Solved

Copying files with Group Policy Preferences fails - Event ID 4098

Posted on 2011-09-22
Last Modified: 2012-05-12
I have set up a file copying Group Policy Preferences item to copy a file from a network share to the user's AppData folder.  So, we have...

target:           \\server\share\folder\MSO2057.acl
destination:   %APPDATA%\Microsoft\Office\MSO2057.acl

The file is not copied, and an Event ID 4098 (Source - Group Policy Files) is logged.  It gives a description of...

The user 'MSO2057.acl' preference item in the 'Gosodiadau Proffil {4763B80B-64AB-4D05-98DB-0454B5500FF6}' Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

The permissions are fine on both source and destination.

One thing to note is that AppData has been redirected to the user's home share.


I have tried changing the target location to a real one, i.e. a folder on the local C-drive, and it copies OK - I'm guessing it's a variables issue.

Do you know how I get around this?


I've noticed this question...  http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24470914.html

but I cannot change it to a Computer Policy because it puts things in the user's profile.

By the way, the client PCs here are Windows Server 2008 R2

Thanks.
0
Question by:meirionwyllt
13 Comments
 
LVL 66

Expert Comment

by:johnb6767
ID: 36581386
Same with c:\users\%USERNAME%\Desktop or %userprofile%\Desktop

Just curious if it is really a Variables issue, or if it doesn't like the Network destination.....

Could look at Process Monitor Boot logging to see where the denial is, once the log is compiled.....

How To Enable System Boot Time Logging using Process Monitor Tool
http://www.msigeek.com/6231/how-to-enable-system-boot-time-logging-using-process-monitor-tool

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36581389
And once you reboot, it will ask to compile the logs, and once you see it completed, use the Search at the top and look for "denied".......
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36581408
Userenv.log for Windows Vista/2008/Win7
http://blogs.technet.com/b/mempson/archive/2010/01/10/userenvlog-for-windows-vista-2008-win7.aspx

Also might be of assistance.....
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36581544
Can you try giving the EVERYONE group full control over \\server\share\folder

Don't forget that you need to set BOTH SHARE PERMISSIONS AND NTFS PERMISSIONS
0
 

Author Comment

by:meirionwyllt
ID: 36585700
johnb6767 - I've been trying your suggestion, and having the file copied to a local folder (but still using variables) works!  (i.e. copying to C:\TG\%username%\MSO2057.acl)

I've then tried copying the file from a location without variables, and it still doesn't work.  So I'm satisfied from these two things that my problem is unrelated to variables.

Neilsr - I checked the share permissions, and Everyone already had full control.  So, then on the NTFS permissions I've given Everyone Full Control.  And, unfortunately it still gives the same error.
0
 

Author Comment

by:meirionwyllt
ID: 36585858
As an aside to this question, I want to ensure that folder redirection actually occurs before the file copying when the user is logging in.  I've been reading about Group Policy Link Order and Precedence.  Could you please clarify something for me, here...

http://technet.microsoft.com/en-us/library/cc785665(WS.10).aspx

In the section 'Order of processing settings', the paragraphs Site, Domain and OU end in "The GPO with the lowest link order is processed last, and therefore has the highest precedence".  Now, this could be interpreted two very different ways.  When it says "lowest link order", does it mean the lowest number (i.e. 1 would be the lowest), or does it mean the lowest physically when you look at them on a screen (i.e. I have 5 GPOs in this OU, so in this case, 5 would be the lowest)

Could you please shed some light on this for me please.  So, if you want one particular GPO to run first (chronologically), do I need to give it a link order of 1 or 5?

Thanks.
0

 
LVL 37

Expert Comment

by:Neil Russell
ID: 36585870
Make your copy policy top of the list. Number one
0
 

Author Comment

by:meirionwyllt
ID: 36586011
Right, I'm getting somewhere now.  I gave Everyone Full Control to the destination folder, rather than the target, and it worked.  I can't leave it like this, so I'll have to try to find the lowest level of rights possible to make it work.  I've reduced it to Everyone - Modify, and it still works.

Do you know which user I need to give Modify permissions to make this work?  I thought SYSTEM, but this already has Full Control on the folder.  The user whose home share it is already has Modify permissions.  Do you know which user the Group Policy file copying uses to do this?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36590093
SYSTEM doesn't have access to network resources. GPO is processed under Winlogon.exe, which is the SYSTEM account....

0
 

Author Comment

by:meirionwyllt
ID: 36890661
Sorry I was away for a few days...

I don't quite understand what you mean here.  If the Group Policy Preferences is run under SYSTEM, which you say doesn't have access to the network, then how is GPP able to copy any files from the network to the local PC?

Do you have any ideas which account is it that I need to grant Modify access to the local destination folder?
0
 

Accepted Solution

by:meirionwyllt
ID: 36902650
I've found the answer to this elsewhere.  It told me to go into the properties of the file copying item itself, go to the Common tab, and tick the box for "Run in logged-on user's security context (user policy option)".  It works then.
0
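The Common-tab setting from the accepted solution can be checked across policies without opening each item, which also avoids the Everyone - Modify workaround tried earlier in the thread. The following is an added example, not part of the original thread: the function name `Get-GppFileItemContext` is hypothetical, the attribute names (`userContext`, `fromPath`, `targetPath`) are assumed from the Group Policy Preferences `Files.xml` format, and the sample XML is constructed from the paths in the question.

```powershell
# Added example: flag GPP file-copy items that do NOT run in the logged-on user's context
# while writing to a per-user or network destination (the Event ID 4098 / 0x80070005 case).
# Assumption: the Common-tab checkbox is stored as userContext="1" on each <File> element.
function Get-GppFileItemContext {
    param(
        [Parameter(Mandatory)] [xml] $FilesXml,      # parsed content of a Files.xml
        [string] $Source = '(inline sample)'         # where the XML came from, for reporting
    )
    foreach ($item in $FilesXml.SelectNodes('//File')) {
        $props = $item.SelectSingleNode('Properties')
        if (-not $props) { continue }                # skip malformed items with no Properties
        $target  = $props.GetAttribute('targetPath')
        $userCtx = $item.GetAttribute('userContext') -eq '1'   # missing attribute => ''
        # UNC paths and per-user variables are the destinations where the default context is denied.
        $perUser = $target -match '^\\\\' -or
                   $target -match '%(APPDATA|USERPROFILE|HOMESHARE|USERNAME)%'
        [pscustomobject]@{
            Source      = $Source
            Name        = $item.GetAttribute('name')
            From        = $props.GetAttribute('fromPath')
            Target      = $target
            UserContext = $userCtx
            NeedsReview = ($perUser -and -not $userCtx)
        }
    }
}

# Constructed sample (trimmed; real files carry clsid/uid/changed attributes as well).
$sample = [xml]@'
<Files>
  <File name="MSO2057.acl">
    <Properties action="U" fromPath="\\server\share\folder\MSO2057.acl"
                targetPath="%APPDATA%\Microsoft\Office\MSO2057.acl"/>
  </File>
  <File name="MSO2057.acl (user context)" userContext="1">
    <Properties action="U" fromPath="\\server\share\folder\MSO2057.acl"
                targetPath="%APPDATA%\Microsoft\Office\MSO2057.acl"/>
  </File>
</Files>
'@
Get-GppFileItemContext -FilesXml $sample | Format-Table Name, UserContext, NeedsReview

# Against live policy (assumed SYSVOL layout; replace <domain> with your own):
# Get-ChildItem "\\<domain>\SYSVOL\<domain>\Policies\*\User\Preferences\Files\Files.xml" |
#   ForEach-Object { Get-GppFileItemContext ([xml](Get-Content $_.FullName -Raw)) $_.FullName }
```

On the constructed sample the first item is reported with `NeedsReview` true and the second with `NeedsReview` false.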
 
LVL 66

Expert Comment

by:johnb6767
ID: 36907738
Sorry for the delay, was on a hunting trip this weekend.... I'm glad you found the answer....

Go ahead and accept http:#36902650 as the solution, so this can be stored in the PAQ database. It will accept your own solution, without awarding points....
0
 

Author Closing Comment

by:meirionwyllt
ID: 37013595
I found the answer myself from another website
0
