none
Failed to open the Group Policy Object. Details: Network Access Denied

    Question

  • We are in the process of migrating users and computer from Domain A into Domain B. There is a 2-way trust but I don't think that comes into play here. My current Win7 workstation located in Domain A can access GPOs in Domain A for which I have been given access. No issues here. I received a new workstation that I staged in Domain B and could not edit GPOs in Domain A even though I performed a runas /user:domainA\admin "%systemroot\system32\mmc.exe %systemroot%\system32\gpmc.msc". I tried even adding switches /noprofile /netonly to no avail. So, I staged a VM running on my original Win7 workstation running Windows 10 and joining that VM to Domain A (thinking the machine needs to be located in the source domain). Same issue i.e., Group Policy Error "Failed to open the Group Policy Object. You might not have the appropriate rights.  Details:Network Access Denied"

    The reason I need to get another machine (other than my Win 7) working is that I need to migrate my current Win7 machine to the target domain but I am afraid I will lose the ability to edit GPOs.  I checked other posts (e.g., https://social.technet.microsoft.com/Forums/windowsserver/en-US/2f45750e-a15f-4ba6-9738-4cac524d93be/failed-to-open-the-group-policy-object-you-may-not-have-the-appropriate-rights-network-access-is?forum=winserverDS ) but it does not apply to my situation.

    Please help with suggestions on what may be the issue. It is not a perm issue as I am using the same admin account in Domain A and it works just great on my Win7 machine.

    Wednesday, November 02, 2016 3:22 PM

All replies

  • > Group Policy Object. You might not have the appropriate rights.
    > Details:Network Access Denied"
     
    Can you access the sysvol share in your domain A? What kind of network
    connection is in place between A and B?
     
    Wednesday, November 02, 2016 3:41 PM
  • The two domains are on the same network. All of my workstations (Current laptop Win7, Desktop Win10 joined to Domain B , and Windows 10 VM running on my laptop) are on the same subnet. On the Windows 10 VM, I can access the SYSVOL. I can even drill down into one of the GPOs in question, \\domainA\SYSVOL\domainA\Policies\GUID.  Again, I know it says perm issue but I am using the same account, e.g., admUser-DomainA.

    On Win7 laptop, I use runas with admUser-Domain A and all is good.

    On Windows 10 desktop, I use the same runas...no good.

    On Windows 10 VM running on the above laptop, using runas as above...no good.

    Wednesday, November 02, 2016 5:33 PM
  • > On Windows 10 desktop, I use the same runas...no good.
    > On Windows 10 VM running on the above laptop, using runas as above...no
    > good.
     
    Might be an issue with UNC hardening which was introduced with MS15-xyz
    and is enabled in W10 by default?!? Hard to guess...
     
    Wednesday, November 02, 2016 6:00 PM
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, November 08, 2016 9:36 AM
    Moderator
  • Please go ahead and close the case.  The situation was resolved without any changes on my part. I wish I could have a better explanation but go ahead and consider this request closed.
    Tuesday, November 08, 2016 12:24 PM
  • Hi,

    Thanks for sharing your current progress.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 09, 2016 2:11 AM
    Moderator
  • Mind sharing what changes you made for the rest of us?
    Friday, November 11, 2016 2:38 PM
  • I wish I could but I made no changes and it was suddenly working.
    Friday, November 11, 2016 4:31 PM