alan2938
asked on
Access Denied when trying to open RSoP.msc or use gpresult.exe
I am trying to edit the restricted group access policies in AD but am getting Access Denied error. I also get access denied when I try to use gpresult.exe.
I went to Start -> Run -> rsop.msc
It says the RSoP snap-in was unable to generate the RSoP data due to the error listed below: Access Denied.
But I am logged in as the domain adminstrator!
I went to Start -> Run -> rsop.msc
It says the RSoP snap-in was unable to generate the RSoP data due to the error listed below: Access Denied.
But I am logged in as the domain adminstrator!
merowinger
is your domain admin local admin?
ASKER
The DOMAIN/Administrator account. I don't have the option of logging into the local machine.
is this your domain controller!
Have you configured some restrictions policies directly in the default domain or domain controller policy?
Maybe your policy is the problem why you get access denied
Have you configured some restrictions policies directly in the default domain or domain controller policy?
Maybe your policy is the problem why you get access denied
ASKER
Yes it is the DC. I haven't configured anything. I inherited this domain and all it's problems with a new job.
can you check all policies? Or do you get also access denied?
ASKER
I can check others. I think I am just going to create a new Group Policy to see if that helps. Nothing is really configured specifically for our domain as of yet.
I ran the WMI Diagnostic tool from Microsoft and it was throwing errors left and right. I've attached the log to this post in case you are curious.
WMIDIAG-V2.0-2003-.SRV.RTM.32-VE.LOG
I ran the WMI Diagnostic tool from Microsoft and it was throwing errors left and right. I've attached the log to this post in case you are curious.
WMIDIAG-V2.0-2003-.SRV.RTM.32-VE.LOG
i don't know the wmidiag tool...i think dcdiag would be more interesting!"
Why do you want to create a new policy?
The problem is 99% a wrong set policy value...check your existsing policy settings!
Download the Group Policy Management Console from Microsoft it provides more overview of all settings!
Why do you want to create a new policy?
The problem is 99% a wrong set policy value...check your existsing policy settings!
Download the Group Policy Management Console from Microsoft it provides more overview of all settings!
ASKER
I have already obtained that Hotfix. It is for WinXP only so I can't install it on my 2K3 server. When I try to install it on my XP client machine it tells me that it cannot be installed because my version of the OS is already newer than what I am trying to install, and that I need to install it on a system with no service packs.
ASKER
And here are the results from dcdiag.exe:
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SERVER1
Starting test: Connectivity
The host 23001039-8ba2-4ed1-9c91-e1fca239b4dd._msdcs.MYDOMAIN.DOMAIN.COM could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(23001039-8ba2-4ed1-9c91-e1fca239b4dd._msdcs.MYDOMAIN.DOMAIN.COM)
couldn't be resolved, the server name
(SERVER1.MYDOMAIN.DOMAIN.COM) resolved to the IP address
(192.168.211.3) and was pingable. Check that the IP address is
registered correctly with the DNS server.
......................... SERVER1 failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SERVER1
Skipping all tests, because server SERVER1 is not responding to directory service requests
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : MYDOMAIN
Starting test: CrossRefValidation
......................... MYDOMAIN passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... MYDOMAIN passed test CheckSDRefDom
Running enterprise tests on : MYDOMAIN.DOMAIN.COM
Starting test: Intersite
......................... MYDOMAIN.DOMAIN.COM passed test Intersite
Starting test: FsmoCheck
......................... MYDOMAIN.DOMAIN.COM passed test FsmoCheck
looks like a dns problem!
ASKER
Weeeell, I went through this morning after I demoted an old domain controller and removed all references to it from DNS so changes are I could have messed something up.
I ran DCdiag about a week ago and there were no problems. Just the RSoP issue.
I ran DCdiag about a week ago and there were no problems. Just the RSoP issue.
so make sure that all your domain controllers and dns server are configured correct!
Its very important to have configured a dns server for a dc .... can also be itself 127.0.0.1
Its very important to have configured a dns server for a dc .... can also be itself 127.0.0.1
ASKER
Heh, I know that a functional DNS is very important. DNS has been working perfectly before I removed the entries to my old DC, and seems to still be working exactly the same. I haven't received any complaints from my 40+ users when it comes to surfing the internet. However, this internal stuff goes a bit over my head so any suggestions are definitely appreciated.
we can only when you explain your network infrastrucuture a little bit....
dc's, dns servers, forwards, domains, forest...
dc's, dns servers, forwards, domains, forest...
ASKER
The network is very straight forward, or at least it SHOULD be. And just so you know, I inherited this network along with a new job so now I am in the clean up phases.
It HAD two domain controllers. This morning I demoted one because it was Win2000. I changed the domain and forest from Mixed mode to Windows 2003. The single domain controller now is handling all DNS and DHCP queries. 50 workstations in the network, mixed PCs and MACs, 35 users.
I have a new server with a brand new install of Server 2003 that I want to bring into the domain as another domain controller to have the high availability failover for Active Directory, DNS, and DHCP.
So, like I said. SHOULD be simple. =)
It HAD two domain controllers. This morning I demoted one because it was Win2000. I changed the domain and forest from Mixed mode to Windows 2003. The single domain controller now is handling all DNS and DHCP queries. 50 workstations in the network, mixed PCs and MACs, 35 users.
I have a new server with a brand new install of Server 2003 that I want to bring into the domain as another domain controller to have the high availability failover for Active Directory, DNS, and DHCP.
So, like I said. SHOULD be simple. =)
ok first my suggestion is to not promote another domain controller befor all problems are solved :)
- So is the existing dns server configured on each computer (included itself with 127.0.0.1)?
- does the dns server has a forward and reverse lookup zone
- try start->run->nslookup on the server and post the result
- So is the existing dns server configured on each computer (included itself with 127.0.0.1)?
- does the dns server has a forward and reverse lookup zone
- try start->run->nslookup on the server and post the result
ASKER
I am not sure what you mean by "configured on each computer". Yes, every other machine in the domain is set to use the server as it's DNS server. The server itself is set to use the DNS servers of our ISP.
Yes, the server has forward and reverse lookup zones.
NSlookup from the server shows the following:
Default Server: X.MYISP.net
Address: 129.XXX.XXX.250
However, NSlookup from my workstation shows the following:
*** Can't find server name for address 192.XXX.XXX.3: Non-existent domain
*** Can't find server name for address 192.XXX.XXX.4: No response from server
*** Default servers are not available
Default Server: UnKnown
Address: 192.XXX.XXX.3
.3 is the server, which is now the only domain controller/DNS/DHCP machine on the network. .4 is the old domain controller that I removed this morning. I restarted the DNS service and it didn't help.
Yes, the server has forward and reverse lookup zones.
NSlookup from the server shows the following:
Default Server: X.MYISP.net
Address: 129.XXX.XXX.250
However, NSlookup from my workstation shows the following:
*** Can't find server name for address 192.XXX.XXX.3: Non-existent domain
*** Can't find server name for address 192.XXX.XXX.4: No response from server
*** Default servers are not available
Default Server: UnKnown
Address: 192.XXX.XXX.3
.3 is the server, which is now the only domain controller/DNS/DHCP machine on the network. .4 is the old domain controller that I removed this morning. I restarted the DNS service and it didn't help.
are there configured two dns serverson the clients?
How is your DNS Server ISP configuration (screenshots)
How is your DNS Server ISP configuration (screenshots)
ASKER
Yes, there are two DNS servers on the clients. .3 and .4 (3 is the now one and only domain controller and 4 was the machine I removed yesterday).
Not sure what you are asking for regarding the screen shots. You want shots from the actual DNS somewhere or just TCP/IP Properties? Here is TCP/IP, which is the only place we tell the machine to use the ISP's DNS servers.
dot3DNS.JPG
Not sure what you are asking for regarding the screen shots. You want shots from the actual DNS somewhere or just TCP/IP Properties? Here is TCP/IP, which is the only place we tell the machine to use the ISP's DNS servers.
dot3DNS.JPG
the isp dns server should be configured in your dns configuration!
Start->Run->dnsmgmt.msc->r
http://www.grape-info.com/doc/win2000srv/internet-gw/dns_forward/dns_forward02.gif
In your TCP/IP Settings of the server there should be configured the dns server itself (127.0.0.1) and the second dns server if it exists
Why this all?!?!
1. When a clients wants to resolve a name...it requests the dns server which is configured in its tcpip settings (first checks it local cache and hosts file)
2. If a dns server wants to resolve a name (independed if this is a own request or some of a client) it also checks first the local cache, then the host file and then checks its dns database (because the server's is has itself configured). If it does not find a name to resolve...it's 100% a name outside your domain...then the forwarders are important (e.g. internet dns)
Start->Run->dnsmgmt.msc->r
http://www.grape-info.com/doc/win2000srv/internet-gw/dns_forward/dns_forward02.gif
In your TCP/IP Settings of the server there should be configured the dns server itself (127.0.0.1) and the second dns server if it exists
Why this all?!?!
1. When a clients wants to resolve a name...it requests the dns server which is configured in its tcpip settings (first checks it local cache and hosts file)
2. If a dns server wants to resolve a name (independed if this is a own request or some of a client) it also checks first the local cache, then the host file and then checks its dns database (because the server's is has itself configured). If it does not find a name to resolve...it's 100% a name outside your domain...then the forwarders are important (e.g. internet dns)
ASKER
Thanks for the heads up. The DNS servers from our secondary T1 were in there (we are fed by two T1s). I added the new DNS servers from the primary T1 along with them so now there are four. I also changed the TCP/IP settings to just have 127.0.0.1. After restarting DNS, I get the following from nslookup on the server:
Default Server: localhost
Address: 127.0.0.1
>
And the following from nslookup on my machine:
Default Server: myserver.mydomain.com
Address: 192.xxx.xxx.3
>
So THAT seems to be working correctly now.
However, a dcdiag still shows the following... which baffles me because the record in _msdcs does not exist:
Doing initial required tests
Testing server: Default-First-Site-Name\my
Starting test: Connectivity
The host 23001039-8ba2-4ed1-9c91-e1
(23001039-8ba2-4ed1-9c91-e
couldn't be resolved, the server name
(myserver.mydomain.com) resolved to the IP address
(192.xxx.xxx.3) and was pingable. Check that the IP address is
registered correctly with the DNS server.
......................... myserver failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\my
Skipping all tests, because server myserver is
not responding to directory service requests
Default Server: localhost
Address: 127.0.0.1
>
And the following from nslookup on my machine:
Default Server: myserver.mydomain.com
Address: 192.xxx.xxx.3
>
So THAT seems to be working correctly now.
However, a dcdiag still shows the following... which baffles me because the record in _msdcs does not exist:
Doing initial required tests
Testing server: Default-First-Site-Name\my
Starting test: Connectivity
The host 23001039-8ba2-4ed1-9c91-e1
(23001039-8ba2-4ed1-9c91-e
couldn't be resolved, the server name
(myserver.mydomain.com) resolved to the IP address
(192.xxx.xxx.3) and was pingable. Check that the IP address is
registered correctly with the DNS server.
......................... myserver failed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\my
Skipping all tests, because server myserver is
not responding to directory service requests
ASKER
See my comment above, but also take a look at the Scope Options from DHCP. They don't seem correct to me either. Should I remove .4 from both DNS and WINS entries and change .3 to be 127.0.0.1? The domain name and Router are correct.
dot3DHCPscope.JPG
dot3DHCPscope.JPG
no the 127.0.0.1 can only be used on the dns server iteself, but not via dhcp for the clients!
The only you should do is to remove the old dns and wins server...
you can add this entry when you have a new one!
Is your dns active diretory integrated?
To check this..in dns console right click forward lookup zone...
see here:
http://www.windowsecurity.com/img/upl/image0061181724774514.jpg
The only you should do is to remove the old dns and wins server...
you can add this entry when you have a new one!
Is your dns active diretory integrated?
To check this..in dns console right click forward lookup zone...
see here:
http://www.windowsecurity.com/img/upl/image0061181724774514.jpg
ASKER
Yes, it is active directory integrated.
ok please execute the netdiag /fix command
http://support.microsoft.com/kb/219289/en-us
http://support.microsoft.com/kb/219289/en-us
ASKER
Several errors when running dcdiag/fix the first time... one of them fatal. See code snippet below.
However I ran it again and the fatal error did not show up again. A normal dcdiag shows all tests passing now.
Rsop.msc and gpresult.exe still return Access Denied :(
However I ran it again and the fatal error did not show up again. A normal dcdiag shows all tests passing now.
Rsop.msc and gpresult.exe still return Access Denied :(
NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.
DNS test . . . . . . . . . . . . . : Failed
[FIX] re-register DC DNS entry '23001039-8ba2-4ed1-9c91-e1fca239b4dd._msdcs.
mydomain.domain.com.' on DNS server '127.0.0.1' succeed.
[FATAL] File \config\netlogon.dns contains invalid DNS entries. [FATAL
] No DNS servers have the DNS records for this DC registered.
you should run a netdiag /fix noch dcdiag :)
ASKER
I'm sorry, that was a typo. I did run netdiag /fix and received the info I listed in the code snipped two posts up. Then ran it again as I indicated and did not receive the FATAL error the second time.
I THEN ran dcdiag and it passed all tests.
And THEN tried to run gpresult.exe and rsop.msc again. Both returned Access Denied.
I THEN ran dcdiag and it passed all tests.
And THEN tried to run gpresult.exe and rsop.msc again. Both returned Access Denied.
could you please try
gpupdate /force
and
gpudpate /force /wait:0
on a client and test it again (maybe wait 90 minutes)!?
gpupdate /force
and
gpudpate /force /wait:0
on a client and test it again (maybe wait 90 minutes)!?
ASKER
I actually did do a gpupdate /force on the server several times in the last two hours. But I just did the refresh on my client machine... but I doubt it will have any effect.
Going through Active Directory Users and Computers on my server I was able to create a new RSoP Object for my client machine and view it on the server without any problem. It's just when I try to run RSoP or dcdiag.exe for the server itself that I get Access Denied. I've even tried dcdiag /s myserver from my client machine and still get Access Denied.
Going through Active Directory Users and Computers on my server I was able to create a new RSoP Object for my client machine and view it on the server without any problem. It's just when I try to run RSoP or dcdiag.exe for the server itself that I get Access Denied. I've even tried dcdiag /s myserver from my client machine and still get Access Denied.
do you use the enterprise domain admin account
ASKER
I am logged in as the domain administrator on the server and my own id on my client machine. Both are members of the enterprise administrator group.
can you check the sysvol folder and it's contents for missing permissons?
ASKER
Now that's getting way over my head. C:\windows\sysvol\sysvol\ shows 12 folders. See file below...
what exactly am I looking for?
dot3sysvol.JPG
what exactly am I looking for?
dot3sysvol.JPG
this one with the gpt.ini
ASKER
All 12 folders have gpt.ini inside of them.
I read something else about how to manually reset the group policy and it specifically mentioned folder {31B2F340-016D-11D2-945F-0
I read something else about how to manually reset the group policy and it specifically mentioned folder {31B2F340-016D-11D2-945F-0
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
YES! That worked:
>cd /d %windir%\system32
>regsvr32 /n /I userenv.dll
>cd wbem
>mofcomp scersop.mof
>gpupdate /force
Thank you!
I hate to say this, but this entire question was part of a larger problem that I asked about here: https://www.experts-exchange.com/questions/23271012/Event-Log-Recurring-Error-Security-policies-were-propagated-with-warning-0x534-No-mapping-between-account-names-and-security-IDs-was-done.html
Now that I can get into RSoP I can hopefully get to part 2 of the mysterious 1202 application event log errors.
>cd /d %windir%\system32
>regsvr32 /n /I userenv.dll
>cd wbem
>mofcomp scersop.mof
>gpupdate /force
Thank you!
I hate to say this, but this entire question was part of a larger problem that I asked about here: https://www.experts-exchange.com/questions/23271012/Event-Log-Recurring-Error-Security-policies-were-propagated-with-warning-0x534-No-mapping-between-account-names-and-security-IDs-was-done.html
Now that I can get into RSoP I can hopefully get to part 2 of the mysterious 1202 application event log errors.
ASKER
Thank you very much for all your help. You have definitely been the most helpful out of anyone who has attempted to give advice on any questions I have asked. Thank you again!!
Hey just wanted to say that this fixed my problem also! gpresult /v gave me access denied. Ran:
cd /d %windir%\system32
regsvr32 /n /I userenv.dll
cd wbem
mofcomp scersop.mof
gpupdate /force
All fixed, thanks alot for the help!
cd /d %windir%\system32
regsvr32 /n /I userenv.dll
cd wbem
mofcomp scersop.mof
gpupdate /force
All fixed, thanks alot for the help!
This worked for us with a Windows 2008 64-bit server:
cd c:\windows\system32
regsvr32 userenv.dll
cd wbem
mofcomp scersop.mof
We had to reboot to fix everything.
cd c:\windows\system32
regsvr32 userenv.dll
cd wbem
mofcomp scersop.mof
We had to reboot to fix everything.
I know this is a REAL old thread, but came in handy for me today! Thanks for this post/solution (registering the userenv.dll file). What happened for me is I was having issues (still may be) with uesr config -based group policies applying for me (just me...seems to work for other users). running gpresult/rsop showed potential issue with wmi filtering (filter is applied to these particular problem gpo's), and even though running wmimgmt /verifyrepository returned as "consistent", I went ahead & rebuilt my wmi repository anyway to see if it would help (wmimgmt /resetrepository). Seemed fine until I went to run gpresult/rsop again. Either of those had the 'select user' part of the wizard greyed out, & I noticed an 'invalid namespace' error when attempting to open rsop. after a day and a half of research, found nothing that helped, including completely rebuilding the wmi (as shown here: http://blogs.technet.com/b/configmgrteam/archive/2009/05/08/wmi-troubleshooting-tips.aspx). kept going through articles via google search & finally stumbled on this. attempted the above cmds & voìla! It fixed my invalid namespace/greyed out user selection issue! So...THANKS! :)
@coolsport00
@coolsport00