Access denied for some clients when trying to access domain/SYSVOL

    Question

  • I have been having ongoing issues with some of our Server 2012 GPOs not running on select clients.  On some Windows 7 and 10 clients gpupdate /force completes successfully and on those same clients I have no problem browsing the domain.local/SYSVOL directory.

    However, on other Windows clients, for no apparent reason, gpupdate /force does not complete successfully with Access Denied errors in the event log (see below) and I am also unable to browse the domain.local/SYSVOL directory on those clients.  I get a login prompt where I enter my admin credentials only to get Access Denied.

    I have discovered the following errors in the event viewer for the Windows clients experiencing issues:

    System Log:

    Event ID: 1096

    Source: Group Policy

    The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=User,cn={AA17D8F7-361E-4DD5-A4A3-1E5B7B75F67E},cn=policies,cn=system,DC=dermoffice,DC=local. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

    Details:

    ErrorCode 5
    ErrorDescription Access is denied.
    DCName \\DERMSERVER.dermoffice.local
    GPOCNName LDAP://CN=User,cn={AA17D8F7-361E-4DD5-A4A3-1E5B7B75F67E},cn=policies,cn=system,DC=dermoffice,DC=local
    FilePath

    \\dermoffice.local\SysVol\dermoffice.local\Policies\{AA17D8F7-361E-4DD5-A4A3-1E5B7B75F67E}\User\registry.pol

    In the Application log I see this error pop up a few times (for 4 different policies):

    Event ID:  1001

    Source:  SceCli

    Security policy cannot be propagated. Cannot access the template. Error code = 3.
    \\dermoffice.local\sysvol\dermoffice.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

    Details:

    Cannot access the template. Error code = 3. \\dermoffice.local\sysvol\dermoffice.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.

    As well as this error ......

    Event ID: 8194

    Source: Group Policy Registry

    The client-side extension could not apply user policy settings for 'ScreenSaver Timeout {AA17D8F7-361E-4DD5-A4A3-1E5B7B75F67E}' because it failed with error code '0x80070005 Access is denied.' See trace file for more details.

    I am at a total loss as to why these clients, which had no problems at one point, are now having permission issues.  As for browsing SYSVOL from the Windows clients, it doesn't matter if I use FQDN\SYSVOL or DC\SYSVOL or domain.local\SYSVOL. I get a login prompt and Access Denied for all.

    Any thoughts?

    Thanks!

    Monday, June 18, 2018 16:54

All replies

  • port blocking? tombstoned clients? corrupted profile? take your pick brochacho.
    Monday, June 18, 2018 17:16
  • trying to gpupdate from a local account?
    Monday, June 18, 2018 17:17
  • There is no firewall on the clients that I'm testing.  I've tried removing and readding them to the domain.  I am logged on to the domain on the client with my admin ID.

    From the logs, it looks like some of the GPOs were applied successfully and the error message is related to the ones that did not complete successfully.  I traced the GUID back to two GPOs, one that uses a script (the script works fine when I test it on the client computers manually) and the other makes a registry change, I believe.


    • Edited by fkruse Tuesday, June 19, 2018 16:13
    Tuesday, June 19, 2018 16:12
  • I get a login prompt and Access Denied for all.

    might want to check on your domain health.

    Tuesday, June 19, 2018 16:32
  • I have only one domain controller.  I have run "dcdiag" and I see no errors and of course, there are the clients that don't have problems.  What else can I check? 

    Thanks!



    • Edited by fkruse Tuesday, June 19, 2018 16:51
    Tuesday, June 19, 2018 16:50
  • fresh install on a throwaway machine and test.

    if fresh install still errors -> points to DC -> no error -> points to your clients.

    Tuesday, June 19, 2018 16:54
  • Do you mean a fresh client install or server install?

    Tuesday, June 19, 2018 16:56
  • I just noticed something that may be important.  It appears that "gpupdate" has no problems on the Windows 10 clients and seems to fail on all of the Windows 7 clients.  I didn't have this problem before and I don't remember changing any of the GPOs.
    • Edited by fkruse Tuesday, June 19, 2018 17:04
    Tuesday, June 19, 2018 17:04
  • client
    Tuesday, June 19, 2018 17:12
  • It appears that only the Windows 7 clients are having problems accessing "\\domain server\SYSVOL", the Windows 10 clients can all access SYSVOL and run "gpupdate" without any problems.  Any thoughts on why this would be happening?
    • Edited by fkruse Tuesday, June 19, 2018 17:26
    Tuesday, June 19, 2018 17:26
  • I just did a fresh Windows 7 Pro install and added the computer to the domain and I'm still having the same problem.  I get a login prompt when I try to browse "\\domain.local\SYSVOL" and when I try to log in using my admin credential I get "Access is denied".  I can access all shared folders except the SYSVOL and NETLOGON folders.
    • Edited by fkruse Tuesday, June 19, 2018 18:26
    Tuesday, June 19, 2018 18:26
  • Are you able to access NETLOGON or SYSVOL if you remove the following security patch? KB4284842 
    Thursday, July 12, 2018 18:29