• Status: Solved

Copying files with Group Policy Preferences fails - Event ID 4098

I have set up a file copying Group Policy Preferences item to copy a file from a network share to the user's AppData folder.  So, we have...

target:           \\server\share\folder\MSO2057.acl
destination:   %APPDATA%\Microsoft\Office\MSO2057.acl

The file is not copied, and an Event ID 4098 (Source - Group Policy Files) is logged.  It gives a description of...

The user 'MSO2057.acl' preference item in the 'Gosodiadau Proffil {4763B80B-64AB-4D05-98DB-0454B5500FF6}' Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.

The permissions are fine on both source and destination.

One thing to note is that AppData has been redirected to the user's home share.


I have tried changing the target location to a real one, i.e. a folder on the local C-drive, and it copies OK - I'm guessing it's a variables issue.

Do you know how I get around this?


I've noticed this question...  http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24470914.html

but I cannot change it to a Computer Policy because it puts things in the user's profile.

By the way, the client PCs here are Windows Server 2008 R2

Thanks.
Asked by: meirionwyllt

johnb6767 Commented:
Same with c:\users\%USERNAME%\Desktop or %userprofile%\Desktop

Just curious if it is really a Variables issue, or if it doesn't like the Network destination.....

Could look at Process Monitor Boot logging to see where the denial is, once the log is compiled.....

How To Enable System Boot Time Logging using Process Monitor Tool
http://www.msigeek.com/6231/how-to-enable-system-boot-time-logging-using-process-monitor-tool

johnb6767 Commented:
And once you reboot, it will ask to compile the logs, and once you see it completed, use the Search at the top and look for "denied".......

johnb6767 Commented:
Userenv.log for Windows Vista/2008/Win7
http://blogs.technet.com/b/mempson/archive/2010/01/10/userenvlog-for-windows-vista-2008-win7.aspx

Also might be of assistance.....
 
Neil Russell, Technical Development Lead, Commented:
Can you try giving the EVERYONE group full control over \\server\share\folder

Don't forget that you need to set BOTH SHARE PERMISSIONS AND NTFS PERMISSIONS

meirionwyllt, Senior Desktop Engineer (Author), Commented:
johnb6767 - I've been trying your suggestion, and having the file copied to a local folder (but still using variables) works!  (i.e. copying to C:\TG\%username%\MSO2057.acl)

I've then tried copying the file from a location without variables, and it still doesn't work.  So I'm satisfied from these two things that my problem is unrelated to variables.

Neilsr - I checked the share permissions, and Everyone already had full control.  So, then on the NTFS permissions I've given Everyone Full Control.  And, unfortunately it still gives the same error.

meirionwyllt, Senior Desktop Engineer (Author), Commented:
As an aside to this question, I want to ensure that folder redirection actually occurs before the file copying when the user is logging in.  I've been reading about Group Policy Link Order and Precedence.  Could you please clarify something for me, here...

http://technet.microsoft.com/en-us/library/cc785665(WS.10).aspx

In the section 'Order of processing settings', the paragraphs Site, Domain and OU end in "The GPO with the lowest link order is processed last, and therefore has the highest precedence".  Now, this could be interpreted two very different ways.  When it says "lowest link order", does it mean the lowest number (i.e. 1 would be the lowest), or does it mean the lowest physically when you look at them on a screen (i.e. I have 5 GPOs in this OU, so in this case, 5 would be the lowest)

Could you please shed some light on this for me please.  So, if you want one particular GPO to run first (chronologically), do I need to give it a link order of 1 or 5?

Thanks.

Neil Russell, Technical Development Lead, Commented:
Make your copy policy top of the list. Number one.

meirionwyllt, Senior Desktop Engineer (Author), Commented:
Right, I'm getting somewhere now.  I gave Everyone Full Control to the destination folder, rather than the target, and it worked.  I can't leave it like this, so I'll have to try to find the lowest level of rights possible to make it work.  I've reduced it to Everyone - Modify, and it still works.

Do you know which user I need to give Modify permissions to make this work?  I thought SYSTEM, but this already has Full Control on the folder.  The user whose home share it is already has Modify permissions.  Do you know which user the Group Policy file copying uses to do this?

johnb6767 Commented:
SYSTEM doesn't have access to network resources. GPO is processed under Winlogon.exe, which is the SYSTEM account....

meirionwyllt, Senior Desktop Engineer (Author), Commented:
Sorry I was away for a few days...

I don't quite understand what you mean here.  If the Group Policy Preferences is run under SYSTEM, which you say doesn't have access to the network, then how is GPP able to copy any files from the network to the local PC?

Do you have any ideas which account is it that I need to grant Modify access to the local destination folder?

meirionwyllt, Senior Desktop Engineer (Author), Commented:
I've found the answer to this elsewhere.  It told me to go into the properties of the file copying item itself, go to the Common tab, and tick the box for "Run in logged-on user's security context (user policy option)".  It works then.
1
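
The fix above is a per-item setting, so other Files items in the same or other GPOs can still be running as SYSTEM (the default for user preference items) and failing quietly. The following is an added example, not part of the original thread or any Microsoft code: it reads a GPO's Files.xml and lists items that write to a per-user or network destination without the logged-on-user option. The function name is hypothetical, the sample XML is constructed, and the `userContext` / `bypassErrors` attribute names are assumed to be how the Common tab options are stored.

```powershell
# Added example, not from the thread. Flags user-side GPP Files items that
# write to per-user or network paths while still running as SYSTEM.
# $SampleXml is constructed; the all-zero GUIDs are placeholders.
$SampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Files clsid="{00000000-0000-0000-0000-000000000001}">
  <File clsid="{00000000-0000-0000-0000-000000000002}" name="MSO2057.acl" bypassErrors="1">
    <Properties action="U" fromPath="\\server\share\folder\MSO2057.acl"
                targetPath="%APPDATA%\Microsoft\Office\MSO2057.acl"/>
  </File>
  <File clsid="{00000000-0000-0000-0000-000000000002}" name="Fixed.acl" userContext="1" bypassErrors="1">
    <Properties action="U" fromPath="\\server\share\folder\MSO2057.acl"
                targetPath="%APPDATA%\Microsoft\Office\Fixed.acl"/>
  </File>
</Files>
'@

function Test-GppFileContext {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][xml]$FilesXml,
        [string]$Source = '(constructed sample)'
    )
    foreach ($item in $FilesXml.SelectNodes('//File')) {
        $props = $item.SelectSingleNode('Properties')
        if (-not $props) { continue }
        $target = $props.GetAttribute('targetPath')
        # Assumption: the Common-tab checkbox is stored as userContext="1".
        $asUser = $item.GetAttribute('userContext') -eq '1'
        # Destinations resolved per user or on the network, like the
        # redirected AppData folder in the thread.
        $perUser = $target -match '%(APPDATA|LOCALAPPDATA|USERPROFILE|HOMESHARE)%|^\\\\'
        [pscustomobject]@{
            Source           = $Source
            Item             = $item.GetAttribute('name')
            TargetPath       = $target
            RunsAs           = if ($asUser) { 'logged-on user' } else { 'SYSTEM' }
            ErrorsSuppressed = $item.GetAttribute('bypassErrors') -eq '1'
            NeedsReview      = $perUser -and -not $asUser
        }
    }
}

Test-GppFileContext -FilesXml $SampleXml | Format-List

# Real GPOs (example.local is a placeholder domain):
# Get-ChildItem '\\example.local\SYSVOL\example.local\Policies\*\User\Preferences\Files\Files.xml' |
#   ForEach-Object { Test-GppFileContext ([xml](Get-Content $_.FullName -Raw)) $_.FullName }
```

Items reported with `NeedsReview` set are candidates for the Common tab option rather than for widening the ACL on the destination folder.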
 
johnb6767 Commented:
Sorry for the delay, was on a hunting trip this weekend.... I'm glad you found the answer....

Go ahead and accept http:#36902650 as the solution, so this can be stored in the PAQ database. It will accept your own solution, without awarding points....

meirionwyllt, Senior Desktop Engineer (Author), Commented:
I found the answer myself from another website

Question has a verified solution.