Re: Access denied message even with the Administrator user
- From: v-branee@xxxxxxxxxxxxxxxxxxxx ("Brandy Nee [MSFT]")
- Date: Tue, 02 Aug 2005 09:59:41 GMT
Hello Edhy,
Thank you for posting back!
"Access Denied" is a permission issue. So we still need to check whether
you have successfully configured the users and groups for the correct
permissions. Please strictly follow the steps below:
1> Check the permissions settings in ADSI Edit. To do so, please see:
a. On the server, go to Start -> Run, type adsiedit.msc, press OK.
b. Expand to ADSI Edit\Domain [Yourdomain.local]\DC=XXX,DC=XXX\CN=System\CN=Policies.
c. Right click CN=Policies, go to Properties and Security tab.
d. Grant the Administrators and SYSTEM for Full Control, and make sure that
you do not check any boxes of Deny. For the other users and groups, make
sure that you did not check any Deny boxes.
e. Click Advanced button, on the Permissions tab, make sure that
Administrators and SYSTEM have full control.
f. Uncheck the box "Allow inheritable permissions from the ...", and it
will prompt a security window, click Copy.
g. Highlight Administrators, click Edit, and make sure the permission is
applied to "This Object and all child objects". Click OK. Perform the same
step to SYSTEM account.
h. Test the issue again.
2> Just a double check, go to the "Policy" folder and its Subfolders, make
sure that you have configured the Administrators to have the full control
permissions. Also, in ADUC, make sure that you have configured the
Administrators to have the full control permissions for Policy folder and
its subfolders.
3> If the step above does not work, please send your permissions settings
to the Newsgroup. To do so, please see:
Open a command window on the server, type the following scripts and paste
the full content of the output to the Newsgroup:
1. cacls filename > c:\test1.txt
By default, the file is located at the following path, so I assume that
your filename is located at this path as well:
%systemroot%:\WINDOWS\SYSVOL\sysvol\Yourdomain.local\Policies\{05BA6B07-0E07-4649-AEA0-9737E4194070}\GPT.ini.
[Note]: a. You need to replace the %systemroot% with your system drive,
also replace Yourdomain.local with your domain name.
b. Please check and make sure that your file is located at the correct
path. Otherwise, you need to modify the path and then run the script.
2. dsacls CN={05BA6B07-0E07-4649-AEA0-9737E4194070},CN=Policies,CN=System,DC=XXX,DC=XXX > c:\test2.txt
[Note]: DC=XXX,DC=XXX are same as in step 1> b. You need to put exact same
"DC=XXX,DC=XXX" here.
I greatly appreciate your time and cooperation, and am looking forward
to hearing from you!
Best regards,
Brandy Nee
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>From: "Edhy Rijo" <erijo@xxxxxxxxxxxxxxx>
>Subject: Re: Access denied message even with the Administrator user
>Date: Mon, 1 Aug 2005 22:24:37 -0400
>Newsgroups: microsoft.public.windows.server.sbs
>
>Hi Brandy,
>
>I tried your suggestions and the Everyone group had no permission for this
>share folder, I set all to Full Control and still keep getting the Access
>Denied message, I will reboot the server to see if that makes any
>difference.
>
>--
>Edhy Rijo
>www.progytech.com
>Bronx New York
>ProMatrix MVP Life
>
>
>""Brandy Nee [MSFT]"" <v-branee@xxxxxxxxxxxxxxxxxxxx> wrote in message
>news:uVbXHeolFHA.3120@xxxxxxxxxxxxxxxxxxxxxxxx
>> Hello Edhy,
>>
>> Thank you for posting back.
>>
>> From the Filemon file, I noticed the following error message:
>>
>> mmc.exe:5712 2291 2:36:55 PM OPEN ACCESS DENIED
>> \\CT-SERVER1\SysVol\SunTrust-CT.Local\Policies\{05BA6B07-0E07-4649-AEA0-9737E4194070}\GPT.INI SUNTRUST-CT\Administrator
>>
>> So please check your sysvol folder's permission. To do so, please see:
>>
>> 1. On the server, go to %systemroot%\WINDOWS\SYSVOL.
>>
>> 2. Right click the shared folder sysvol. Select Properties.
>>
>> 3. Go to Sharing tab. Click Permissions.
>>
>> 4. The Share Permissions setting is:
>>
>> Administrators: Full Control.
>> Authenticated Users: Full Control.
>> Everyone: Full Control.
>>
>> 5. Reproduce this issue and see whether it works now.
>>
>> I greatly appreciate your time and cooperation, and hope this
>> information helps. If anything is unclear, please feel free to let me
>> know.
>> I am looking forward to hearing from you!
>>
>>
>> Best regards,
>>
>> Brandy Nee
>>
>> Microsoft CSS Online Newsgroup Support
>>
>> Get Secure! - www.microsoft.com/security
>>
>>
>>
>> --------------------
>>>From: "Edhy Rijo" <erijo@xxxxxxxxxxxxxxx>
>>>Subject: Re: Access denied message even with the Administrator user
>>>Date: Fri, 29 Jul 2005 09:25:23 -0400
>>>
>>>Hi Brandy,
>>>
>>>Please, download the log files from here:
>>>
>>>http://www.progytech.com/test/FileAndRegMonitorLogsForEdhyRijo.zip
>>>
>>>I rebooted the server, verified the last steps below and have still not
>>>been able to add a GPO.
>>>
>>>Thanks!
>>>
>>>--
>>>Edhy Rijo
>>>www.progytech.com
>>>Bronx NY
>>>
>>>
>>>""Brandy Nee [MSFT]"" <v-branee@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>>news:LiiUAwClFHA.2700@xxxxxxxxxxxxxxxxxxxxxxxx
>>>> Hello Edhy,
>>>>
>>>> Thank you for posting back!
>>>>
>>>> This is my email address, please send your logs to here.
>>>>
>>>> Also, to be clearer of my suggestions, please see:
>>>>
>>>> 1. %systemroot%\WINDOWS\SYSVOL\sysvol\Yourdomain.local\Policy. Right
>>>> click folder Policy, Security tab. Highlight "CREATOR OWNER", the default
>>>> setting is "Special Permissions". You need to click Advanced, in the
>>>> Permissions tab, highlight "CREATOR OWNER", click Edit button. Please
>>>> check "CREATOR OWNER" is applied onto Subfolders and files only.
>>>> Permissions are Full Control.
>>>>
>>>> 2. Go back to the Permissions tab, uncheck the box "Allow inheritable
>>>> permissions from the ..."
>>>>
>>>> 3. By the way, will this issue occur when you are using Group Policy
>>>> Management?
>>>>
>>>> I greatly appreciate your time and cooperation, and am looking
>>>> forward to hearing from you!
>>>>
>>>> Best regards,
>>>>
>>>> Brandy Nee
>>>>
>>>> Microsoft CSS Online Newsgroup Support
>>>>
>>>> Get Secure! - www.microsoft.com/security
>>>
>>>
>>>
>>>
>>
>
>
>
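
The check described in steps 1> d and 3> of the message above (no Deny entries, Full Control for Administrators and SYSTEM), applied to saved cacls output. This is an added example, not part of the original thread; the path, domain name and ACL lines are constructed, and it assumes the usual cacls layout (path on the first line, one `account:rights` entry per line, `(DENY)` or `N` marking a deny).

```python
import re

# Constructed path and ACL text laid out the way cacls prints a file's ACL;
# none of these values come from the thread.
SAMPLE_PATH = r"C:\WINDOWS\SYSVOL\sysvol\example.local\Policies\{GUID}\GPT.INI"
PAD = " " * (len(SAMPLE_PATH) + 1)
SAMPLE = "\n".join([
    SAMPLE_PATH + r" BUILTIN\Administrators:R",
    PAD + r"NT AUTHORITY\SYSTEM:F",
    PAD + r"NT AUTHORITY\Authenticated Users:R",
    PAD + r"EXAMPLE\Helpdesk:(DENY)(special access:)",
    PAD + "    FILE_WRITE_DATA",
])

# Accounts the message says must hold Full Control.
REQUIRED = (r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM")


def parse_cacls(text, path):
    """Return one dict per ACE: account, rights letter, and whether it denies."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()      # first line carries the path
        who, sep, rest = line.partition(":")
        if not sep or not who:
            continue                              # blank or special-access detail line
        flags = re.findall(r"\(([^)]*)\)", rest)  # e.g. OI, CI, DENY
        perm = re.sub(r"\([^)]*\)", "", rest).strip() or "special"
        deny = "DENY" in flags or perm == "N"
        aces.append({"who": who, "perm": perm, "deny": deny})
    return aces


def audit(text, path):
    """List deviations from the permissions the message asks for."""
    aces = parse_cacls(text, path)
    findings = [f"Deny entry for {a['who']}" for a in aces if a["deny"]]
    for req in REQUIRED:
        ok = any(a["who"].lower() == req.lower() and a["perm"] == "F"
                 and not a["deny"] for a in aces)
        if not ok:
            findings.append(f"{req} lacks Full Control")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, SAMPLE_PATH):
        print(finding)
```
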