Re: Group Policy access denied
From: Chad A Gross [SBS-MVP] in Seattle until 4/8 (chad.gross_at_laytonflower.nospam.com)
Date: 04/01/04
Date: Thu, 1 Apr 2004 11:44:43 -0600
Hi John -
Check out Eventid.net:
Source: Userenv
Type: Error
Description: Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=<domain name>,DC=com. The file must be present at the location <\\manlytrash.com\sysvol\<domain name>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (<error description>.). Group Policy processing aborted.
Things to understand: What is the Group Policy?
Comments:
Ionut Marin (Last update 2/26/2004):
From a newsgroup post: "My client's server was a dual-homed SBS2000
server. The external preferred DNS entry was set to the internal LAN IP.
Un-checking the "register this connection with DNS" setting in the external
interface did not work (probably because this was a domain controller). This
caused the external interface to get registered in DNS, which was being
passed down to the clients. To fix this problem I've set the external
interface to an external DNS server".
From a newsgroup post: "I have begun to receive this error in the
event log every 5 minutes. This error message occurred on the only domain
controller in the domain. I verified that I could access the SYSVOL folder
containing the policies. Whenever I opened Active Directory users and
computers, right click on the domain name and click properties, and then
click on the group policy tab, an error popped up saying "no domain
controllers exist on the network". My mistake was that I had done several
password changes without authenticating. I rebuilt the DC and was very
careful with the password until I could build a new EA/SA/DomainAdmin
account. Since then, I've not had any problems". See Q260930 for information
related to this post.
From a newsgroup post: "If your Windows XP computer is a domain
member, and the Distributed File System (DFS) client is turned off
(disabled), this behavior will occur, because the SYSVOL share requires the
DFS client to make a connection. To fix the problem, enable the DFS client:
1. Use the Registry Editor to navigate to:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup
2. Edit or add Value Name DisableDFS, a REG_DWORD data type. A data
   value of 0 means that the client is turned on. A data value of 1 disables
   the client.
3. Press OK and exit the Registry Editor.
4. Verify that File and Printer Sharing for Microsoft Networks is
   enabled on the interface:
   A. Start / Network Connections.
   B. Right-click the appropriate connection and press Properties.
   C. On the General tab, make sure that File and Printer Sharing
      for Microsoft Networks is checked.
   D. Press OK".
From a newsgroup post: "Here is what you should do to get rid of this
error and of Event ID 1058 on Windows Server 2003. Edit the hosts file on
each domain controller. Put in the IP address for your domain controller
(the local IP address should be first in the list), and then next to the IP
address do not put the host name, but put the name of the domain. Then list
the IP address for each domain controller in your domain, on the same hosts
file (with the domain name next to it). In other words, your hosts file
should look like this (if you have just two domain controllers):
<IP 1> yourdomainname.com
<IP 2> yourdomainname.com
Where <IP 1> = the IP address of the local domain controller for this
hosts file.
Where <IP 2> = the IP address of your other domain controller.
yourdomainname.com = the name of your domain
The list would be reversed (as far as IP address) on the hosts file on
the other domain controller. Yes, you need a hosts file on each domain
controller".
See also Q250842 which has information about "troubleshooting group
policy application problems".
As per Microsoft: "To work around this issue, you can run the
Dfsutil.exe file. At the command prompt, type "dfsutil /PurgeMupCache", and
then press ENTER". See Q830676 for more details.
Michael Roper (Last update 12/3/2003):
I started receiving this event along with event ID 1030 from source
Userenv, after adding additional IPs to the internal NIC on a dual-homed
2003 server. Even though they seemed to be registered properly, the errors
came every five minutes until I eliminated all but one IP for the internal
NIC.
RShurer (Last update 11/24/2003):
A restart of the DFS service on the Domain Controllers and on the
client has solved the problem.
Scott Truman (Last update 10/1/2003):
I had this problem on a multihomed 2003 server when I removed
"unwanted" bindings and TCP/IP settings (Client for Microsoft Networks,
File and Printer sharing, netbios, etc) and firewalled the external network
interface. Make sure your internal interface with all proper bindings needed
for resolution is the first in the network access order list "Network
Connections > Advanced > Advanced Settings > Adapters and Bindings".
Adrian Grigorof (Last update 8/28/2003):
As per Q810907 (applicable to Windows XP) this may occur in
conjunction with Event id 1030 and it is a confirmed (known) problem with
XP. A hotfix is available.
This event is also reported in many instances of upgrades from Windows
NT or Windows 2000 to Windows 2003 Server.
Some other recommendations in regard to this (from newsgroup posts)
are to verify that:
- DFS service on all DCs is started and set to "Automatic"
- there are no FRS issues - (if there are, troubleshoot those first)
- TCP/IP Netbios Helper service is started and set to "Automatic"
- the "Everyone" has the "bypass traverse checking" user right
on the default domain controller policy
- the antivirus (if installed) is not scanning the sysvol or
subfolders, if so, exclude it
- consider that the error description in event id 1058 ("network path
not found" or "access denied") is caused by different problems and have
different solutions.
Other posts from Microsoft engineer suggest that if a domain
controller is multi-homed (more than 1 network card) they may experience
this problem (note that "network card" could mean a physical or a virtual
one - i.e. VMWare or VPN virtual adapters). The posts also indicate that the
Client for Microsoft Networks and the File and Printer Sharing services have
to be bound to the network adapter.
See also Q307900 on updating Windows 2000 Group Policy for Windows XP.
Reported errors:
Error "Access denied" - For a generic description of such error see
the link to error code 5.
Error "The network path was not found." - See error code 53.
Alexandr A. Bilyk (Last update 5/14/2003):
This can take place if TCP/IP NetBIOS Helper Service is turned off or
set to manual startup.
Alanden (Last update 5/14/2003):
Where the NetBIOS and DFS fixes don't fix the problem, a patch is
available from Microsoft that does fix it. Call PSS - no charge. See Q810907
link below.
Sean Wallbridge
In the past, I was configuring Domain Controllers in a Windows 2000
domain to have the Distributed File System Services stopped and set to
manual until such time as they were needed. This was a recommendation based
on services that could be stopped according to Microsoft from some time ago
to bring machines to an "only what is required" state. We disabled DFS
worldwide with Windows 2000, NT and Win98 clients with no issues incurred by
this.
However, after a while I discovered I was having all sorts of Group
Policy application errors on my Windows XP workstation in my Windows 2000
domain.
Looks like Windows XP speaks quite a bit differently to AD and
wants/needs more information (and expects it from DFS shares -
\\<domain>.<name>). In fact, from my XP machine, I tried connecting to my
domain share (\\<domain>.<name>) and I was told access was denied yet it was
available from Win2k machines (event ids 1030 and 1058). So, if you have
Windows XP clients or just plain aren't worried about someone cranking up
DFS and screwing something up somewhere, plan on leaving DFS enabled again.
Also, while working through this I discovered that besides the already
cool "Resultant Set of Policy" MMC snap-in in Windows XP, there is also a
"GPUPDATE" command in Windows XP which, when used with the /force switch,
will blast computer policy settings to your Windows XP machine immediately.
Joerg Hermanns
I had this problem when I accidentally modified the permissions on the
SYSVOL share, so that the client computers were not able to read the group
policies and scripts that are stored there.
Tom Holland
As per Microsoft: "This behavior may occur if both of the following
conditions are true:
Your Windows XP-based computer is a member of a domain.
-and-
The Microsoft Distributed File System (DFS) client is turned off
(disabled).
NOTE: The \\Active Directory Domain Name\Sysvol share is a special
share that requires the DFS client to make a connection." See Q314494.
--
Chad A. Gross - SBS MVP
SBS ROCKS!
"John Harris" <john@ns-sb.com> wrote in message
news:uPfZVhbFEHA.3096@TK2MSFTNGP11.phx.gbl...
> I have a 2003 SBS and in the event log I get an error 1030 and 1058 access
> denied
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1058
> Date: 11/21/2003
> Time: 12:55:33 PM
> User: NT AUTHORITY\SYSTEM
> Computer: <ComputerName>
> Description: Windows cannot access the file gpt.ini for GPO
> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=lcds,DC=lab
> The file must be present at the location
> \\lcds.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
> (Access is denied) Group Policy processing aborted.
> I have run dfsutil /PurgeMupCache and it ran successfully
>
> I have run netdiag, with no errors.
>
> User can login. but don't get any shares.
>
> When I login as administrator and try to edit group pol I get access
> denied.
>
> Everything was working fine Friday and no changes were made.
>
> Any ideas?
>
> John Harris
>
> john@ns-sb.com
>
>
>
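
The checks recommended in the reply above, collected into one read-only PowerShell script. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later on a domain-joined machine, and the parameter names are illustrative.

```powershell
# Added example: read-only checks for causes of Userenv 1030/1058 named in this thread.
# Parameter names are hypothetical; the default GUID is the one quoted in the event text.
param(
    [string]$Domain  = $env:USERDNSDOMAIN,
    [string]$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
)

$results = @()

# 1. DFS client: DisableDFS under the Mup key must be absent or 0 (1 disables the client).
$mup = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Mup' -ErrorAction SilentlyContinue
$disableDfs = 0
if ($mup -and ($mup.PSObject.Properties.Name -contains 'DisableDFS')) { $disableDfs = $mup.DisableDFS }
$results += [pscustomobject]@{
    Check = 'DFS client enabled'; Pass = ($disableDfs -eq 0); Detail = "DisableDFS=$disableDfs"
}

# 2. Services the thread says must be started and set to Automatic.
#    LmHosts = TCP/IP NetBIOS Helper; Dfs = DFS service (present on domain controllers).
foreach ($name in 'LmHosts', 'Dfs') {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) {
        $results += [pscustomobject]@{ Check = "Service $name"; Pass = $null; Detail = 'not installed here' }
    } else {
        $ok = ($svc.State -eq 'Running') -and ($svc.StartMode -eq 'Auto')
        $results += [pscustomobject]@{
            Check = "Service $name"; Pass = $ok; Detail = "$($svc.State), start mode $($svc.StartMode)"
        }
    }
}

# 3. Can this machine read gpt.ini through the domain-based SYSVOL path from the event?
$gpt = "\\$Domain\sysvol\$Domain\Policies\$GpoGuid\gpt.ini"
try {
    Get-Content -LiteralPath $gpt -TotalCount 1 -ErrorAction Stop | Out-Null
    $results += [pscustomobject]@{ Check = 'Read gpt.ini'; Pass = $true; Detail = $gpt }
} catch {
    # "Access is denied" and "network path was not found" point to different causes.
    $results += [pscustomobject]@{ Check = 'Read gpt.ini'; Pass = $false; Detail = $_.Exception.Message }
}

$results | Format-Table -AutoSize -Wrap
```

Run it in the context that fails (for computer policy, as SYSTEM on the affected machine), since SYSVOL permissions are evaluated per account.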