Solved

Copying files with Group Policy Preferences fails - Event ID 4098

Posted on 2011-09-22
Last Modified: 2012-05-12
I have set up a file copying Group Policy Preferences item to copy a file from a network share to the user's AppData folder.  So, we have...

target:           \\server\share\folder\MSO2057.acl
destination:   %APPDATA%\Microsoft\Office\MSO2057.acl

The file is not copied, and an Event ID 4098 (Source - Group Policy Files) is logged.  It gives a description of...

The user 'MSO2057.acl' preference item in the 'Gosodiadau Proffil {4763B80B-64AB-4D05-98DB-0454B5500FF6}' Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

The permissions are fine on both source and destination.

One thing to note is that AppData has been redirected to the user's home share.


I have tried changing the target location to a real one, i.e. a folder on the local C-drive, and it copies OK - I'm guessing it's a variables issue.

Do you know how I get around this?


I've noticed this question...  http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24470914.html

but I cannot change it to a Computer Policy because it puts things in the user's profile.

By the way, the client PCs here are Windows Server 2008 R2

Thanks.
Question by:meirionwyllt
13 Comments
 
LVL 66

Expert Comment

by:johnb6767
ID: 36581386
Same with c:\users\%USERNAME%\Desktop or %userprofile%\Desktop

Just curious if it is really a Variables issue, or if it doesn't like the Network destination.....

Could look at Process Monitor Boot logging to see where the denial is, once the log is compiled.....

How To Enable System Boot Time Logging using Process Monitor Tool
http://www.msigeek.com/6231/how-to-enable-system-boot-time-logging-using-process-monitor-tool

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36581389
And once you reboot, it will ask to compile the logs, and once you see it completed, use the Search at the top and look for "denied".......
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36581408
Userenv.log for Windows Vista/2008/Win7
http://blogs.technet.com/b/mempson/archive/2010/01/10/userenvlog-for-windows-vista-2008-win7.aspx

Also might be of assistance.....
0

 
LVL 37

Expert Comment

by:Neil Russell
ID: 36581544
Can you try giving the EVERYONE group full control over \\server\share\folder

Don't forget that you need to set BOTH SHARE PERMISSIONS AND NTFS PERMISSIONS
0
 

Author Comment

by:meirionwyllt
ID: 36585700
johnb6767 - I've been trying your suggestion, and having the file copied to a local folder (but still using variables) works!  (i.e. copying to C:\TG\%username%\MSO2057.acl)

I've then tried copying the file from a location without variables, and it still doesn't work.  So I'm satisfied from these two things that my problem is unrelated to variables.

Neilsr - I checked the share permissions, and Everyone already had full control.  So, then on the NTFS permissions I've given Everyone Full Control.  And, unfortunately it still gives the same error.
0
 

Author Comment

by:meirionwyllt
ID: 36585858
As an aside to this question, I want to ensure that folder redirection actually occurs before the file copying when the user is logging in.  I've been reading about Group Policy Link Order and Precedence.  Could you please clarify something for me, here...

http://technet.microsoft.com/en-us/library/cc785665(WS.10).aspx

In the section 'Order of processing settings', the paragraphs Site, Domain and OU end in "The GPO with the lowest link order is processed last, and therefore has the highest precedence".  Now, this could be interpreted two very different ways.  When it says "lowest link order", does it mean the lowest number (i.e. 1 would be the lowest), or does it mean the lowest physically when you look at them on a screen (i.e. I have 5 GPOs in this OU, so in this case, 5 would be the lowest)

Could you please shed some light on this for me please.  So, if you want one particular GPO to run first (chronologically), do I need to give it a link order of 1 or 5?

Thanks.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36585870
Make your copy policy top of the list. Number one
0
 

Author Comment

by:meirionwyllt
ID: 36586011
Right, I'm getting somewhere now.  I gave Everyone Full Control to the destination folder, rather than the target, and it worked.  I can't leave it like this, so I'll have to try to find the lowest level of rights possible to make it work.  I've reduced it to Everyone - Modify, and it still works.

Do you know which user do I need to give Modify permissions to make this work?  I thought SYSTEM, but this already has Full Control on the folder.  The user whose home share it is, already has Modify permissions.  Do you know which user does the Group Policy file copying use to do this?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36590093
SYSTEM doesn't have access to network resources. GPO is processed under Winlogon.exe, which is the SYSTEM account....

0
 

Author Comment

by:meirionwyllt
ID: 36890661
Sorry I was away for a few days...

I don't quite understand what you mean here.  If the Group Policy Preferences is run under SYSTEM, which you say doesn't have access to the network, then how is GPP able to copy any files from the network to the local PC?

Do you have any ideas which account is it that I need to grant Modify access to the local destination folder?
0
 

Accepted Solution

by:
meirionwyllt earned 0 total points
ID: 36902650
I've found the answer to this elsewhere.  It told me to go into the properties of the file copying item itself, go to the Common tab, and tick the box for "Run in logged-on user's security context (user policy option)".  It works then.
0
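
An added example, not part of the original thread: a read-only PowerShell check that lists user-side GPP Files items copying into a profile path without the "Run in logged-on user's security context" option, so the fix is the Common-tab setting rather than Everyone permissions on the destination. The function name is hypothetical, the XML is constructed sample data, and the attribute names (`userContext`, `fromPath`, `targetPath`) are assumed from the Files.xml layout.

```powershell
# Added example. Flags GPP Files items that copy into the user's profile
# without "Run in logged-on user's security context" (assumed: userContext="1").
function Find-GppFileItemOutsideUserContext {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [xml] $FilesXml,
        [string] $Source = '(constructed sample)'
    )
    # Profile variables from this thread; with a redirected profile these
    # paths resolve to a share where the default context may be denied.
    $profileVars = '%APPDATA%|%USERPROFILE%'

    foreach ($item in $FilesXml.SelectNodes('//File')) {
        $props = $item.SelectSingleNode('Properties')
        if ($null -eq $props) { continue }
        $userContext = $item.GetAttribute('userContext') -eq '1'
        $target      = $props.GetAttribute('targetPath')
        [pscustomobject]@{
            Source      = $Source
            Name        = $item.GetAttribute('name')
            FromPath    = $props.GetAttribute('fromPath')
            TargetPath  = $target
            UserContext = $userContext
            NeedsReview = (-not $userContext) -and ($target -match $profileVars)
        }
    }
}

# Constructed, trimmed Files.xml: item 1 mirrors the question, item 2 has the
# Common-tab option ticked, item 3 is the local-folder test from the thread.
[xml] $sample = @'
<Files>
  <File name="MSO2057.acl">
    <Properties action="U" fromPath="\\server\share\folder\MSO2057.acl"
                targetPath="%APPDATA%\Microsoft\Office\MSO2057.acl"/>
  </File>
  <File name="MSO2057.acl (user context)" userContext="1">
    <Properties action="U" fromPath="\\server\share\folder\MSO2057.acl"
                targetPath="%APPDATA%\Microsoft\Office\MSO2057.acl"/>
  </File>
  <File name="MSO2057.acl (local test)">
    <Properties action="U" fromPath="\\server\share\folder\MSO2057.acl"
                targetPath="C:\TG\%username%\MSO2057.acl"/>
  </File>
</Files>
'@

Find-GppFileItemOutsideUserContext -FilesXml $sample |
    Format-Table Name, UserContext, NeedsReview, TargetPath -AutoSize
```

Only the first sample item is reported with NeedsReview set to True. To check a real GPO, load its `User\Preferences\Files\Files.xml` from SYSVOL with `[xml](Get-Content <path>)` and pass it as `-FilesXml`.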
 
LVL 66

Expert Comment

by:johnb6767
ID: 36907738
Sorry for the delay, was on a hunting trip this weekend.... I'm glad you found the answer....

Go ahead and accept http:#36902650 as the solution, so this can be stored in the PAQ database. It will accept your own solution, without awarding points....
0
 

Author Closing Comment

by:meirionwyllt
ID: 37013595
I found the answer myself from another website
0


Question has a verified solution.
