XP users cannot access SYSVOL, Win7 users are fine

    Question

  • Hello,

    We have a domain running 2 2008 Server DCs, some Win7 clients, and some XP clients.  Servers were upgraded from 2003 to 2008 last year.  GPO was not processing correctly, so I did some testing.  Win7 clients are working okay and can browse the \\<domain>\sysvol\<domain_name> folder.  Windows XP clients are getting userenv errors 1030 and 1058.  When I try to browse to SYSVOL on any XP clients (regardless of domain user or domain admin membership), I get this error:

    \\<domain.ext>\SYSVOL\<domain.ext> is not accessible.  You might not have permission to use this network resource.  Contact the administrator of this server to find out if you have access permissions.

    The data present in the reparse point buffer is invalid.

    I checked permissions and authenticated users and domain users have read & execute\list\read.

    I checked my reparse points and found that on one server, they were still pointing to c:\WINNT instead of C:\WINDOWS.  I used dlink to change it so it would be the same as the other server.  This doesn't seem to have fixed the issue...

    Any suggestions would be GREATLY appreciated.  This is driving me batty.

    Thanks,

    Candi

     

    Thursday, March 15, 2012 7:41 PM

All replies

  • Hello Candi,

    How about the DNS configuration of these clients?
    Do they have the DC as the preferred DNS?
     
    Please also configure SMB signing:

     http://support.microsoft.com/kb/839499/EN-US/


    MVP Group Policy - Myths, insider information and troubleshooting on the topic of GPOs: Let's go, use GPO!

    Thursday, March 15, 2012 8:48 PM
  • Hi,

     

    I would like to confirm: do other group policies work normally?

     

    This error code usually indicates that the user or computer does not have the appropriate permissions to access the path specified in the event.

     

    Based on the current situation, please perform the following steps to troubleshoot the issue:

     

    1.    Right click on the problematic gpt.ini file and click Permissions.

    2.    Switch to Security tab and click Edit.

    3.    Highlight Authenticated Users, remove all the boxes under Deny and check the following items under Allow.

          • Read & execute

          • Read

    4.    Click OK twice to test the issue.

     

    For more information, please refer to the following Microsoft TechNet article:

     

    Event ID 1058 — Group Policy Preprocessing (Networking)

    http://technet.microsoft.com/en-us/library/cc727259(WS.10).aspx

     

    If the issue persists, would you please run the following command and post the output in your reply:

     

    Cacls %systemroot%\SYSVOL\sysvol\DomainName\Policies\{GUID}\gpt.ini

     

    Note: Please replace DomainName and GUID with the real DomainName and GUID.

     

    If it still cannot work, please also follow the troubleshooting suggestions the following Microsoft KB article provides:

     

    Userenv errors occur and events are logged after you apply Group Policy to computers that are running Windows Server 2003, Windows XP, or Windows 2000

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;887303

     

    Regards,



    Arthur Li

    TechNet Community Support

    Monday, March 19, 2012 8:28 AM
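Added example, not part of the original thread or of the linked Microsoft articles: the per-file permission check from the steps above, run across every GPO folder at once on a domain controller with PowerShell's `Get-Acl`. The function name `Test-GptIniAcl`, the `domain.local` placeholder and the English trustee name are assumptions made for this sketch.

```powershell
# Added example: audit the gpt.ini ACL of every GPO folder in SYSVOL on a DC.
# Assumptions: run locally on a domain controller; $DomainName is a placeholder;
# the trustee below is the English display name and differs on localized systems.
$DomainName   = 'domain.local'
$Trustee      = 'NT AUTHORITY\Authenticated Users'
$PoliciesRoot = Join-Path $env:SystemRoot "SYSVOL\sysvol\$DomainName\Policies"
$ReadMask     = [int][System.Security.AccessControl.FileSystemRights]::Read

function Test-GptIniAcl {
    param([string]$GpoFolder)

    $gpt = Join-Path $GpoFolder 'gpt.ini'
    $result = New-Object PSObject -Property @{
        Gpo = Split-Path $GpoFolder -Leaf; Status = 'OK'; Detail = ''
    }
    if (-not (Test-Path $gpt)) {
        $result.Status = 'MISSING'; $result.Detail = 'gpt.ini not found'
        return $result
    }
    $rules = @((Get-Acl -Path $gpt).Access |
        Where-Object { $_.IdentityReference.Value -eq $Trustee })

    # A Deny ACE covering any read bit can block reads even when an Allow ACE exists.
    $deny = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ([int]$_.FileSystemRights -band $ReadMask) -ne 0 })
    # At least one Allow ACE must grant the complete Read set.
    $allow = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $ReadMask) -eq $ReadMask })

    if ($deny.Count -gt 0) {
        $result.Status = 'DENY'; $result.Detail = "Deny ACE for $Trustee"
    } elseif ($allow.Count -eq 0) {
        # Can be legitimate when the GPO is security-filtered to another group.
        $result.Status = 'NO-READ'; $result.Detail = "No Allow Read for $Trustee"
    }
    return $result
}

# Only {GUID} folders are GPOs; this skips e.g. a PolicyDefinitions central store.
Get-ChildItem -Path $PoliciesRoot |
    Where-Object { $_.PSIsContainer -and $_.Name -like '{*}' } |
    ForEach-Object { Test-GptIniAcl -GpoFolder $_.FullName } |
    Select-Object Gpo, Status, Detail |
    Format-Table -AutoSize
```

Running it on each DC and comparing the tables also shows whether the two replicas of SYSVOL carry the same ACLs.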
  • The clients have their preferred DNS set to the DCs. 

    I don't think it's a permissions problem, because the issue happens on XP machines no matter who is logged in (admin or user), and it doesn't happen on win7.  The problem happens with ALL GPOs run on XP machines.

    Here are the command results for one of the GPOs:

    C:\Windows\system32>cacls c:\windows\sysvol\sysvol\domain.local\policies\{7028387B
    c:\windows\sysvol\sysvol\domain.local\policies\{7028387B-FBF7-4B0A-B4A6-DB001EE7A178}\GPT.INI
                domain\Domain Admins:(ID)F
                domain\Enterprise Admins:(ID)F
                NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(ID)R
                NT AUTHORITY\Authenticated Users:(ID)R
                NT AUTHORITY\SYSTEM:(ID)F
                BUILTIN\Administrators:(ID)F

    When I browse, I don't get "access denied."  I get the reparse point buffer error above.

    I'll be looking into the SMB signing today.

    Thanks,

    Candi

    Monday, March 19, 2012 5:26 PM
  • Hi,

    Please also refer to the following Microsoft KB article to change the Network security: LAN Manager authentication level and SMB signing.

    Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
    http://support.microsoft.com/kb/823659

    Regards,


    Arthur Li

    TechNet Community Support

    Friday, March 23, 2012 6:12 AM
  • Everything seems to be set up properly.  Here's something interesting:  I came in this morning, and GPO had processed on my virtual XP machine.  I logged in as a test user and all drives mapped, etc.  I went to another XP machine and logged in as the same user - no GPO.  I looked at their SMB signing settings and they are exactly the same.  I have no idea why this started working for this particular virtual PC today.  The userenv errors were there from a few days ago.  As far as I can tell, nothing has changed on the network, besides maybe a few server updates and a reboot.

    What could cause such an intermittent error?  I don't know where to look.

    Any help would be greatly appreciated,

    Candi


    Monday, March 26, 2012 10:18 PM
  • I wonder if anyone has anything new to suggest?  I'm at the end of my rope!
    Thursday, April 12, 2012 8:58 PM