Solved

Copying files with Group Policy Preferences fails - Event ID 4098

Posted on 2011-09-22
Last Modified: 2012-05-12
I have set up a file copying Group Policy Preferences item to copy a file from a network share to the user's AppData folder.  So, we have...

target:           \\server\share\folder\MSO2057.acl
destination:   %APPDATA%\Microsoft\Office\MSO2057.acl

The file is not copied, and an Event ID 4098 (Source - Group Policy Files) is logged.  It gives a description of...

The user 'MSO2057.acl' preference item in the 'Gosodiadau Proffil {4763B80B-64AB-4D05-98DB-0454B5500FF6}' Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

The permissions are fine on both source and destination.

One thing to note is that AppData has been redirected to the user's home share.


I have tried changing the target location to a real one, i.e. a folder on the local C-drive, and it copies OK - I'm guessing it's a variables issue.

Do you know how I get around this?


I've noticed this question...  http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24470914.html

but I cannot change it to a Computer Policy because it puts things in the user's profile.

By the way, the client PCs here are Windows Server 2008 R2

Thanks.
Question by:meirionwyllt
13 Comments
 
LVL 66

Expert Comment

by:johnb6767
ID: 36581386
Same with c:\users\%USERNAME%\Desktop or %userprofile%\Desktop

Just curious if it is really a Variables issue, or if it doesn't like the Network destination.....

Could look at Process Monitor Boot logging to see where the denial is, once the log is compiled.....

How To Enable System Boot Time Logging using Process Monitor Tool
http://www.msigeek.com/6231/how-to-enable-system-boot-time-logging-using-process-monitor-tool

0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36581389
And once you reboot, it will ask to compile the logs, and once you see it completed, use the Search at the top and look for "denied".......
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36581408
Userenv.log for Windows Vista/2008/Win7
http://blogs.technet.com/b/mempson/archive/2010/01/10/userenvlog-for-windows-vista-2008-win7.aspx

Also might be of assistance.....
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36581544
Can you try giving the EVERYONE group full control over \\server\share\folder

Don't forget that you need to set BOTH SHARE PERMISSIONS AND NTFS PERMISSIONS
0
 

Author Comment

by:meirionwyllt
ID: 36585700
johnb6767 - I've been trying your suggestion, and having the file copied to a local folder (but still using variables) works!  (i.e. copying to C:\TG\%username%\MSO2057.acl)

I've then tried copying the file from a location without variables, and it still doesn't work.  So I'm satisfied from these two things that my problem is unrelated to variables.

Neilsr - I checked the share permissions, and Everyone already had full control.  So, then on the NTFS permissions I've given Everyone Full Control.  And, unfortunately it still gives the same error.
0
 

Author Comment

by:meirionwyllt
ID: 36585858
As an aside to this question, I want to ensure that folder redirection actually occurs before the file copying when the user is logging in.  I've been reading about Group Policy Link Order and Precedence.  Could you please clarify something for me, here...

http://technet.microsoft.com/en-us/library/cc785665(WS.10).aspx

In the section 'Order of processing settings', the paragraphs Site, Domain and OU end in "The GPO with the lowest link order is processed last, and therefore has the highest precedence".  Now, this could be interpreted two very different ways.  When it says "lowest link order", does it mean the lowest number (i.e. 1 would be the lowest), or does it mean the lowest physically when you look at them on a screen (i.e. I have 5 GPOs in this OU, so in this case, 5 would be the lowest)

Could you please shed some light on this for me please.  So, if you want one particular GPO to run first (chronologically), do I need to give it a link order of 1 or 5?

Thanks.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36585870
Make your copy policy top of the list. Number one
0
 

Author Comment

by:meirionwyllt
ID: 36586011
Right, I'm getting somewhere now.  I gave Everyone Full Control to the destination folder, rather than the target, and it worked.  I can't leave it like this, so I'll have to try to find the lowest level of rights possible to make it work.  I've reduced it to Everyone - Modify, and it still works.

Do you know which user I need to give Modify permissions to make this work?  I thought SYSTEM, but this already has Full Control on the folder.  The user whose home share it is already has Modify permissions.  Do you know which user the Group Policy file copying uses to do this?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 36590093
SYSTEM doesn't have access to network resources. GPO is processed under Winlogon.exe, which is the SYSTEM account....

0
 

Author Comment

by:meirionwyllt
ID: 36890661
Sorry I was away for a few days...

I don't quite understand what you mean here.  If the Group Policy Preferences is run under SYSTEM, which you say doesn't have access to the network, then how is GPP able to copy any files from the network to the local PC?

Do you have any ideas which account is it that I need to grant Modify access to the local destination folder?
0
 

Accepted Solution

by:
meirionwyllt earned 0 total points
ID: 36902650
I've found the answer to this elsewhere.  It told me to go into the properties of the file copying item itself, go to the Common tab, and tick the box for "Run in logged-on user's security context (user policy option)".  It works then.
0
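
The checkbox from the accepted solution is stored as the `userContext` attribute on each `File` item in the GPO's `User\Preferences\Files\Files.xml`, so it can be checked for every item at once instead of opening each Common tab. This is an added PowerShell example, not part of the original thread: the XML is a constructed sample trimmed to the relevant attributes (paths taken from the question), and the function name `Get-GppFileItemContext` and its per-user path heuristic are assumptions made for illustration.

```powershell
# Constructed sample of a GPO's User\Preferences\Files\Files.xml, trimmed to the
# attributes that matter here. A real file lives under the GPO's folder in SYSVOL.
$filesXml = [xml]@'
<Files>
  <File name="MSO2057.acl" userContext="0" bypassErrors="1">
    <Properties action="C" fromPath="\\server\share\folder\MSO2057.acl"
                targetPath="%APPDATA%\Microsoft\Office\MSO2057.acl" />
  </File>
  <File name="MSO2057-local.acl" bypassErrors="1">
    <Properties action="C" fromPath="\\server\share\folder\MSO2057.acl"
                targetPath="C:\TG\%username%\MSO2057.acl" />
  </File>
  <File name="MSO2057-fixed.acl" userContext="1" bypassErrors="1">
    <Properties action="C" fromPath="\\server\share\folder\MSO2057.acl"
                targetPath="%APPDATA%\Microsoft\Office\MSO2057.acl" />
  </File>
</Files>
'@

function Get-GppFileItemContext {
    # Hypothetical helper: reports which security context each File item runs in.
    param([Parameter(Mandatory)][xml]$Xml)

    # Heuristic (assumption): a destination that is a UNC path or starts with a
    # per-user variable may resolve to a redirected folder on a share where only
    # the user, not the SYSTEM context, has been granted write access.
    $perUser = '^(\\\\|%(APPDATA|LOCALAPPDATA|USERPROFILE|HOMESHARE)%)'

    foreach ($item in $Xml.SelectNodes('//File')) {
        $props  = $item.SelectSingleNode('Properties')
        $target = $props.GetAttribute('targetPath')
        # A missing attribute or userContext="0" means the default SYSTEM context.
        $asUser = $item.GetAttribute('userContext') -eq '1'

        [pscustomobject]@{
            Name        = $item.GetAttribute('name')
            TargetPath  = $target
            RunsAs      = if ($asUser) { 'logged-on user' } else { 'SYSTEM' }
            NeedsReview = (-not $asUser) -and ($target -match $perUser)
        }
    }
}

Get-GppFileItemContext -Xml $filesXml | Format-Table -AutoSize
```

Only the first item is flagged for review: it copies into `%APPDATA%` without running as the logged-on user, which is the configuration that produced the 0x80070005 error in the question.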
 
LVL 66

Expert Comment

by:johnb6767
ID: 36907738
Sorry for the delay, was on a hunting trip this weekend.... I'm glad you found the answer....

Go ahead and accept http:#36902650 as the solution, so this can be stored in the PAQ database. It will accept your own solution, without awarding points....
0
 

Author Closing Comment

by:meirionwyllt
ID: 37013595
I found the answer myself from another website
0
