Thanks to all for the suggestions. I ended up calling Microsoft to discover that the fdeploy.ini file had been written over and needed to be restored. Also the replication between the DC's was hosed.

Scott

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R
Sent: Friday, March 07, 2008 1:17 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

What about the dcgpofix <http://technet2.microsoft.com/windowsserver/en/library/48872034-1907-4149-b6aa-9788d38209d21033.mspx?mfr=true> tool? This is obviously a last resort, but as long as you can see the current settings and duplicate them in another GPO, you should be able to use it to restore the Default Domain policy back to its initial state.

Jamie Nelson | Systems Engineer | Systems Support, Information Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 | http://www.integrisok.com

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Warner, Scott
Sent: Friday, March 07, 2008 12:17 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

Darren-

The groups have full control access on the file.

Scott

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Friday, March 07, 2008 12:00 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

Scott-

Did you check the permissions on the fdeploy.ini file I mentioned earlier? You should see, at the least, that Domain Admins, Ent. Admins and GPCO have read-write on that file.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Warner, Scott
Sent: Friday, March 07, 2008 9:57 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

Jerry,

I do not see any errors in the FRS log and we are not running McAfee.
I think I am at the point of contacting Microsoft. The log files suggest that there has been an issue with GPOs since at least 2 months before I got here and everything I have tried is not resolving the issue.

Thanks for your suggestions!

Scott

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Cruz, Jerome L
Sent: Friday, March 07, 2008 11:40 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

Hmmm,

Check your FRS logs and see if you are getting an ERROR_SHARING_VIOLATION on that file. Are you using McAfee as anti-virus on your DC? If you are, it may indicate an interaction with a low level driver on your DC.

We recently found out (using the GPOTool utility) that a GPO we had changed wasn't replicating to all DCs. On two DCs (out of eight), one of the content files wouldn't update in SYSVOL. We started the diagnosis process and threw just about every common tool at it we could think of to find out what was locking it open (e.g. PSFile, ProMon, ProcExp, Open Session files, etc.). I even tried to copy a known good copy of the file on top of it manually (NOTE THAT THIS IS NEVER RECOMMENDED). Got an Access denied error.

We opened a case with MS Premier Support and are about to test a resolution. In our situation, it appears to involve a low-level McAfee filter driver interaction (this issue was recently documented by McAfee on their web-site). Because of the low-level interaction, the lock-out doesn't show up in any common utility.

We are currently about to test the following:

Test and implement the NTFS "Install Override" option
http://support.microsoft.com/default.aspx/kb/816493/EN-US/

Also, based upon what we've been told from Microsoft, this change will help with 'stuck' GPT.Ini file updates that many GPO Admins run into (mostly in large companies and on the domain root GPOs where there are 'many' hits that keep these files locked out).
Our DCs currently get 'hit' ~114,000 times a day for either direct or background GPO refreshes (and that's per each domain-level root GPO which has its own GPT.Ini file). FRS has trouble getting access to update the GPT.Ini files because of this.

The FRS option noted above changes the behavior of replication. Instead of being denied access when a SYSVOL file is in "read" or "write" state, the SYSVOL file would only be locked out when in a "read" state.

What we're hoping is that this changed behavior of FRS will release the lock on the content file (GptTmpl.Inf in our case) and then help prevent them in the future. If it doesn't release the lock, we know that a reboot of the DC will do so (but we'd rather NOT do that). Ultimately, only an update to the more recent version of the anti-virus engine will totally resolve our issue, but that new version is not expected for a month or two. Sigh...

Jerry

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Warner, Scott
Sent: Friday, March 07, 2008 9:05 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

Darren,

Group Policy Creator Owners have full control on that folder with no deny permissions and I still get the same error when I try to apply the policy change.

Scott

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Friday, March 07, 2008 9:56 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

Well, if you don't have any FRS replication issues with SYSVOL, then the permissions should be the same on any DC, but I like to use the PDCe for these types of things.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Warner, Scott
Sent: Friday, March 07, 2008 7:07 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

Darren,

Thanks! I will try that.
Do I need to do this on all of the DC's or just the primary DC that the GP console resides on?

Scott

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Thursday, March 06, 2008 4:23 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

OK. Then the next step is to look at the actual files in the SYSVOL part of the GPO. Specifically, under

\\<domain>\sysvol\<domain>\Policies\<GUID of GPO>\User\Documents & Settings

Check the permissions on that Folder and the files in that folder (should be at least one called fdeploy.ini). Make sure that the groups below have write perms on that folder and files and that there aren't any Deny ACEs.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Warner, Scott
Sent: Thursday, March 06, 2008 2:03 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

Yes - Domain Admins, Enterprise Admins and Group Policy Creator Owners all have the correct permissions.

Regards,

Scott P. Warner
IT Administrator
HMX Tailored
101 N. Wacker Drive
Chicago, IL 60606
312-357-5683
swarner@xxxxxxxxxxxxxx

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Thursday, March 06, 2008 3:58 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

Scott-

It sounds like someone modified the default permissions on that GPO. Have you gone into GPMC and looked at the Delegation tab on that GPO to see who has edit perms?

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Warner, Scott
Sent: Thursday, March 06, 2008 1:53 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Group Policy Error

I just started a new gig and my predecessor had enabled folder re-direction through the Default Domain Policy.
We are currently having issues with the re-direction and I was asked to axe it. The problem is when I log in to the DC and open the Group Policy Management console and try to edit the Folder Redirection Policy, I get the following error message:

Error - Unable to save the redirection information to the configuration file.
The following error occurred:
Access is denied.

My account is in Domain Admins and Enterprise Admins which are both in Group Policy Creator Owners group in AD.

Does anyone know what's going on here and how I can fix this?

Regards,

Scott P. Warner
IT Administrator
swarner@xxxxxxxxxxxxxx

CONFIDENTIALITY NOTICE: Unless expressly stated otherwise, this message is confidential and may be privileged. It is intended for the addressee(s) only. Access to this E-mail by anyone else is unauthorized. If you are not an addressee, any disclosure or copying of the contents of this E-mail or any action taken (or not taken) in reliance on it is unauthorized and may be unlawful. Unless otherwise indicated, it contains information that is confidential, privileged or exempt from disclosure under applicable law. If you have received it in error, please notify the sender of the error and delete the message.

________________________________

This e-mail may contain identifiable health information that is subject to protection under state and federal law. This information is intended to be for the use of the individual named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited and may be punishable by law. If you have received this electronic transmission in error, please notify us immediately by electronic mail (reply).
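
The checks discussed in this thread (write access for the admin groups, no Deny ACEs on fdeploy.ini, and whether every DC holds the same copy) can be run in one read-only pass. The script below is an added example, not code from any list participant; it assumes the ActiveDirectory RSAT module and an account that can read SYSVOL, the group list is taken from the thread, and the default GUID is the well-known one for the Default Domain Policy.

```powershell
# Added example, read-only. Requires the ActiveDirectory (RSAT) module.
param(
    # Well-known GUID of the Default Domain Policy; pass another GPO's GUID if needed.
    [string]$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}',
    # Groups the thread expects to hold write access on fdeploy.ini.
    [string[]]$Writers = @('Domain Admins', 'Enterprise Admins', 'Group Policy Creator Owners')
)
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot
$write  = [System.Security.AccessControl.FileSystemRights]::Write

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $file = "\\$($dc.HostName)\sysvol\$domain\Policies\$GpoGuid\User\Documents & Settings\fdeploy.ini"
    $row  = [ordered]@{ DC = $dc.HostName; Bytes = $null; LastWriteUtc = $null; SHA256 = $null
                        DenyAces = $null; MissingWrite = $null; Error = $null }
    try {
        $item             = Get-Item -LiteralPath $file -ErrorAction Stop
        $row.Bytes        = $item.Length
        $row.LastWriteUtc = $item.LastWriteTimeUtc
        # A sharing violation or lock on the file surfaces here as a read error.
        $row.SHA256       = (Get-FileHash -LiteralPath $file -Algorithm SHA256 -ErrorAction Stop).Hash
        $aces             = (Get-Acl -LiteralPath $file -ErrorAction Stop).Access
        # Any Deny ACE is reported, whoever it names.
        $row.DenyAces     = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' } |
                              ForEach-Object { [string]$_.IdentityReference }) -join '; '
        # Expected groups with no Allow ACE that includes Write (covers Modify and FullControl).
        $row.MissingWrite = @($Writers | Where-Object {
            $name = $_
            -not ($aces | Where-Object { $_.AccessControlType -eq 'Allow' -and
                    [string]$_.IdentityReference -like "*\$name" -and
                    ($_.FileSystemRights -band $write) -eq $write })
        }) -join '; '
    } catch {
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}
$report | Format-List

# Replicas that are missing, unreadable, or hash differently point at SYSVOL replication.
$hashes = @($report | Where-Object { $_.SHA256 } | Select-Object -ExpandProperty SHA256 -Unique)
if ($hashes.Count -gt 1 -or @($report | Where-Object { $_.Error }).Count -gt 0) {
    Write-Warning 'fdeploy.ini is not identical and readable on every DC; check SYSVOL replication.'
}
```

The ACE check only looks at entries that name the groups directly, so access granted through nested groups or inherited generic rights shows up under MissingWrite and needs a manual look.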