Solved

GPO new policy error

Posted on 2011-03-13
Last Modified: 2012-05-11
Server 2008 Standard new install, error on Group Policy editing. Access Denied when trying to save changes. No error shows up in Event Viewer. I can create a new policy and link it to the OU, then edit and save, then open the policy again and have no access to save any changes. Checked security settings for SYSVOL, and Administrator has full control of the folder. Any suggestions on what to check next?
Question by:1Dingodog
9 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35123898
Run dcdiag post results.

Any errors in the Event logs?
0
 

Author Comment

by:1Dingodog
ID: 35123926
No errors in event logs.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35123998
How about dcdiag?
0
 

Author Comment

by:1Dingodog
ID: 35124264

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = Server2008

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\SERVER2008

      Starting test: Connectivity

         ......................... SERVER2008 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\SERVER2008

      Starting test: Advertising

         ......................... SERVER2008 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... SERVER2008 passed test FrsEvent

      Starting test: DFSREvent

         ......................... SERVER2008 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... SERVER2008 passed test SysVolCheck

      Starting test: KccEvent

         ......................... SERVER2008 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... SERVER2008 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... SERVER2008 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... SERVER2008 passed test NCSecDesc

      Starting test: NetLogons

         ......................... SERVER2008 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... SERVER2008 passed test ObjectsReplicated

      Starting test: Replications

         ......................... SERVER2008 passed test Replications

      Starting test: RidManager

         ......................... SERVER2008 passed test RidManager

      Starting test: Services

         ......................... SERVER2008 passed test Services

      Starting test: SystemLog

         An Warning Event occurred.  EventID: 0x80060005

            Time Generated: 03/13/2011   18:29:56

            Event String:

            The Virtual Storage Filter Driver is disabled through the registry. It is inactive for all disk drives.

         An Warning Event occurred.  EventID: 0x80040020

            Time Generated: 03/13/2011   18:30:12

            Event String:

            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

         An Warning Event occurred.  EventID: 0x80040020

            Time Generated: 03/13/2011   18:30:12

            Event String:

            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

         An Warning Event occurred.  EventID: 0x80040020

            Time Generated: 03/13/2011   18:30:12

            Event String:

            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.

         An Warning Event occurred.  EventID: 0x8000001D

            Time Generated: 03/13/2011   18:30:25

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         An Warning Event occurred.  EventID: 0x825A000C

            Time Generated: 03/13/2011   18:30:57

            Event String:

            Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

         An Error Event occurred.  EventID: 0x000004E6

            Time Generated: 03/13/2011   18:31:10

            Event String: Chassis intrusion detected


         An Error Event occurred.  EventID: 0xC0001B72

            Time Generated: 03/13/2011   18:31:51

            Event String:

            The following boot-start or system-start driver(s) failed to load:


         An Warning Event occurred.  EventID: 0x000727AA

            Time Generated: 03/13/2011   18:34:10

            Event String:

            The WinRM service failed to create the following SPNs: WSMAN/Server2008.Boc.local; WSMAN/Server2008.


         ......................... SERVER2008 failed test SystemLog

      Starting test: VerifyReferences

         ......................... SERVER2008 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : Boc

      Starting test: CheckSDRefDom

         ......................... Boc passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Boc passed test CrossRefValidation

   
   Running enterprise tests on : Boc.local

      Starting test: LocatorCheck

         ......................... Boc.local passed test LocatorCheck

      Starting test: Intersite

         ......................... Boc.local passed test Intersite


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = Server2008

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\SERVER2008

      Starting test: Connectivity

         ......................... SERVER2008 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\SERVER2008

      Starting test: Advertising

         ......................... SERVER2008 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... SERVER2008 passed test FrsEvent

      Starting test: DFSREvent

         ......................... SERVER2008 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... SERVER2008 passed test SysVolCheck

      Starting test: KccEvent

         ......................... SERVER2008 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... SERVER2008 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... SERVER2008 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... SERVER2008 passed test NCSecDesc

      Starting test: NetLogons

         ......................... SERVER2008 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... SERVER2008 passed test ObjectsReplicated

      Starting test: Replications

         ......................... SERVER2008 passed test Replications

      Starting test: RidManager

         ......................... SERVER2008 passed test RidManager

      Starting test: Services

         ......................... SERVER2008 passed test Services

      Starting test: SystemLog

         An Warning Event occurred.  EventID: 0x825A000C

            Time Generated: 03/13/2011   18:30:57

            Event String:

            Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

         An Error Event occurred.  EventID: 0x000004E6

            Time Generated: 03/13/2011   18:31:10

            Event String: Chassis intrusion detected


         An Error Event occurred.  EventID: 0xC0001B72

            Time Generated: 03/13/2011   18:31:51

            Event String:

            The following boot-start or system-start driver(s) failed to load:


         An Warning Event occurred.  EventID: 0x000727AA

            Time Generated: 03/13/2011   18:34:10

            Event String:

            The WinRM service failed to create the following SPNs: WSMAN/Server2008.Boc.local; WSMAN/Server2008.


         ......................... SERVER2008 failed test SystemLog

      Starting test: VerifyReferences

         ......................... SERVER2008 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : Boc

      Starting test: CheckSDRefDom

         ......................... Boc passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Boc passed test CrossRefValidation

   
   Running enterprise tests on : Boc.local

      Starting test: LocatorCheck

         ......................... Boc.local passed test LocatorCheck

      Starting test: Intersite

         ......................... Boc.local passed test Intersite

0
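The dcdiag output posted above, reduced to the entries that need a second look (an added example, not part of the original thread). It assumes the text layout shown in this thread; `parse_dcdiag` and `triage` are hypothetical helper names and the sample is abbreviated from the posted output. The low 16 bits of each EventID are the ID that Event Viewer displays, which helps when the log view appears to show no errors.

```python
import re
from collections import Counter

# Abbreviated from the dcdiag output posted in this thread (not a complete run).
SAMPLE = r"""
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER2008 passed test FrsEvent
      Starting test: SystemLog
         An Warning Event occurred.  EventID: 0x80040020
            Time Generated: 03/13/2011   18:30:12
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
         An Warning Event occurred.  EventID: 0x80040020
            Time Generated: 03/13/2011   18:30:12
            Event String:
            The driver detected that the device \Device\Harddisk0\DR0 has its write cache enabled. Data corruption may occur.
         An Error Event occurred.  EventID: 0x000004E6
            Time Generated: 03/13/2011   18:31:10
            Event String: Chassis intrusion detected
         An Error Event occurred.  EventID: 0xC0001B72
            Time Generated: 03/13/2011   18:31:51
            Event String:
            The following boot-start or system-start driver(s) failed to load:
         ......................... SERVER2008 failed test SystemLog
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
"""

RESULT = re.compile(r"^\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s*(\S*)$")
EVENT = re.compile(r"^An (Warning|Error) Event occurred\.\s+EventID:\s+0x([0-9A-Fa-f]{8})$")


def parse_dcdiag(text):
    """Return results [(target, test, outcome, note)] and a Counter of events."""
    results, events = [], Counter()
    note, in_test, wrapped, ev = [], False, None, None

    def flush():
        nonlocal ev
        if ev:  # identical events are counted once, with a repeat count
            events[(ev["sev"], ev["code"], ev["time"], " ".join(ev["msg"]))] += 1
        ev = None

    for line in filter(None, map(str.strip, text.splitlines())):
        if wrapped:  # test name wrapped onto the line after "passed test"
            results.append((wrapped[0], line, wrapped[1], wrapped[2]))
            wrapped = None
        elif line.startswith("Starting test:"):
            note, in_test = [], True
        elif m := RESULT.match(line):
            flush()
            target, outcome, test = m.groups()
            if test:
                results.append((target, test, outcome, " ".join(note)))
            else:
                wrapped = (target, outcome, " ".join(note))
            in_test = False
        elif m := EVENT.match(line):
            flush()
            # Low 16 bits: ID shown in Event Viewer; high bits: severity/facility.
            ev = {"sev": m[1], "code": int(m[2], 16) & 0xFFFF, "time": "", "msg": []}
        elif ev is not None:
            if line.startswith("Time Generated:"):
                ev["time"] = " ".join(line.split()[2:])
            else:  # message text; "Event String:" may share the line
                msg = re.sub(r"^Event String:", "", line).strip()
                ev["msg"] += [msg] if msg else []
        elif in_test:  # free text printed by a test before its verdict
            note.append(line)
    flush()
    return results, events


def triage(text):
    """Summarise what deserves a second look in a dcdiag run."""
    results, events = parse_dcdiag(text)
    return {
        "failed": [(t, n) for t, n, o, _ in results if o == "failed"],
        "passed_with_note": [n for _, n, o, note in results if o == "passed" and note],
        "error_ids": sorted({k[1] for k in events if k[0] == "Error"}),
        "repeated": {k[1]: c for k, c in events.items() if c > 1},
    }

print(triage(SAMPLE))
```

On the sample this reports SystemLog as failed, FrsEvent as passed but carrying a SYSVOL warning, Error events 1254 and 7026, and event 32 logged twice.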
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35124304
Disable your AV then try
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 35124310
0
 

Author Comment

by:1Dingodog
ID: 35124375
What pushed you to suspect the AV? But that seemed to be the issue. I was able to edit 2 policies and save them. I will accept this as the solution and keep my fingers crossed.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 35124410
Common issue
0
 

Author Comment

by:1Dingodog
ID: 35124418
Thanks for the help.
0
