RSOP access is denied, gpo not apply


  • Thursday, January 24, 2013 1:26 PM
     
     

    Hi All.

    OS: Windows 2008 r2 sp1, Hyper-v server 2008 r2 sp1, Windows 7 x64, x86 ultimate

    I have 2 servers; on each server I installed Windows 2008 R2 SP1 and set up the roles AD, DNS, FS, IIS and Hyper-V.

    I read about best practices, so I decided to transform one of the servers into Hyper-V Server 2008 R2 SP1.

    I transferred the FSMO roles to the 2nd DC, then downgraded the first server, removed it from the domain and reinstalled it. All seemed to work. Now I have 1 DC. I also reset all GPOs and OUs and created new ones.

    After I created a new GPO I tested it: on my VM it works, but on the users' PCs it's not working. I launched the Group Policy Results Wizard and it says: Access is denied. I tried another PC but got the same error, and then I tried my VM and it works fine..... Then I realized that it works only for PCs that were added to the domain after I deleted the first DC. I looked at all the logs I could find on the DC and the users' PCs but didn't get any errors :( RSOP works fine when I start it on the local user's PC, no errors.... After that I saw that some PC policies don't apply, but in local RSOP I don't see that they are even *noted* (they don't show in applied/denied GPOs).

    I Googled the error but found only a solution for Windows XP SP2.

    So, any suggestion how I can solve these strange errors?

    Thx for the answers, sorry for the wall of text.

All Replies

  • Thursday, January 24, 2013 4:48 PM
     
     
    On 24.01.2013 14:26, Sauske Sagara wrote:
    > /Then I realize that it works only for PC that was added in domain
    > after I delete first DC./
     
    Seems the second DC didn't replicate... Re-join your clients, that
    should solve the problem.
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • Friday, January 25, 2013 7:46 AM
    Moderator
     
     

    Hi ,

    Thank you for posting your issue in the forum.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards,

    Andy Qi

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Andy Qi
    TechNet Community Support

  • Friday, January 25, 2013 9:25 AM
     
     

    How? What do you think I did wrong, and how can I fix it? Well, re-joining clients is not fun.... Or can it be done remotely somehow?

    I added a 2nd domain controller but nothing changed :(

    UPD: I re-joined one client and RSOP works now, but I want to know why that error happens and what I need to do to not make it in future.

    UPD 1: after RSOP returned data, I rebooted the PC and after that RSOP stopped working, same error Access is denied, so re-joining the PC to the domain doesn't solve the problem :(



  • Friday, January 25, 2013 1:01 PM
     
     
     
    > How? What do you think I did wrong, and how can I fix it?
     
    I don't know what went wrong since the former PDC is demoted...
     
    > UPD: I re-join one client and RSOP works now, but I want to know why
    > that error happens and what I need to do to not make it in future
     
    Make sure your AD and Sysvol are fully in sync (replicate properly)
    before decommissioning a DC. As said above: It is impossible to tell what
    happened exactly, but maybe the Event log on the existing DC has some
    traces in it.
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • Friday, January 25, 2013 2:16 PM
     
     
     

    Well, I transferred all FSMO roles to the other server before demoting... Any suggestion which events I need to look at?
  • Friday, January 25, 2013 2:33 PM
     
     
     
    >
    > Well, I transferred all FSMO roles to the other server before demoting... Any
    > suggestion which events I need to look at?
     
    Warnings or errors in the NTFRS/DFS and ADDS logs.
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • Friday, January 25, 2013 4:39 PM
     
     

    Hi,

    Do you launch RSOP? Capture a screenshot and paste the Access is denied error here.

    Please also try domain admin account.



    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Monday, January 28, 2013 10:32 AM
     
     


    I checked the logs, but didn't find any *critical* errors; all the errors/warnings I found were from before I transferred FSMO and demoted the server. Right now the Directory Service log has no errors at all; in DFS Replication I got warnings:

    The DFS Replication service has detected that no connections are configured for replication group Domain System Volume. No data is being replicated for this replication group. 

    but that's because I added a 2nd domain controller and thought it would solve my problem, but no :(

    I launched dcdiag /test:dns = no errors; dcdiag = DCOM was unable to communicate with IP (it's my root DNS servers), so it failed the SystemLog test but all the others passed.

  • Monday, January 28, 2013 10:33 AM
     
     


    Yep, I tried it with domain admin on the server, even right-click and run with admin privileges, but it doesn't work :(

  • Monday, January 28, 2013 11:17 AM
     
     

    Can you check this? This should grant permissions to run RSOP. If it's working, we can go forward about your GPO issue.

    • Open Component Services.
    • In the console tree, click the Computers folder, right-click the computer for which you want to enable or disable DCOM, and then click Properties.
    • Click the Default Properties tab.
    • Enable DCOM: select the Enable Distributed COM on this computer check box.
    • Click OK.
    • Reboot.
    • Should work.

    In case DCOM is already enabled, do this:

    • In the console tree, click the Computers folder, right-click the computer for which you want to enable or disable DCOM, and then click Properties.
    • Click the Default Properties tab.
    • Disable DCOM: select the DISABLE Distributed COM on this computer check box.
    • Click OK & close all.
    • Now again, Enable DCOM: select the Enable Distributed COM on this computer check box.
    • Reboot.
    • MUST work.

    If it is still not working, last option:

    • Click START > RUN > type DCOMCNFG >> OK.
    • Expand the Component Services node.
    • Expand the Computers node.
    • Expand the DCOM Config node.
    • Right-click Windows Management... and then click "PROPERTIES".
    • Check these settings: for all listed users everything must be allowed.

    If this is done, you need to check this in addition. RSOP is DCOM and WMI related. That's the reason why you need to check both:

    1. Check whether the Remote Registry service is stopped.
       1. Click Start -> Run, type "services.msc", and then press Enter.
       2. Double-click Remote Registry.
       3. On the General tab, click Start.
       4. Select "Automatic" in the Startup type box.
       5. Click OK.

    2. Test WMI (Windows Management Instrumentation).

       2.1. Testing the local WMI service.
          1. Click Start, click Run, type wmimgmt.msc, and then click OK.
          2. Right-click WMI Control (Local), and then click Properties.
          3. If the WMI service is configured correctly, the WMI Control will connect to WMI and display the Properties dialog box. On the General tab, you should see information about the operating system and the version of WMI.

       2.2. Testing the remote WMI service.
          1. Click Start, click Run, type wmimgmt.msc, and then click OK.
          2. Right-click WMI Control (Local), and then click Connect to another computer.
          3. Click Another computer, and then enter the name of the remote computer.
          4. If you have to provide user credentials, click Change.
          5. Click OK.
          6. Right-click WMI Control (remote system name), and then click Properties.

    If you cannot connect to WMI on a remote computer, the first thing to do is test the WMI service locally on both of the computers (local and remote).
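    The checks from the post above, scripted so they can be repeated on several clients. This is an added example, not code from the thread; it assumes an elevated PowerShell prompt on Windows 7 / Server 2008 R2, the function names are my own, and CLIENT-PC is a placeholder host name, not a machine from the thread:

```powershell
# Added example, not part of the thread: performs the checks from the post
# above (DCOM enabled, Remote Registry service, local and remote WMI) from an
# elevated PowerShell prompt. $RemoteComputer is an assumed placeholder name.
param(
    [string]$RemoteComputer = 'CLIENT-PC'   # assumption: placeholder host name
)

# DCOM switch: the EnableDCOM value under HKLM\SOFTWARE\Microsoft\Ole holds
# "Y" when "Enable Distributed COM on this computer" is ticked.
function Test-DcomEnabled {
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
    return ($ole -ne $null -and $ole.EnableDCOM -eq 'Y')
}

# Remote Registry (step 1 of the post): read State/StartMode via WMI and set
# the service to Automatic and running if it is not already.
function Repair-RemoteRegistry {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='RemoteRegistry'"
    if ($svc.StartMode -ne 'Auto')   { Set-Service -Name RemoteRegistry -StartupType Automatic }
    if ($svc.State -ne 'Running')    { Start-Service -Name RemoteRegistry }
    return ((Get-Service -Name RemoteRegistry).Status -eq 'Running')
}

# WMI test (step 2): querying Win32_OperatingSystem is what wmimgmt.msc shows
# on its General tab. With -ComputerName the call goes over DCOM, the same
# path the Group Policy Results wizard uses against a remote machine.
function Test-Wmi {
    param([string]$ComputerName = '.')
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        return "OK: $($os.Caption) $($os.Version)"
    } catch {
        $msg = $_.Exception.Message
        # 0x80070005 (access denied) points at permissions: DCOM security,
        # WMI namespace security or local group membership.
        # 0x800706BA (RPC server unavailable) points at the firewall, a
        # stopped service or name resolution. Telling them apart narrows
        # the search considerably.
        if ($msg -match '80070005|Access is denied')        { return "DENIED: $msg" }
        if ($msg -match '800706BA|RPC server is unavailable') { return "UNREACHABLE: $msg" }
        return "ERROR: $msg"
    }
}

Write-Host ("DCOM enabled (local):         " + (Test-DcomEnabled))
Write-Host ("Remote Registry running:      " + (Repair-RemoteRegistry))
Write-Host ("WMI local:                    " + (Test-Wmi))
Write-Host ("WMI remote ($RemoteComputer): " + (Test-Wmi -ComputerName $RemoteComputer))

# The same data RSOP collects, without the MMC wizard: a computer-scope
# summary of the policies applied on the remote machine.
gpresult /S $RemoteComputer /SCOPE COMPUTER /R
```

    If the remote WMI call returns DENIED while the local one succeeds, the network path (firewall, RPC, Remote Registry) is fine and the problem is authorization on the target, which is where the DCOM permission and local Administrators checks later in this thread come in.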



  • Monday, January 28, 2013 12:24 PM
     
     

    To Torsten Jahnke

    Thx for such a detailed answer!

    I checked DCOM on the local server and the remote PC, and it's all OK (all settings similar to those in your pictures), but when I try to add a new PC to Component Services it shows with a red arrow on the PC and I cannot get information about the PC because I get a pop-up with an error.

    But I found a solution for how to fix it, but need to do it ^^ hope it helps.

    Then I checked WMI and Remote Registry.

    On the other PC Remote Registry was stopped; I started it and set it to Automatic. After that I checked local WMI and it's working, then remote, and here I got an error.

  • Monday, January 28, 2013 1:01 PM
     
     

    Uhhh... That's not what I was expecting ;-)

    It seems you have more trouble with WMI and DCOM. I guess I have a solution for this but I don't know if you want to hear - or read this.

    1. Make a backup of your server
    2. Make a backup again :)
    3. Export this registry file to your Backup location:

    HKLM\SOFTWARE\Microsoft\Ole\DefaultAccessPermission

    4. Now delete this key
    5. Reboot

    Deleting this key will set the permissions back to default. Be aware: if you have any IIS-related or DCOM-related application running, then this service might no longer work.

    I don't make any promises to you that this will work, but it seems you need to “WMI and DCOM” from scratch.
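    The backup-then-delete steps above, scripted so that the export is verified before anything is removed and can be imported back if IIS or another DCOM-dependent service breaks. This is an added example, not code from the thread; it assumes an elevated PowerShell prompt, the function names are my own, and C:\Backup\DCOM is a placeholder backup path:

```powershell
# Added example, not part of the thread: implements the backup-then-delete
# steps of the post above for HKLM\SOFTWARE\Microsoft\Ole\DefaultAccessPermission.
# Run from an elevated PowerShell prompt. $BackupDir is an assumed placeholder.
function Reset-DcomDefaultAccessPermission {
    param([string]$BackupDir = 'C:\Backup\DCOM')   # assumption: placeholder path

    $oleKey    = 'HKLM\SOFTWARE\Microsoft\Ole'     # reg.exe syntax
    $olePath   = 'HKLM:\SOFTWARE\Microsoft\Ole'    # PowerShell provider syntax
    $valueName = 'DefaultAccessPermission'

    $current = Get-ItemProperty -Path $olePath -Name $valueName -ErrorAction SilentlyContinue
    if ($current -eq $null) {
        Write-Host "$valueName is not present; DCOM is already using its built-in defaults."
        return $null
    }

    # Step 3: export before touching anything. reg.exe exports whole keys, so
    # the .reg file contains the Ole key with DefaultAccessPermission inside it.
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    $backupFile = Join-Path $BackupDir ("Ole-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
    & reg.exe export $oleKey $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backupFile)) {
        throw "Export of $oleKey failed; nothing was changed."
    }

    # Step 4: remove the value. With it absent, DCOM falls back to its
    # built-in default access permissions.
    Remove-ItemProperty -Path $olePath -Name $valueName
    Write-Host "Removed $valueName. Backup written to $backupFile. Reboot to apply (step 5)."
    return $backupFile
}

# Undo path: import the .reg file written above, then reboot again.
function Restore-DcomDefaultAccessPermission {
    param([Parameter(Mandatory=$true)][string]$BackupFile)
    & reg.exe import $BackupFile
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupFile failed." }
    Write-Host "Imported $BackupFile. Reboot to apply."
}

# Usage (elevated):
#   $backup = Reset-DcomDefaultAccessPermission
#   Restart-Computer
#   # if a DCOM-dependent application stops working afterwards:
#   Restore-DcomDefaultAccessPermission -BackupFile $backup
```

    The export is checked for both a zero exit code and an existing file before the value is removed, so the "make a backup" steps cannot be skipped by accident. Steps 1 and 2 of the post, a full server backup, are still separate from this and should be done first.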
  • Monday, January 28, 2013 1:07 PM
     
     


    Well, I'll try it as a last hope ^^ The main thing I don't understand is that everything works OK on PCs that were ADDED to the DOMAIN recently, so WMI and DCOM work, but they don't work on older PCs. Well, I'll try to remove a PC from the domain, then delete the PC object from the domain and re-join it.
  • Monday, January 28, 2013 1:16 PM
     
     

    I don't know what you have done on older PC's but you can check and/or destroy one if you have time to make further investigations on this problem. But you see it's not just only RSOP :-)

    Anyway, I forgot to add this to my previous posting:

    If these Access Permissions settings have been modified make sure that at least INTERACTIVE, SYSTEM, and Administrators have been explicitly granted Access Permission.

  • Monday, January 28, 2013 1:22 PM
     
     


    Almost all settings are default; I don't touch any security settings at all, just turn on the domain firewall (but set everything to allow) and add local administrators.

    Just re-joined a PC to the domain and RSOP works, no access error, but strange thing: I can't log in remotely to the PC, it says the user account is not authorized for remote login, but like 10 min ago everything worked and I didn't touch any settings ><


    UPD: I rebooted the PC that I re-joined to the domain and the access error is back :(
  • Monday, January 28, 2013 3:44 PM
     
     

    Ok. You told me before it happens only on older computers.

    I can remember that bloody "I love you.vbs" virus which was killing a lot of computers. The first and interim solution was to lock down DCOM and WMI to minimize the outbreak and extend security.

    It seems that someone has assigned a policy or something else which breaks down your DCOM and WMI settings.

    Your settings are down. After doing something - don't know - everything is working. After 10 minutes everything is locked again. From my point of view it seems you have somewhere a policy which will lock down all DCOM and WMI restrictions ("...but like 10 min ago all works and I don't touch..." - "UPD I reboot pc that I re-join to domain"). It also seems that your machines are not patched to the latest level, because this might also have to do with this problem. Keep in mind that I'm blind and I can't see anything.

    The problem is now you are not able to use RSOP on the box. Now you can do it manually, or you need to search each policy one by one for which GPO will lock down the computer. BUT - on the other hand it could also be that some funny guy has implemented this as a local policy on the computer, and that would mean that you need to check every computer.

    Ok, not every computer, but one to confirm and check where the hell this restriction is set, and when you have found it on one computer you know what to do with the rest of the PCs.

    I know that this is not the thing you want to read, but the problem is related only to DCOM and WMI which is locked by a policy within your network. Unfortunately there is currently no way to help until you have solved this issue.

  • Monday, January 28, 2013 3:51 PM
     
     


    There is no other admin at the office, so no one else could do it *joke*

    There are almost no policies added, because I created a new OU and new group policies (deleted all the old stuff too and reset the default domain policy using commands).

    Well, thx for the help, I will try to focus on DCOM and WMI settings, and try to repeat the situation in a virtual environment.

  • Monday, January 28, 2013 4:26 PM
     
     

    What's about the Firewall policy?

    I don't know if you have this already implemented, but I always recommend: no desktop firewall within the domain. Check the GPO to disable the firewall within the domain.

    If you unplug the machine or connect it to a different Internet location, then the firewall is still active.

  • Wednesday, January 30, 2013 12:11 PM
     
     Answered


    The domain firewall is enabled by GPO but I configured it as Allow/Allow; with local admin rights I disabled the firewall on the PC but it doesn't help.

    Today I made a new VM and after I joined it to the domain I got the same RSOP access error as on the other PCs :( but 3 days ago the VM was still working..... And on the new VM, when I try to see locally what GPOs are applied, it says no RSOP data for this user :(

    UPD: strange, but the firewall policy status is not configured.... and I 100% remember that I turned it on...

    UPD1: I found the problem. I don't know why, but by error or by default the Domain Admins group was not in the local Administrators group on the PC; after I added it to the local Administrators group everything started working!

    • Edited by Sauske Sagara Wednesday, January 30, 2013 12:15 PM
    • Edited by Sauske Sagara Wednesday, January 30, 2013 1:31 PM
    • Marked As Answer by Sauske Sagara Wednesday, January 30, 2013 2:12 PM
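    The condition the original poster found in the marked answer, checked across a list of clients and optionally repaired. This is an added example, not code from the thread; it uses the ADSI WinNT provider available on Windows 7 / Server 2008 R2, the function names are my own, and the computer names PC-OLD01 and PC-OLD02 are placeholders:

```powershell
# Added example, not part of the thread: reports whether the domain's
# "Domain Admins" group is a member of the local Administrators group on a
# computer (the condition the original poster found missing) and, with -Fix,
# adds it. Computer names below are assumed placeholders.
function Get-LocalAdministratorMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members come back as raw COM objects; ADsPath looks like
        # WinNT://CONTOSO/Domain Admins or WinNT://CONTOSO/PC1/Administrator.
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $adsPath -replace '^WinNT://', '' -replace '/', '\'   # -> CONTOSO\Domain Admins
    }
}

function Test-DomainAdminsInLocalAdmins {
    param(
        [string]$ComputerName  = $env:COMPUTERNAME,
        [string]$DomainNetBios = $env:USERDOMAIN   # assumption: run from a domain account
    )
    $members = @(Get-LocalAdministratorMembers -ComputerName $ComputerName)
    return ($members -contains "$DomainNetBios\Domain Admins")
}

function Repair-DomainAdminsInLocalAdmins {
    param(
        [string]$ComputerName  = $env:COMPUTERNAME,
        [string]$DomainNetBios = $env:USERDOMAIN,
        [switch]$Fix
    )
    if (Test-DomainAdminsInLocalAdmins -ComputerName $ComputerName -DomainNetBios $DomainNetBios) {
        Write-Host "${ComputerName}: $DomainNetBios\Domain Admins is already a local Administrator."
        return $true
    }
    Write-Host "${ComputerName}: $DomainNetBios\Domain Admins is MISSING from local Administrators."
    if (-not $Fix) { return $false }

    # IADsGroup::Add with the WinNT path of the domain group, which is what
    # the original poster did by hand in the Local Users and Groups snap-in.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Add', "WinNT://$DomainNetBios/Domain Admins,group")
    return (Test-DomainAdminsInLocalAdmins -ComputerName $ComputerName -DomainNetBios $DomainNetBios)
}

# Usage: report on the older clients, fixing the ones that lack the group.
# 'PC-OLD01' and 'PC-OLD02' are placeholder names (assumption).
foreach ($pc in 'PC-OLD01', 'PC-OLD02') {
    Repair-DomainAdminsInLocalAdmins -ComputerName $pc -Fix | Out-Null
}
```

    The remote calls need Remote Registry and an account that is already a local administrator on the target, so a machine on which Domain Admins is missing may have to be fixed while logged on locally, as the original poster did. To keep the membership from drifting again, a Restricted Groups policy (Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups) makes it a setting Group Policy re-applies at every refresh instead of a one-off repair.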