[gptalk] Re: Group Policy Error

  • From: "Cruz, Jerome L" <jerome.l.cruz@xxxxxxxxxx>
  • To: "gptalk@xxxxxxxxxxxxx" <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 7 Mar 2008 09:40:28 -0800

Hmmm,

Check your FRS logs and see if you are getting an ERROR_SHARING_VIOLATION on 
that file. Are you using McAfee as anti-virus on your DC? If you are, it may 
indicate an interaction with a low level driver on your DC.

We recently found out (using the GPOTool utility) that a GPO we had changed 
wasn't replicating to all DCs. On two DCs (out of eight), one of the content 
files wouldn't update in SYSVOL. We started the diagnosis process and threw 
just about every common tool at it we could think of to find out what was 
locking it open (e.g. PSFile, ProcMon, ProcExp, Open Session files, etc.). I 
even tried to copy a known good copy of the file on top of it manually (NOTE 
THAT THIS IS NEVER RECOMMENDED). Got an Access denied error. We opened a case 
with MS Premier Support and are about to test a resolution. In our situation, 
it appears to involve a low-level McAfee filter driver interaction (this issue 
was recently documented by McAfee on their web-site). Because of the low-level 
interaction, the lock-out doesn't show up in any common utility.

We are currently about to test the following:

Test and implement the NTFS "Install Override" option

http://support.microsoft.com/default.aspx/kb/816493/EN-US/

Also, based upon what we've been told from Microsoft, this change will help 
with 'stuck' GPT.Ini file updates that many GPO Admins run into (mostly in 
large companies and on the domain root GPOs where there are 'many' hits that 
keep these files locked out). Our DCs currently get 'hit' ~114,000 times a day for 
either direct or background GPO refreshes (and that's per each domain-level 
root GPO which has its own GPT.Ini file). FRS has trouble getting access to 
update the GPT.Ini files because of this. The FRS option noted above changes 
the behavior of replication. Instead of being denied access when a SYSVOL file 
is in "read" or "write" state, the SYSVOL file would only be locked out when in 
a "read" state.

What we're hoping is that this changed behavior of FRS will release the lock on 
the content file (GptTmpl.Inf in our case) and then help prevent them in the 
future. If it doesn't release the lock, we know that a reboot of the DC will do 
so (but we'd rather NOT do that). Ultimately, only an update to the more recent 
version of the anti-virus engine will totally resolve our issue, but that new 
version is not expected for a month or two. Sigh...

Jerry


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Warner, Scott
Sent: Friday, March 07, 2008 9:05 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

Darren,

Group Policy Creator Owners have full control on that folder with no deny 
permissions and I still get the same error when I try to apply the policy 
change.

Scott

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: Friday, March 07, 2008 9:56 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

Well, if you don't have any FRS replication issues with SYSVOL, then the 
permissions should be the same on any DC, but I like to use the PDCe for these 
types of things.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Warner, Scott
Sent: Friday, March 07, 2008 7:07 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

Darren,

Thanks!  I will try that.  Do I need to do this on all of the DCs or just the 
primary DC that the GP console resides on?

Scott

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: Thursday, March 06, 2008 4:23 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

OK. Then the next step is to look at the actual files in the SYSVOL part of the 
GPO. Specifically, under 
\\<domain>\sysvol\<domain>\Policies\<GUID of GPO>\User\Documents & Settings

Check the permissions on that Folder and the files in that folder (should be at 
least one called fdeploy.ini). Make sure that the groups below have write perms 
on that folder and files and that there aren't any Deny ACEs.

Darren
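The permission check Darren describes, as an added PowerShell example that is not part of the thread: it walks the GPO's `User\Documents & Settings` SYSVOL folder and its files, reports every Deny ACE, and flags any of the named groups that lacks an Allow ACE granting write. It assumes the RSAT GroupPolicy module for the `Get-GPO` lookup; the parameter names and default group list are mine.

```powershell
# Added example, not code from the gptalk thread: audit the ACL on a GPO's
# folder-redirection SYSVOL folder for Deny ACEs and for missing write access.
# Assumes the RSAT GroupPolicy module (Get-GPO) and the folder path Darren gives.
# Run from an elevated prompt on a DC or an admin workstation joined to the domain.
param(
    [Parameter(Mandatory)] [string]$GpoName,
    [string]$Domain = $env:USERDNSDOMAIN,
    # Groups the thread expects to hold write access (hypothetical default list).
    [string[]]$RequiredGroups = @('Domain Admins', 'Enterprise Admins',
                                  'Group Policy Creator Owners')
)

Import-Module GroupPolicy -ErrorAction Stop
$gpo  = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction Stop
$path = "\\$Domain\sysvol\$Domain\Policies\{$($gpo.Id)}\User\Documents & Settings"
if (-not (Test-Path -LiteralPath $path)) { throw "Folder not found: $path" }

# The folder itself plus every file in it (fdeploy.ini should be one of them).
$targets   = @(Get-Item -LiteralPath $path) + @(Get-ChildItem -LiteralPath $path -File)
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write

foreach ($item in $targets) {
    $acl = Get-Acl -LiteralPath $item.FullName

    # A Deny ACE overrides any Allow, so list each one explicitly.
    foreach ($ace in ($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        Write-Warning "$($item.FullName): DENY $($ace.FileSystemRights) for $($ace.IdentityReference)"
    }

    # For each required group, look for an Allow ACE whose rights include all Write bits
    # (Modify and FullControl both contain them). Generic rights on inherit-only ACEs are
    # not mapped here and will be reported as missing.
    foreach ($group in $RequiredGroups) {
        $allow = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -like "*\$group" -and
            (($_.FileSystemRights -band $writeMask) -eq $writeMask)
        }
        if (-not $allow) {
            Write-Warning "$($item.FullName): '$group' has no Allow ACE granting write"
        }
    }

    '{0}  owner={1}  inheritanceEnabled={2}' -f $item.FullName, $acl.Owner,
        (-not $acl.AreAccessRulesProtected)
}
```

Run it against each DC's copy of SYSVOL (substitute the DC name for the domain in the path) if FRS replication is in doubt, since a Deny ACE present on only one replica is enough to produce the "Access is denied" error when that DC is the one GPMC writes to.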

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Warner, Scott
Sent: Thursday, March 06, 2008 2:03 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

Yes - Domain Admins, Enterprise Admins and Group Policy Creator Owners all have 
the correct permissions.

Regards,

Scott P. Warner
IT Administrator
HMX Tailored
101 N. Wacker Drive
Chicago, IL 60606
312-357-5683
swarner@xxxxxxxxxxxxxx
________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: Thursday, March 06, 2008 3:58 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy Error

Scott-
It sounds like someone modified the default permissions on that GPO. Have you 
gone into GPMC and looked at the Delegation tab on that GPO to see who has edit 
perms?

Darren


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Warner, Scott
Sent: Thursday, March 06, 2008 1:53 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Group Policy Error

I just started a new gig and my predecessor had enabled folder re-direction 
through the Default Domain Policy.  We are currently having issues with the 
re-direction and I was asked to axe it.  The problem is when I log in to the DC 
and open the Group Policy Management console and try to edit the Folder 
Redirection Policy, I get the following error message:
Error - Unable to save the redirection information to the configuration file.
The following error occurred: Access is denied.
My account is in Domain Admins and Enterprise Admins which are both in Group 
Policy Creator Owners group in AD.  Does anyone know what's going on here and 
how I can fix this?

Regards,

Scott P. Warner
IT Administrator
swarner@xxxxxxxxxxxxxx


CONFIDENTIALITY NOTICE: Unless expressly stated otherwise, this message is 
confidential and may be privileged. It is intended for the addressee(s) only. 
Access to this E-mail by anyone else is unauthorized. If you are not an 
addressee, any disclosure or copying of the contents of this E-mail or any 
action taken (or not taken) in reliance on it is unauthorized and may be 
unlawful. Unless otherwise indicated, it contains information that is 
confidential, privileged or exempt from disclosure under applicable law. If you 
have received it in error, please notify the sender of the error and delete the 
message.
