none
Advance Group Policy Management issue

    Question

  • We are running Windows Server 2012 R2 64 bit..  AGPM is version 4.2.22 after installing MS 16-072 KB3159398 and  MS 16-075 KB3161561 AGPM stopped working I can no longer get to change control folder.  AGPM service will not run.  I have removed these patches and Policies seem to be set correctly, however.  I cannot get to change control. When I try to open folder I get a MMC cannot initialize snappin.  Also log file has a config  error Failed to initialize Program files\Microsoft\AGPM\Server\AGPM.exe.config line 3 ...configuration schema error
     Also in an effort to fix issue I ran the following:

    Get-GPO -All | Set-GPPermissions -TargetType Group -TargetName "Domain Computers" -PermissionLevel GpoRead

    I get an Expection from HResult:0x80070005(E_ACCESSDENIED)

    Upon further research I have found that on my Domain Controller policy guid the icacls is showing duplicate and different values for I have

     for 3 users with different permissions and on my member server policy guid I have one user with different permissions how do I remove the incorrect icacls


    Thursday, August 11, 2016 11:58 AM

All replies

  • Hi,

    Did you try the following resolution?

    https://support.microsoft.com/en-us/kb/826282

    FrenchITGuy.com

    Thursday, August 11, 2016 12:05 PM
  • yes didn't help. Thanks!
    Thursday, August 11, 2016 7:44 PM
  • Hi,
    Regarding AGPM issue relating to MS 16-072, you could change the permissions for all managed GPO’s and add Authenticated Users Read permission. Here is a blog regarding AGPM issue relating to MS 16-072, the suggested steps are quoted as below:
    1.Re-import all Group Policy Objects (GPOs) from production into the AGPM database. This will ensure the latest copy of production GPO’s.
    2.Add either “Authenticated Users” or “Domain Computers” the READ permission using the Production Delegation Tab by selecting the security principal, granting the “READ” role then clicking “OK”
    3.Grant the selected security principal the “Read” role.
    4.Delegation tab depicting Authenticated Users having the READ permissions.
    5.Select and Deploy GPOs again. To modify permissions on multiple AGPM-managed GPOs, use shift+click or ctrl+click to select multiple GPO’s at a time then deploy them in a single operation. CTRL_A does not select all policies.
    Here is the blog link, please refer to for more details: https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, August 15, 2016 5:51 AM
    Moderator
  • I have done all of the above, however AGPM service will not start. I get an error stating..cannot start service some services stop automatically if they are not in use by other service or programs....

    In the event log Configuration error

    Program\files\Microsoft\AGPM\Server\AGPM.exe config line 3 configuration schema Error?

    When you try to open up change control  you get a MMC error cannot initialize snap in.

    Error Text CoCreateInstance of the client remoting object failed HResult 0X0000000080040154 Class not Registered

    Monday, August 15, 2016 2:54 PM
  • Hi,
    Regarding this error, please check a similar thread as below and have a try Jesse’s reply to see if it works for you:
    Cannot get AGPM 4 SP3 Client to connect to server
    https://social.technet.microsoft.com/Forums/en-US/0df72570-9835-4913-b08c-175ee67ca907/cannot-get-agpm-4-sp3-client-to-connect-to-server?forum=mdopagpm
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, August 17, 2016 8:31 AM
    Moderator
  • Did this still no luck
    Wednesday, August 17, 2016 8:12 PM
  • No luck
    Wednesday, August 17, 2016 8:12 PM
  • I have removed AGPM and tried to re-install...

    As it tries to load AGPM Service ...system fails ....

    In event log it says AGPM Server Error 1920 Service Failed to start make sure yo have sufficient Privilege to start system service...I am system admin.....how could I verify this?

     Service cannot be started. System.TypeInitializationException: The type initializer for 'System.ServiceModel.DiagnosticUtility' threw an exception. ---> System.Configuration.ConfigurationErrorsException: Configuration system failed to initialize ---> System.Configuration.ConfigurationErrorsException: Unrecognized configuration section runtime. (C:\Program Files\Microsoft\AGPM\Server\Agpm.exe.Config line 3)
       at System.Configuration.ConfigurationSchemaErrors.ThrowIfErrors(Boolean ignoreLocal)
       at System.Configuration.BaseConfigurationRecord.ThrowIfInitErrors()
       at System.Configuration.ClientConfigurationSystem.EnsureInit(String configKey)
       --- End of inner exception stack trace ---
       at System.Configuration.ClientConfigurationSystem.EnsureInit(String configKey)
       at System.Configuration.ClientConfigurationSystem.PrepareClientConfigSystem(String sectionName)
       at System.Configuration.ClientConfigurationSystem.System.Configuration.Internal.IInternalConfigSystem.GetSection(String sectionName)
       at System.Configuration...               I really need for AGPM working any other Ideas.

    Wednesday, August 17, 2016 8:20 PM
  • Hi,
    Please have a try the account that is a member of the Domain Admins group
    Regarding to install AGPM, you could follow the article as below to have a try step by step, it included the requested account permission and anything others which need to be taken care.
    Step-by-Step Guide for Microsoft Advanced Group Policy Management 2.5
    https://technet.microsoft.com/en-us/itpro/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-25
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 22, 2016 1:54 AM
    Moderator
  • Still cannot install.  issue msiinstaller Event ID 1033..error status 1603 also event ID 11920 service failed to start insufficient priv... I have done a whoami...and I have Full privil. 

    I have removed all old folders.(From older version of AGPM.   I believe I have uninstall all old AGPM files and registry. I have tried to reinstall AGPM 4.0 SP2 and also AGPM 4.0 SP3. I get the same error.    I am not sure what to due other than stop using product, which I don't want to do. Any other advice would be greatly appreciated.

    Wednesday, August 24, 2016 9:08 PM
  • Did you ever find a resolution to this? I'm running into the same error on Server 2016.

    Dave Bradley

    Friday, March 23, 2018 8:54 PM
  • Hi,

    Create a new account and provide domain admin rights to the account and try to install/Start the service and post your findings.

    Thanks

    Syed


    Dont forget to mark as Answered if you found this post helpful.

    Saturday, March 24, 2018 1:56 AM