IGrouppolicyobject new method doubt

    Question

  • Hi..

    I am trying to create a GPO programmatically across forest using IGrouppolicyobject.

    For New method of IGrouppolicyobject:

    For 1st argument: Am passing LDAP://dcname/DC=domain,DC=com

    2nd argument: gpoName

    3rd argument: GPO_OPEN_READ_ONLY

    And before creating igrouppolicyobject interface's object, am impersonating (using LogonUser windows function) as the domain admin on which the gpo is getting created. And impersonation is successful.

    But am getting:

    Access is denied. - Error Code : 80070005

    when trying to create gpo using New method of IGrouppolicyobject.

    But am able to open the already existing gpo using OpenDSGPO method of IGrouppolicyobject successfully.

    Kindly guide me.

    Sunday, August 21, 2016 10:12 AM

Answers

  • Hi Routine,

    Thanks for your post.

    Access is denied. - Error Code : 80070005

    >>>Based on my experience, this may be caused by permissions.

    And before creating igrouppolicyobject interface's object, am impersonating (using LogonUser windows function) as the domain admin on which the gpo is getting created. And impersonation is successful.

    >>>Have you impersonated as domain admins with a specific user (like administrator or a member of the domain admins group) rather than the domain admins group?

    In addition, you could achieve your goal by PowerShell.

    Group Policy Cmdlets in Windows PowerShell

    https://technet.microsoft.com/en-us/library/ee461027.aspx?f=255&MSPPError=-2147217396

    Enable and configure Windows PowerShell Remoting using Group Policy

    http://blog.powershell.no/2010/03/04/enable-and-configure-windows-powershell-remoting-using-group-policy/

    For a suitable answer, I suggest you post your problem on the MSDN forum below.

    https://social.msdn.microsoft.com/Forums/en-US/home

    Best Regards,

    Jay



    Monday, August 22, 2016 7:49 AM
    Moderator
  • Finally found the answer.

    It seems IGrouppolicyobject's New method is mistakenly reverting the impersonation done in the calling thread. That is why the impersonation is not taking place. So I created a new process with the required credentials to accomplish my task.

    Reference: https://shellexecute.wordpress.com/2008/11/18/igrouppolicyobjectnew-will-fail-if-thread-is-impersonating-or-identity-or-delegation/

    • Marked as answer by Routine User Tuesday, July 18, 2017 10:46 AM
    Tuesday, July 18, 2017 10:46 AM
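
The workaround from the marked answer, as an added example (not code from the thread): instead of impersonating on the calling thread, start a separate process under the administrator's credentials and create the GPO there. It uses the Group Policy cmdlets the moderator pointed to in place of a direct IGroupPolicyObject New call, and assumes the GroupPolicy module is installed; every parameter value is supplied by the caller.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (GPMC/RSAT).
# All parameter values are supplied by the caller; none come from the original post.
param(
    [Parameter(Mandatory)] [string] $GpoName,
    [Parameter(Mandatory)] [string] $Domain,        # DNS name of the target domain
    [Parameter(Mandatory)] [string] $Server,        # domain controller to write to
    [Parameter(Mandatory)] [pscredential] $Credential
)

# Double any single quotes so a value is safe inside a single-quoted literal.
function ConvertTo-Literal([string] $Value) { "'" + $Value.Replace("'", "''") + "'" }

# Script for the child process. It runs under the child's primary token, so there
# is no thread-level impersonation for the GPO creation call to lose.
$childScript = @"
try {
    Import-Module GroupPolicy -ErrorAction Stop
    New-GPO -Name $(ConvertTo-Literal $GpoName) -Domain $(ConvertTo-Literal $Domain) -Server $(ConvertTo-Literal $Server) -ErrorAction Stop | Out-Null
    exit 0
} catch {
    exit 1
}
"@

# -EncodedCommand expects Base64 of the UTF-16LE script text; this avoids
# command-line quoting problems with the GPO name.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($childScript))

# The working directory must be readable by the target account.
$proc = Start-Process -FilePath "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -ArgumentList '-NoProfile', '-NonInteractive', '-EncodedCommand', $encoded `
    -Credential $Credential -WorkingDirectory $env:SystemRoot -PassThru

$null = $proc.Handle        # cache the handle so ExitCode stays readable after exit
$proc.WaitForExit()

if ($proc.ExitCode -ne 0) {
    throw "GPO creation failed in the child process (exit code $($proc.ExitCode))."
}
"Created GPO '$GpoName' in $Domain as $($Credential.UserName)"
```

Start-Process with -Credential depends on the Secondary Logon service, and the account must be allowed to log on interactively on the machine running the script.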
