RE: Error 1030/1058 in EventViewer + "Access is Denied" trying to edit GPO's

Hello Ryan,

Thank you for posting to the SBS Newsgroup.

I understand that you have error IDs 1030 and 1058 in the Event Viewer and
cannot edit the Group Policy. If I have misunderstood your concern, please
let me know.

"Access Denied" is a permission issue. So we still need to check whether
you have successfully configured the users and groups for the correct
permissions. Please strictly follow the steps below:

1> What is the account you used to log in the server to edit the Group
Policy, is it Administrator account?

2> Check the permissions settings in ADSI Edit. To do so, please see:

a. On the server, go to Start -> Run, type adsiedit.msc, press OK.

b. Expand to ADSI Edit\Domain
[Yourdomain.local]\DC=XXX,DC=XXX\CN=System\CN=Policies.

c. Right click CN=Polices, go to Properties and Security tab.

d. Grant the Administrators and SYSTEM for Full Control, and make sure that
you do not check any Deny boxes. For the other users and groups, make sure
that you did not check any Deny boxes.

e. Click Advanced button, on the Permissions tab, make sure that
Administrators and SYSTEM have full control.

f. Uncheck the box "Allow inheritable permissions from the ¡­.", and it
will prompt a security window, click Copy.

g. Highlight Administrators, click Edit, and make sure the permission is
applied to "This Object and all child objects". Click OK. Perform the same
step to SYSTEM account.

h. Test the issue again.

3> On the server, go to %systemroot%\WINDOWS\SYSVOL\sysvol. Right click
sysvol folder, select Properties, and go to Security tab. Please ensure
that the Administrators and SYSTEM accounts' have Full Control permissions.

Click Advanced, on the Permissions tab, highlight Administrators and SYSTEM
accounts individually, and click Edit, make sure these two accounts have
full control permissions.

[Note]: NO any deny box has being check.

If the issue persists, please help to gather the following information for
further research:

a) How did you edit GPO? I need to know the exact the place where the issue
happened. Does it happen when you browse to Server Management\Advanced
Management\Group Policy Management\Forest\Domains\Yourserver.local\Group
Policy objects? I strongly suggest you that capture a screen shot to the
Newsgroup for us to better understand your issue.

b) On the server, run "eventvwr" (without quotation marks), double click
each of the error events, click the Copy button and paste the full content
to the Newsgroup.

c) Please gather filemon log and send it to my mailbox for us to check
whether there is a file or registry problem. To do so, please see:

i. Download and run Filemon tools.

Filemon for Windows
http://www.sysinternals.com/ntw2k/source/filemon.shtml

[Note]: It will be better for analysis to capture the Filemon and Regmon
logs in Safe Mode with Network.

ii. Start Filemon.

iii. Reproduce the issue.

iv. Stop Filemon and save the log to a file named as Filemon.log.

v. Send it to my mailbox.

I am appreciated your time and cooperation. If anything is unclear, please
feel free to let me know. I am looking forward to hearing from you!


Best regards,

Brandy Nee

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
>From: "Ryan" <mindflux98@xxxxxxxxx>
>Newsgroups: microsoft.public.windows.server.sbs
>Subject: Error 1030/1058 in EventViewer + "Access is Denied" trying to
edit GPO's
>Date: 23 Aug 2005 14:55:20 -0700
>Organization: http://groups.google.com
>Lines: 13
>Message-ID: <1124834120.814978.103310@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
>NNTP-Posting-Host: 69.150.58.75
>Mime-Version: 1.0
>Content-Type: text/plain; charset="iso-8859-1"
>X-Trace: posting.google.com 1124834126 24489 127.0.0.1 (23 Aug 2005
21:55:26 GMT)
>X-Complaints-To: groups-abuse@xxxxxxxxxx
>NNTP-Posting-Date: Tue, 23 Aug 2005 21:55:26 +0000 (UTC)
>User-Agent: G2/0.2
>Complaints-To: groups-abuse@xxxxxxxxxx
>Injection-Info: g14g2000cwa.googlegroups.com; posting-host=69.150.58.75;
> posting-account=7S8eXQ0AAADgx3x7OsjgGdZLfwtguyM5
>Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!newsfeed00.sul.t-online.de!t-onli
ne.de!news.glorb.com!postnews.google.com!g14g2000cwa.googlegroups.com!not-fo
r-mail
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:147133
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
>This server is bone fresh, the only thing that's been done is a new
>share made to share out an access mdb file to the users.
>
>I've never EVER EVER modified a GPO or anything, and I cannot! Upon
>searching for some info on the Access Is Denied error I checked into
>the permissions on sysvol (which is shared).
>
>1030/1058 is a gpt.ini Access Denied error (in relation to my GPO
>editing problem).
>
>Can anyone give me any ideas why a FRESH install of 2k3 SBS is giving
>me GPO errors? One NIC only, so it's not binding order.
>
>

.