Re: Access denied message even with the Administrator user

Hi Brandy,

I don't have adsiedit.msc where can I get it?

--
Edhy Rijo
www.progytech.com
Bronx New York
ProMatrix MVP Life


""Brandy Nee [MSFT]"" <v-branee@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:hf9Wqj0lFHA.944@xxxxxxxxxxxxxxxxxxxxxxxx
> Hello Edhy,
>
> Thank you for posting back!
>
> "Access Denied" is a permission issue. So we still need to check whether
> you have successfully configured the users and groups for the correct
> permissions. Please strictly follow the steps below:
>
> 1> Check the permissions settings in ADSI Edit. To do so, pleas see:
>
> a. On the server, go to Start -> Run, type adsiedit.msc, press OK.
>
> b. Expand to ADSI Edit\Domain
> [Yourdomain.local]\DC=XXX,DC=XXX\CN=System\CN=Policies.
>
> c. Right click CN=Polices, go to Properties and Security tab.
>
> d. Grant the Administrators and SYSTEM for Full Control, and make sure
> that
> you do not check any boxes of Deny. For the other users and groups, make
> sure that you did not check any Deny boxes.
>
> e. Click Advanced button, on the Permissions tab, make sure that
> Administrators and SYSTEM have full control.
>
> f. Uncheck the box "Allow inheritable permissions from the ¡­.", and it
> will prompt a security window, click Copy.
>
> g. Highlight Administrators, click Edit, and make sure the permission is
> applied to "This Object and all child objects". Click OK. Perform the same
> step to SYSTEM account.
>
> h. Test the issue again.
>
> 2> Just a double check, go to the "Policy" folder and its Subfolders, make
> sure that you have configured the Administrators to have the full control
> permissions. Also, in ADUC, make sure that you have configured the
> Administrators to have the full control permissions for Policy folder and
> its subfolders.
>
> 3> If the step above does not work, please send your permissions settings
> to the Newsgroup. To do so, please see:
>
> Open a command window on the server, type the following scripts and paste
> the full content of the output to the Newsgroup:
>
> 1. cacls filename > c:\test1.txt
>
> By default, the file is located at the following path, so I assume that
> your filename is located at this path as well:
> %systemroot%:\WINDOWS\SYSVOL\sysvol\Yourdomain.local\Policies\{05BA6B07-0E07
> -4649-AEA0-9737E4194070}\GTP.ini.
>
> [Note]: a. You need to replace the %systemroot% with your system drive,
> also replace Yourdomain.local with your domain name.
> b. Please check and make sure that your file is located at the correct
> path. Otherwise, you need to modify the path and then run the script.
>
> 2. dsacls
> CN={05BA6B07-0E07-4649-AEA0-9737E4194070},CN=Policies,CN=System,DC=XXX,DC=XX
> X > c:\test2.txt
>
> [Note]: DC=XXX,DC=XXX are same as in step 1> b. You need to put exact same
> "DC=XXX,DC=XXX" here.
>
> I am greatly appreciated your time and cooperation, and am looking forward
> to hearing from you!
>
> Best regards,
>
> Brandy Nee
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check
> the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In
> doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
>
> --------------------
>>From: "Edhy Rijo" <erijo@xxxxxxxxxxxxxxx>
>>References: <eS5nGwhjFHA.3164@xxxxxxxxxxxxxxxxxxxx>
> <qSQT8QpjFHA.3120@xxxxxxxxxxxxxxxxxxxxx>
> <OPiwsawjFHA.320@xxxxxxxxxxxxxxxxxxxx>
> <xqJNZHRkFHA.3472@xxxxxxxxxxxxxxxxxxxxx>
> <uM1qDbVkFHA.3144@xxxxxxxxxxxxxxxxxxxx>
> <9T5lxFckFHA.3472@xxxxxxxxxxxxxxxxxxxxx>
> <eU8YeUfkFHA.3300@xxxxxxxxxxxxxxxxxxxx>
> <1SAwJYqkFHA.588@xxxxxxxxxxxxxxxxxxxxx>
> <OgMl3zukFHA.4024@xxxxxxxxxxxxxxxxxxxx>
> <ib9SEA1kFHA.588@xxxxxxxxxxxxxxxxxxxxx>
> <e5t$PV6kFHA.1948@xxxxxxxxxxxxxxxxxxxx>
> <OhXL4Z6kFHA.3316@xxxxxxxxxxxxxxxxxxxx>
> <LiiUAwClFHA.2700@xxxxxxxxxxxxxxxxxxxxx>
> <OS2m8DElFHA.2904@xxxxxxxxxxxxxxxxxxxx>
> <uVbXHeolFHA.3120@xxxxxxxxxxxxxxxxxxxxx>
>>Subject: Re: Access denied message even with the Administrator user
>>Date: Mon, 1 Aug 2005 22:24:37 -0400
>>Lines: 209
>>X-Priority: 3
>>X-MSMail-Priority: Normal
>>X-Newsreader: Microsoft Outlook Express 6.00.2900.2527
>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
>>X-RFC2646: Format=Flowed; Original
>>Message-ID: <#6crIlwlFHA.1044@xxxxxxxxxxxxxxxxxxxx>
>>Newsgroups: microsoft.public.windows.server.sbs
>>NNTP-Posting-Host: ool-44c7cc04.dyn.optonline.net 68.199.204.4
>>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
>>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:140620
>>X-Tomcat-NG: microsoft.public.windows.server.sbs
>>
>>Hi Brandy,
>>
>>I tried your suggestions and the Everyone group had not permission for
> this
>>share folder, I set all to Full Control and still keep getting the Access
>>Denied message, I will reboot the server to see if that makes any
>>difference.
>>
>>--
>>Edhy Rijo
>>www.progytech.com
>>Bronx New York
>>ProMatrix MVP Life
>>
>>
>>""Brandy Nee [MSFT]"" <v-branee@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>news:uVbXHeolFHA.3120@xxxxxxxxxxxxxxxxxxxxxxxx
>>> Hello Edhy,
>>>
>>> Thank you for posting back.
>>>
>>> From the Filemon file, I noticed the following error message:
>>>
>>> mmc.exe:5712 2291 2:36:55 PM OPEN ACCESS DENIED
>>>
> \\CT-SERVER1\SysVol\SunTrust-CT.Local\Policies\{05BA6B07-0E07-4649-AEA0-9737
>>> E4194070}\GPT.INI SUNTRUST-CT\Administrator
>>>
>>> So please check your sysvol folder's permission, To do so, please see:
>>>
>>> 1. On the server, go to %systomroot%\WINDOWS\SYSVOL.
>>>
>>> 2. Right click the shared folder sysvol. Select Properties.
>>>
>>> 3. Go to Sharing tab. Click Permissions.
>>>
>>> 4. The Share Permissions setting is:
>>>
>>> Administrators: Full Control.
>>> Authenticated Users: Full Control.
>>> Everyone: Full Control.
>>>
>>> 5. Reproduce this issue and see whether it works now.
>>>
>>> I am greatly appreciated your time and cooperation, and hope this
>>> information helps. If anything is unclear, please feel free to let me
>>> know.
>>> I am looking forward to hearing from you!
>>>
>>>
>>> Best regards,
>>>
>>> Brandy Nee
>>>
>>> Microsoft CSS Online Newsgroup Support
>>>
>>> Get Secure! - www.microsoft.com/security
>>> ======================================================
>>> This newsgroup only focuses on SBS technical issues. If you have issues
>>> regarding other Microsoft products, you'd better post in the
> corresponding
>>> newsgroups so that they can be resolved in an efficient and timely
> manner.
>>> You can locate the newsgroup here:
>>> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>>>
>>> When opening a new thread via the web interface, we recommend you check
>>> the
>>> "Notify me of replies" box to receive e-mail notifications when there
>>> are
>>> any updates in your thread. When responding to posts via your
>>> newsreader,
>>> please "Reply to Group" so that others may learn and benefit from your
>>> issue.
>>>
>>> Microsoft engineers can only focus on one issue per thread. Although we
>>> provide other information for your reference, we recommend you post
>>> different incidents in different threads to keep the thread clean. In
>>> doing
>>> so, it will ensure your issues are resolved in a timely manner.
>>>
>>> For urgent issues, you may want to contact Microsoft CSS directly.
>>> Please
>>> check http://support.microsoft.com for regional support phone numbers.
>>>
>>> Any input or comments in this thread are highly appreciated.
>>> ======================================================
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>>
>>>
>>>
>>> --------------------
>>>>From: "Edhy Rijo" <erijo@xxxxxxxxxxxxxxx>
>>>>References: <eS5nGwhjFHA.3164@xxxxxxxxxxxxxxxxxxxx>
>>> <qSQT8QpjFHA.3120@xxxxxxxxxxxxxxxxxxxxx>
>>> <OPiwsawjFHA.320@xxxxxxxxxxxxxxxxxxxx>
>>> <xqJNZHRkFHA.3472@xxxxxxxxxxxxxxxxxxxxx>
>>> <uM1qDbVkFHA.3144@xxxxxxxxxxxxxxxxxxxx>
>>> <9T5lxFckFHA.3472@xxxxxxxxxxxxxxxxxxxxx>
>>> <eU8YeUfkFHA.3300@xxxxxxxxxxxxxxxxxxxx>
>>> <1SAwJYqkFHA.588@xxxxxxxxxxxxxxxxxxxxx>
>>> <OgMl3zukFHA.4024@xxxxxxxxxxxxxxxxxxxx>
>>> <ib9SEA1kFHA.588@xxxxxxxxxxxxxxxxxxxxx>
>>> <e5t$PV6kFHA.1948@xxxxxxxxxxxxxxxxxxxx>
>>> <OhXL4Z6kFHA.3316@xxxxxxxxxxxxxxxxxxxx>
>>> <LiiUAwClFHA.2700@xxxxxxxxxxxxxxxxxxxxx>
>>>>Subject: Re: Access denied message even with the Administrator user
>>>>Date: Fri, 29 Jul 2005 09:25:23 -0400
>>>>Lines: 83
>>>>X-Priority: 3
>>>>X-MSMail-Priority: Normal
>>>>X-Newsreader: Microsoft Outlook Express 6.00.2900.2527
>>>>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
>>>>X-RFC2646: Format=Flowed; Original
>>>>Message-ID: <OS2m8DElFHA.2904@xxxxxxxxxxxxxxxxxxxx>
>>>>Newsgroups: microsoft.public.windows.server.sbs
>>>>NNTP-Posting-Host: ool-44c7cc04.dyn.optonline.net 68.199.204.4
>>>>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
>>>>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:139853
>>>>X-Tomcat-NG: microsoft.public.windows.server.sbs
>>>>
>>>>Hi Brandy,
>>>>
>>>>Please, download the log files from here:
>>>>
>>>>http://www.progytech.com/test/FileAndRegMonitorLogsForEdhyRijo.zip
>>>>
>>>>I reboot the server, verified the last steps below and still not been
> able
>>>>to add a GPO.
>>>>
>>>>Thanks!
>>>>
>>>>--
>>>>Edhy Rijo
>>>>www.progytech.com
>>>>Bronx NY
>>>>
>>>>
>>>>""Brandy Nee [MSFT]"" <v-branee@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>>>news:LiiUAwClFHA.2700@xxxxxxxxxxxxxxxxxxxxxxxx
>>>>> Hello Edhy,
>>>>>
>>>>> Thank you for posting back!
>>>>>
>>>>> This is my email address, please send your logs to here.
>>>>>
>>>>> Also, to be clearer of my suggestions, please see:
>>>>>
>>>>> 1. %systemroot%\WINDOWS\SYSVOL\sysvol\Yourdomain.local\Policy. Right
>>> click
>>>>> folder Policy, Security tab. Highlight ¡°CREATOR OWNER¡±, the default
>>>>> setting is ¡°Special Permissions¡±. You need to click Advanced, in the
>>>>> Permissions tab, highlight ¡°CREATOR OWNER¡±, click Edit button.
>>>>> Please
>>>>> check ¡°CREATOR OWNER¡± is apply onto Subfolders and files only.
>>>>> Permissions are Full Control.
>>>>>
>>>>> 2. Go back to the Permissions tab, uncheck the box ¡°Allow inheritable
>>>>> permissions from the ¡­.¡±
>>>>>
>>>>> 3. By the way, will this issue occur when you using Group Policy
>>>>> Management?
>>>>>
>>>>> I am greatly appreciated your time and cooperation, and am looking
>>> forward
>>>>> to hearing from you!
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Brandy Nee
>>>>>
>>>>> Microsoft CSS Online Newsgroup Support
>>>>>
>>>>> Get Secure! - www.microsoft.com/security
>>>>> ======================================================
>>>>> This newsgroup only focuses on SBS technical issues. If you have
>>>>> issues
>>>>> regarding other Microsoft products, you'd better post in the
>>> corresponding
>>>>> newsgroups so that they can be resolved in an efficient and timely
>>> manner.
>>>>> You can locate the newsgroup here:
>>>>> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>>>>>
>>>>> When opening a new thread via the web interface, we recommend you
>>>>> check
>>>>> the
>>>>> "Notify me of replies" box to receive e-mail notifications when there
>>>>> are
>>>>> any updates in your thread. When responding to posts via your
>>>>> newsreader,
>>>>> please "Reply to Group" so that others may learn and benefit from your
>>>>> issue.
>>>>>
>>>>> Microsoft engineers can only focus on one issue per thread. Although
>>>>> we
>>>>> provide other information for your reference, we recommend you post
>>>>> different incidents in different threads to keep the thread clean. In
>>>>> doing
>>>>> so, it will ensure your issues are resolved in a timely manner.
>>>>>
>>>>> For urgent issues, you may want to contact Microsoft CSS directly.
>>>>> Please
>>>>> check http://support.microsoft.com for regional support phone numbers.
>>>>>
>>>>> Any input or comments in this thread are highly appreciated.
>>>>> ======================================================
>>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>>> rights.
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>


.