DirectAccess setup fails when configuring GPOs

  • Question

  • Hi all

    One of my customers has an issue with setting up DirectAccess.  The error (when run from PowerShell) is shown below...

    VERBOSE: Retrieving server GPO details...
    VERBOSE: Clearing existing stale configuration settings. This might take a few minutes... 
    VERBOSE: Checking the specified adapters...
    VERBOSE: Deploying the Remote Access server behind NAT...
    VERBOSE: Checking the network location server certificate...
    VERBOSE: Checking the network location server URL...
    VERBOSE: Checking the specified adapters...
    VERBOSE: Checking for a native IPv6 deployment...
    VERBOSE: Verifying the IP-HTTPS certificate...
    VERBOSE:  Deploying DirectAccess with two network adapters (External adapter: Ethernet 2, Internal adapter: Ethernet)...
     ISATAP is used in the internal network.
    VERBOSE: Retrieving internal network DNS settings...
    VERBOSE: Verifying the GPO to write settings...
    VERBOSE: Checking GPO edit permissions...
    VERBOSE: Creating GPO link if not present...
    Install-RemoteAccess : You do not have the required permissions to edit the GPO DirectAccess Server Settings in domain contoso.com.
    At line:1 char:1
    + Install-RemoteAccess -NoPrerequisite -Force -PassThru -ServerGpoName 'contoso.com ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (contoso.com\DirectAccess Server Settings:root/Microsoft/...PS_RemoteAccess) [Install-RemoteAccess], Ci
       mException
        + FullyQualifiedErrorId : REMOTEACCESS 116,Install-RemoteAccess
     
    Install-RemoteAccess : Access is denied.
    At line:1 char:1
    + Install-RemoteAccess -NoPrerequisite -Force -PassThru -ServerGpoName 'contoso.com ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : PermissionDenied: (PS_RemoteAccess:root/Microsoft/...PS_RemoteAccess) [Install-RemoteAccess], CimException
        + FullyQualifiedErrorId : HRESULT 80070005,Install-RemoteAccess

    For this setup we pre-created the GPO objects because we use Advanced Group Policy Management (AGPM) and have removed the ability for Domain Admins to create new GPOs outside of AGPM.

    The error if run from the Wizard is "You do not have the required permissions to edit the GPO DirectAccess Server Settings".  The account that I run setup with definitely has the required permissions to edit the GPO.

    When I put Wireshark on the target server for the DirectAccess setup, I can see it launch an LDAP query for the nTSecurityDescriptor attribute for the DirectAccess Server Settings GPO just before the failure.  So basically, the setup seems to grab the ACL associated with the GPO, run some kind of validation against it and then detect that some required permissions are not set on the GPO.  I have no idea what permissions the setup determines to be missing.

    Any thoughts on how to troubleshoot this further?  For example, is there any way to configure debug logging on the setup?

    Thanks


    Tony www.open-a-socket.com

    Thursday, August 18, 2016 8:26 PM

All replies

  • Hi Tony

    Had a similar issue a few years ago. Have you removed Authenticated Users at all? If so, add it back in but give Read GPO ONLY and deselect Apply. The other thing I remember is that the user must be a local admin on the DA server and also run the console as an administrator. The DAAdmin must have Edit settings, delete, and modify security permissions on the GPO (client and server).

    Kr

    John

    Wednesday, April 26, 2017 11:52 AM
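
The delegation checks suggested in the reply above can be scripted and compared across both GPOs. This is an added example, not part of the thread and not Microsoft's setup logic; the function names, the client GPO name and the use of `DAAdmin` as the trustee are assumptions, and it only reports permissions granted directly to the named trustee, not those inherited through group membership.

```powershell
# Added example: report the delegation on pre-created DirectAccess GPOs.
# Needs the GroupPolicy module (GPMC/RSAT). Function names are hypothetical.
Import-Module GroupPolicy

function Test-Elevated {
    # True only when the current token is an elevated local administrator.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DaGpoDelegation {
    param(
        [Parameter(Mandatory = $true)] [string] $Domain,
        [Parameter(Mandatory = $true)] [string] $Trustee,   # account or group name
        # Server GPO name is from the error above; client GPO name is assumed.
        [string[]] $GpoName = @('DirectAccess Server Settings',
                                'DirectAccess Client Settings')
    )
    foreach ($name in $GpoName) {
        $acl = Get-GPPermission -Name $name -DomainName $Domain -All -ErrorAction Stop

        # Authenticated Users is matched by its well-known SID, not its display name.
        $auth  = $acl | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }
        $admin = $acl | Where-Object { $_.Trustee.Name -eq $Trustee }

        $authPerm  = if ($auth)  { ($auth  | ForEach-Object { $_.Permission }) -join ',' } else { 'Missing' }
        $adminPerm = if ($admin) { ($admin | ForEach-Object { $_.Permission }) -join ',' } else { 'Missing' }

        [pscustomobject]@{
            Gpo                = $name
            AuthenticatedUsers = $authPerm
            AuthUsersReadOnly  = ($authPerm -eq 'GpoRead')   # read without apply
            Trustee            = $Trustee
            TrusteePermission  = $adminPerm
            TrusteeCanEdit     = ($adminPerm -eq 'GpoEditDeleteModifySecurity')
        }
    }
}

# Run on the DirectAccess server, in the same session that will run setup.
"Elevated local admin: $(Test-Elevated)"
Test-DaGpoDelegation -Domain 'contoso.com' -Trustee 'DAAdmin' | Format-Table -AutoSize
```

A value of `Missing` for Authenticated Users, or anything other than `GpoEditDeleteModifySecurity` for the trustee, points at the delegation entries the reply above describes.
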
  • Hi Tony, did you find a fix for this? I am also facing the same issues.
    Saturday, July 1, 2017 9:35 AM
  • Have you tried with domain admin credentials? Did you manually edit the GPO in ANY way (even permissions) - if so, don't, it's not supported.

    In addition, what's the domain/forest functional level? It should at least be 2008.

    Thursday, July 20, 2017 10:11 AM