap-in was unable to generate the RSoP data due to the error listed below: Access Denied.

But I am logged in as the domain adminstrator!
LVL 1
alan2938Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

merowingerCommented:
is your domain admin local admin?
alan2938Author Commented:
The DOMAIN/Administrator account. I don't have the option of logging into the local machine.
merowingerCommented:
is this your domain controller!
Have you configured some restrictions policies directly in the default domain or domain controller policy?

Maybe your policy is the problem why you get access denied
Price Your IT Services for Profit

Managed service contracts are great - when they're making you money. Yes, you’re getting paid monthly, but is it actually profitable? Learn to calculate your hourly overhead burden so you can master your IT services pricing strategy.

alan2938Author Commented:
Yes it is the DC. I haven't configured anything. I inherited this domain and all it's problems with a new job.
merowingerCommented:
can you check all policies? Or do you get also access denied?
alan2938Author Commented:
I can check others. I think I am just going to create a new Group Policy to see if that helps. Nothing is really configured specifically for our domain as of yet.

I ran the WMI Diagnostic tool from Microsoft and it was throwing errors left and right. I've attached the log to this post in case you are curious.
WMIDIAG-V2.0-2003-.SRV.RTM.32-VE.LOG
merowingerCommented:
i don't know the wmidiag tool...i think dcdiag would be more interesting!"
Why do you want to create a new policy?

The problem is 99% a wrong set policy value...check your existsing policy settings!

Download the Group Policy Management Console from Microsoft it provides more overview of all settings!
thenoneCommented:
There is a hotfix from Microsoft for this issue.

http://support.microsoft.com/kb/322852
alan2938Author Commented:
I have already obtained that Hotfix. It is for WinXP only so I can't install it on my 2K3 server. When I try to install it on my XP client machine it tells me that it cannot be installed because my version of the OS is already newer than what I am trying to install, and that I need to install it on a system with no service packs.
alan2938Author Commented:
And here are the results from dcdiag.exe:
Domain Controller Diagnosis
 
Performing initial setup:
   Done gathering initial info.
 
Doing initial required tests
 
   Testing server: Default-First-Site-Name\SERVER1
      Starting test: Connectivity
         The host 23001039-8ba2-4ed1-9c91-e1fca239b4dd._msdcs.MYDOMAIN.DOMAIN.COM could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (23001039-8ba2-4ed1-9c91-e1fca239b4dd._msdcs.MYDOMAIN.DOMAIN.COM)
          couldn't be resolved, the server name
         (SERVER1.MYDOMAIN.DOMAIN.COM) resolved to the IP address
         (192.168.211.3) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... SERVER1 failed test Connectivity
 
Doing primary tests
 
   Testing server: Default-First-Site-Name\SERVER1
      Skipping all tests, because server SERVER1 is not responding to directory service requests
 
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
 
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
 
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
 
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
 
   Running partition tests on : MYDOMAIN
      Starting test: CrossRefValidation
         ......................... MYDOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... MYDOMAIN passed test CheckSDRefDom
 
   Running enterprise tests on : MYDOMAIN.DOMAIN.COM
      Starting test: Intersite
         ......................... MYDOMAIN.DOMAIN.COM passed test Intersite
      Starting test: FsmoCheck
         ......................... MYDOMAIN.DOMAIN.COM passed test FsmoCheck

Open in new window

merowingerCommented:
looks like a dns problem!
alan2938Author Commented:
Weeeell, I went through this morning after I demoted an old domain controller and removed all references to it from DNS so changes are I could have messed something up.

I ran DCdiag about a week ago and there were no problems. Just the RSoP issue.
merowingerCommented:
so make sure that all your domain controllers and dns server are configured correct!
Its very important to have configured a dns server for a dc .... can also be itself 127.0.0.1
alan2938Author Commented:
Heh, I know that a functional DNS is very important. DNS has been working perfectly before I removed the entries to my old DC, and seems to still be working exactly the same. I haven't received any complaints from my 40+ users when it comes to surfing the internet. However, this internal stuff goes a bit over my head so any suggestions are definitely appreciated.
merowingerCommented:
we can only when you explain your network infrastrucuture a little bit....
dc's, dns servers, forwards, domains, forest...
alan2938Author Commented:
The network is very straight forward, or at least it SHOULD be. And just so you know, I inherited this network along with a new job so now I am in the clean up phases.

It HAD two domain controllers. This morning I demoted one because it was Win2000. I changed the domain and forest from Mixed mode to Windows 2003. The single domain controller now is handling all DNS and DHCP queries. 50 workstations in the network, mixed PCs and MACs, 35 users.

I have a new server with a brand new install of Server 2003 that I want to bring into the domain as another domain controller to have the high availability failover for Active Directory, DNS, and DHCP.

So, like I said. SHOULD be simple. =)
merowingerCommented:
ok first my suggestion is to not promote another domain controller befor all problems are solved :)

- So is the existing dns server configured on each computer (included itself with 127.0.0.1)?
- does the dns server has a forward and reverse lookup zone
- try start->run->nslookup on the server and post the result
alan2938Author Commented:
I am not sure what you mean by "configured on each computer". Yes, every other machine in the domain is set to use the server as it's DNS server. The server itself is set to use the DNS servers of our ISP.

Yes, the server has forward and reverse lookup zones.

NSlookup from the server shows the following:
Default Server:  X.MYISP.net
Address:  129.XXX.XXX.250

However, NSlookup from my workstation shows the following:
*** Can't find server name for address 192.XXX.XXX.3: Non-existent domain
*** Can't find server name for address 192.XXX.XXX.4: No response from server
*** Default servers are not available
Default Server:  UnKnown
Address:  192.XXX.XXX.3

.3 is the server, which is now the only domain controller/DNS/DHCP machine on the network. .4 is the old domain controller that I removed this morning. I restarted the DNS service and it didn't help.
merowingerCommented:
are there configured two dns serverson the clients?
How is your DNS Server ISP configuration (screenshots)
alan2938Author Commented:
Yes, there are two DNS servers on the clients. .3 and .4 (3 is the now one and only domain controller and 4 was the machine I removed yesterday).

Not sure what you are asking for regarding the screen shots. You want shots from the actual DNS somewhere or just TCP/IP Properties? Here is TCP/IP, which is the only place we tell the machine to use the ISP's DNS servers.
dot3DNS.JPG
merowingerCommented:
the isp dns server should be configured in your dns configuration!

Start->Run->dnsmgmt.msc->rightclick servername->Properties->Forwarders
http://www.grape-info.com/doc/win2000srv/internet-gw/dns_forward/dns_forward02.gif

In your TCP/IP Settings of the server there should be configured the dns server itself (127.0.0.1) and the second dns server if it exists


Why this all?!?!
1. When a clients wants to resolve a name...it requests the dns server which is configured in its tcpip settings (first checks it local cache and hosts file)
2. If a dns server wants to resolve a name (independed if this is a own request or some of a client) it also checks first the local cache, then the host file and then checks its dns database (because the server's is has itself configured). If it does not find a name to resolve...it's 100% a name outside your domain...then the forwarders are important (e.g. internet dns)
alan2938Author Commented:
Thanks for the heads up. The DNS servers from our secondary T1 were in there (we are fed by two T1s). I added the new DNS servers from the primary T1 along with them so now there are four. I also changed the TCP/IP settings to just have 127.0.0.1. After restarting DNS, I get the following from nslookup on the server:

Default Server:  localhost
Address:  127.0.0.1
>

And the following from nslookup on my machine:
Default Server:  myserver.mydomain.com
Address:  192.xxx.xxx.3
>

So THAT seems to be working correctly now.

However, a dcdiag still shows the following... which baffles me because the record in _msdcs does not exist:

Doing initial required tests

   Testing server: Default-First-Site-Name\myserver
      Starting test: Connectivity
         The host 23001039-8ba2-4ed1-9c91-e1fca239b4dd._msdcs.mydomain.com could not be resolved to an IP address.  Check the DNS server, DHCP, server name, etc Although the Guid DNS name
         (23001039-8ba2-4ed1-9c91-e1fca239b4dd._msdcs.,mydomain.com)
          couldn't be resolved, the server name
         (myserver.mydomain.com) resolved to the IP address
         (192.xxx.xxx.3) and was pingable.  Check that the IP address is
         registered correctly with the DNS server.
         ......................... myserver failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\myserver
      Skipping all tests, because server myserver is
      not responding to directory service requests
alan2938Author Commented:
See my comment above, but also take a look at the Scope Options from DHCP. They don't seem correct to me either. Should I remove .4 from both DNS and WINS entries and change .3 to be 127.0.0.1? The domain name and Router are correct.
dot3DHCPscope.JPG
merowingerCommented:
no the 127.0.0.1 can only be used on the dns server iteself, but not via dhcp for the clients!
The only you should do is to remove the old dns and wins server...
you can add this entry when you have a new one!


Is your dns active diretory integrated?
To check this..in dns console right click forward lookup zone...

see here:
http://www.windowsecurity.com/img/upl/image0061181724774514.jpg
alan2938Author Commented:
Yes, it is active directory integrated.
merowingerCommented:
ok please execute the netdiag /fix command
http://support.microsoft.com/kb/219289/en-us
alan2938Author Commented:
Several errors when running dcdiag/fix the first time... one of them fatal. See code snippet below.

However I ran it again and the fatal error did not show up again. A normal dcdiag shows all tests passing now.

Rsop.msc and gpresult.exe still return Access Denied :(


NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
 
NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.
 
DNS test . . . . . . . . . . . . . : Failed
    [FIX] re-register DC DNS entry '23001039-8ba2-4ed1-9c91-e1fca239b4dd._msdcs.
mydomain.domain.com.' on DNS server '127.0.0.1' succeed.
       [FATAL] File \config\netlogon.dns contains invalid DNS entries.    [FATAL
] No DNS servers have the DNS records for this DC registered.

Open in new window

merowingerCommented:
you should run a netdiag /fix noch dcdiag :)
alan2938Author Commented:
I'm sorry, that was a typo. I did run netdiag /fix and received the info I listed in the code snipped two posts up. Then ran it again as I indicated and did not receive the FATAL error the second time.

I THEN ran dcdiag and it passed all tests.

And THEN tried to run gpresult.exe and rsop.msc again. Both returned Access Denied.
merowingerCommented:
could you please try

gpupdate /force

and

gpudpate /force /wait:0

on a client and test it again (maybe wait 90 minutes)!?
alan2938Author Commented:
I actually did do a gpupdate /force on the server several times in the last two hours. But I just did the refresh on my client machine... but I doubt it will have any effect.

Going through Active Directory Users and Computers on my server I was able to create a new RSoP Object for my client machine and view it on the server without any problem. It's just when I try to run RSoP or dcdiag.exe for the server itself that I get Access Denied. I've even tried dcdiag /s myserver from my client machine and still get Access Denied.
merowingerCommented:
do you use the enterprise domain admin account
alan2938Author Commented:
I am logged in as the domain administrator on the server and my own id on my client machine. Both are members of the enterprise administrator group.
merowingerCommented:
can you check the sysvol folder and it's contents for missing permissons?
alan2938Author Commented:
Now that's getting way over my head. C:\windows\sysvol\sysvol\ shows 12 folders.  See file below...

what exactly am I looking for?
dot3sysvol.JPG
merowingerCommented:
this one with the gpt.ini
alan2938Author Commented:
All 12 folders have gpt.ini inside of them.

I read something else about how to manually reset the group policy and it specifically mentioned folder {31B2F340-016D-11D2-945F-00C04FB984F9}, which is one of my options. I followed the instructions in that help file as well, which didn't make a difference.
merowingerCommented:
ok it can have many reasons.... :)

what's logged in the eventvwr?

Also check out this!
http://www.itnewsgroups.net/group/microsoft.public.windows.server.general/topic14508.aspx

Is there blocked any application like gpresult.exe...in the group policy (Check out all polcies for settings which could cause the problem)?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
alan2938Author Commented:
YES! That worked:

>cd /d %windir%\system32
>regsvr32 /n /I userenv.dll
>cd wbem
>mofcomp scersop.mof
>gpupdate /force

Thank you!

I hate to say this, but this entire question was part of a larger problem that I asked about here: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23271012.html

Now that I can get into RSoP I can hopefully get to part 2 of the mysterious 1202 application event log errors.
alan2938Author Commented:
Thank you very much for all your help. You have definitely been the most helpful out of anyone who has attempted to give advice on any questions I have asked. Thank you again!!
Unisys1Commented:
Hey just wanted to say that this fixed my problem also!  gpresult /v gave me access denied. Ran:

cd /d %windir%\system32
regsvr32 /n /I userenv.dll
cd wbem
mofcomp scersop.mof
gpupdate /force


All fixed, thanks alot for the help!
barrypierceCommented:
This worked for us with a Windows 2008 64-bit server:

cd c:\windows\system32
regsvr32 userenv.dll
cd wbem
mofcomp scersop.mof

We had to reboot to fix everything.
coolsport00Commented:
I know this is a REAL old thread, but came in handy for me today! Thanks for this post/solution (registering the userenv.dll file). What happened for me is I was having issues (still may be) with uesr config -based group policies applying for me (just me...seems to work for other users). running gpresult/rsop showed potential issue with wmi filtering (filter is applied to these particular problem gpo's), and even though running wmimgmt /verifyrepository returned as "consistent", I went ahead & rebuilt my wmi repository anyway to see if it would help (wmimgmt /resetrepository). Seemed fine until I went to run gpresult/rsop again. Either of those had the 'select user' part of the wizard greyed out, & I noticed an 'invalid namespace' error when attempting to open rsop. after a day and a half of research, found nothing that helped, including completely rebuilding the wmi (as shown here: http://blogs.technet.com/b/configmgrteam/archive/2009/05/08/wmi-troubleshooting-tips.aspx). kept going through articles via google search & finally stumbled on this. attempted the above cmds & voìla! It fixed my invalid namespace/greyed out user selection issue! So...THANKS! :)

@coolsport00
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.