Mark Minasi's Reader Forum - gpresult "ERROR: Access Denied."

Mark Minasi's Reader Forum

Username:	Password:
Save Password
Forgot your Password?

All Forums

HALP! Questions on Windows and Windows Server

Group Policies

gpresult "ERROR: Access Denied."

New Topic

Reply to Topic

Printer Friendly

Author

Topic

Troy
Welcome Newcomer

USA
10 Posts
Status: offline

Posted - 12/18/2006 : 3:19:06 PM

I have a Windows Server 2003 SP1 that was upgraded from Windows 2000. Anytime I try to run gpresult or rsop.msc I get "ERROR: Access Denied" in return after it sits at "Getting the domain information..." then the OS information and RSOP line quickly flash by before the ERROR message appears.

I have tried running the commands as an administrator, specifically disabling the policy "Disallow Interactive Users from generating Resultant Set of Policies" in both the user and computer sections.
I also removed the computer from the domain and re-added it.

I found this kb article on a similar problem: http://support.microsoft.com/kb/322852
But it refers only to XP and the workarounds it suggests do not work.

Nothing has helped. I also get an Access Denied error if I run the Group Policy Results Wizard from a remote computer.

All new and current GPOs are applying as far as I can tell. I just can't view any of them using gpresults or rsop.msc.

DNS is correct and the Event Logs are uneventful :)

Any ideas?

wkasdo
Administrator

Netherlands
7424 Posts
Status: offline

Posted - 12/18/2006 : 3:49:48 PM

Is the WMI service running? RSoP depends on it.

Make it as simple as you can, but not simpler -- Albert Einstein

Troy
Welcome Newcomer

USA
10 Posts
Status: offline

Posted - 12/18/2006 : 4:11:28 PM

Yes, the Windows Management Instrumentation Service is running. I restarted it, but I get the same result.

dmarelia
Moderator

USA
2922 Posts
Status: offline

Posted - 12/18/2006 : 8:30:56 PM

There's an AD right called "Generate Resultant Set of Policy" Is it possible that someone delegated that permission away from the computer or user objects in AD that you're trying to get RSOP from?

Darren Mar-Elia
MS MVP--Group Policy
Group Policy Resource Site: http://www.gpoguy.com
Group Policy Blog: http://www.sdmsoftware.com/blog
Group Policy on Twitter:
http://www.twitter.com/grouppolicyguy
Like us on Facebook: http://www.facebook.com/SDMSoftware
***********
GPO Inventory & Comparison Simplified. Get SDM Software's GPO Reporting Pak -- http://sdmsoftware.com/group-policy-management-products/group-policy-reporting-pak/

Troy
Welcome Newcomer

USA
10 Posts
Status: offline

Posted - 12/19/2006 : 08:25:47 AM

The AD right "Generate Resultant Set of Policy" is at the OU level only, not the individual computer or user object correct? http://technet2.microsoft.com/WindowsServer/en/library/2044d125-cfb2-428c-aa8c-c4e5ac007ba41033.mspx?mfr=true

I did check the OU and domain admins have the ability to "Generate Resultant Set of Policy" at that OU. All other computers in that OU can run gpresult without a problem.

I was able to get gpresult to run on the problem server if I copy the gpresult.exe from a Windows 2000 server. However, if I copy gpresult.exe from a Windows 2003 server it still results in "ERROR: Access Denied"

Running Group Policy Results from GPMC on another server will work if I don't run the computer settings and select a local user instead of a domain user.

wkasdo
Administrator

Netherlands
7424 Posts
Status: offline

Posted - 12/19/2006 : 09:07:00 AM

> I was able to get gpresult to run on the problem server if I copy the gpresult.exe from a Windows 2000 server. However, if I copy gpresult.exe from a Windows 2003 server it still results in "ERROR: Access Denied"

Good one. So this is a software problem. I'd reinstall the server. Who knows what is broken by now.

Make it as simple as you can, but not simpler -- Albert Einstein

Troy
Welcome Newcomer

USA
10 Posts
Status: offline

Posted - 12/19/2006 : 09:42:13 AM

It is an older development server so it is not the end of the world that gpresult and rsop.msc fail. I guess I will just deal with it. I can't really think of anything else to try besides reinstalling a service pack or the whole OS.

Thanks to everybody who responded.

dmarelia
Moderator

USA
2922 Posts
Status: offline

Posted - 12/19/2006 : 11:37:00 AM

gpresult.exe from Win2K is an entirely different animal, so I'm not surprised it would work. But that's not a true test because it doesn't use RSOP to gather its data. I still think there is a permissions issue. Is that right you have on the OU set to apply to the OU and all child objects or just the OU level?

Edited by - dmarelia on 12/19/2006 11:37:21 AM

Troy
Welcome Newcomer

USA
10 Posts
Status: offline

Posted - 12/19/2006 : 1:52:10 PM

Here is what I have done for permissions on the OU that contains the server with the gpresult error:

Right-clicked the OU > Properties > Security tab
Clicked Add > %myusername%
Clicked Advanced.
Highlighted my username and clicked Edit.
Set Apply Onto to: This object and all child objects
Clicked Allow Full Control.
Clicked OK x 3.

I did the same thing with the computer object.

I then logged back on to the server and there was no change. Still "ERROR: Access Denied"

This is a recent OU that I created with default permissions so I don't think anything out of the ordinary is happening with it.

dmarelia
Moderator

USA
2922 Posts
Status: offline

Posted - 12/19/2006 : 2:55:46 PM

I think I know what this is. The key is that you upgraded to 2003, SP1. Check this article out and see if it helps:

http://support.microsoft.com/kb/892500/en-us

Troy
Welcome Newcomer

USA
10 Posts
Status: offline

Posted - 12/19/2006 : 5:12:58 PM

I set the registry keys listed in the link but I can't reboot or restart services right now. I ran rsop.msc and gpresult. I didn't see any new listings in the Event Log.

I went ahead and gave my user account all the permissions under "Access Permissions" and "Launch and Activation Permissions." It didn't help.

I will reboot tomorrow morning and see if there is any difference.

Thanks for your help!

Troy
Welcome Newcomer

USA
10 Posts
Status: offline

Posted - 12/20/2006 : 08:55:51 AM

I rebooted the server and did not see anything interesting in the Event Viewer. I gave myself all the permissions on the COM security tab anyway and it did not help.

Then I thought that it might be WMI corruption. I checked the wbemess.log and it had a few errors. One was 0x80041033. I looked at this web page http://forums.winforums.org/showthread.php?t=8677 and deleted the wbem repository and ran this script:
%SYSTEMDRIVE%
CD %windir%\system32\wbem
Mofcomp.exe cimwin32.mof
Regsvr32 /s wbemupgd.dll
Regsvr32 /s wbemsvc.dll
wmiprvse /regserver

Still the same error.

rajunair
Welcome Newcomer

1 Posts
Status: offline

Posted - 12/03/2008 : 07:49:44 AM

This solution tested & works at Windows 2003.

Go to Command Prompt --> Copy Paste the below lines

cd /d %windir%\system32
regsvr32 /n /I userenv.dll
cd wbem
mofcomp scersop.mof
gpupdate /force
gpresult
Thanks

Regards
Raju Nair

outsider73
Welcome Newcomer

1 Posts
Status: offline

Posted - 03/04/2009 : 2:26:23 PM

rajunair is totally right.
I had the same issue on a W2k3 SP2 R2 x64.
I followed his procedure and now it works.

Thanks

SoftCow
Welcome Newcomer

USA
1 Posts
Status: offline

Posted - 06/14/2012 : 7:11:52 PM

rajunair is absolutely right. Been trying to figure this out for too long! I also had an error registering userenv.dll but googled it and found http://social.technet.microsoft.com/Forums/en/winservergen/thread/707d8544-78f9-42c7-8895-51481f5ecaab where I rebuilt my wbem database. It's nice to be able to use GP again!

Topic

New Topic

Reply to Topic

Printer Friendly

Jump To:

Mark Minasi's Reader Forum

This page was generated in 0.19 seconds.

Snitz Forums 2000