Group Policy Results wizard Access Denied - which GPO settings stop this?

    Question

  • Greetings,

        We recently applied about 300 computer security settings to implement "best practice" for security hardening. One area that causes grief is that I cannot run the Group Policy Results wizard from the GPMC against machines that have those settings. I can run it fine on those machines that don't have the settings. I am a domain admin.

       I have looked through the 300-odd settings and cannot spot anything obvious that would stop RSOP from the GPMC. I know it's not the firewall as we all run the same third-party firewall. So does anyone have any clue on which GPO settings would break RSOP from the GPMC?

    Thanks

    David Z

    Monday, July 27, 2015 1:38 AM

Answers

  • I then removed the group policy with the security settings and I still could not rsop (after restarting of course). I then ran secedit with defltbase.inf and restarted and I could RSOP! So it was a tattoo setting that did it.
    Tuesday, July 28, 2015 10:05 PM

All replies

  • > grief is that I cannot run the Group Policy Results wizard from the GPMC
    > against machines that have those settings. I can run it fine on those
    > machines that don't have the settings. I am a domain admin.
     
    Check "Access this computer from the network"
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, July 27, 2015 12:30 PM
  • Hi,

    Could you please confirm the OS version? Can you run RSOP locally? Could you access those computers from the network (RDP/file share access)? I know you have said that it's not the firewall, but let's double check :) .

    Please use the below link to check DCOM permission on those machines. 

    http://msdn.microsoft.com/en-us/library/aa393266(VS.85).aspx  

     

    If the OS version on the problematic PC is XP, you can also refer to the following link:

     

    http://support.microsoft.com/kb/840634/en-us  

     

    If the issue persists, please help gather the following information for further research:

     

    Event log on DC

    ==============

    1. Click "Start", click “Run”, input "eventvwr" and press Enter.

    2. Expand the "Windows Logs" node on the left pane, right-click on "Application" and click "Save All Events As"; in the pop-up window, click to choose the Desktop icon on the left frame, input "app" in the "File name" blank, and then click save.

    3. Right click on "System", with the same method, save it as "sys".

    4. Locate the two saved log files on the Desktop and send them to us.

    Please upload these details to skydrive or google share drive and share the link, will revert asap.


    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Monday, July 27, 2015 1:31 PM
  • access this computer from the network is BUILTIN\Administrators of which I am a member.
    Monday, July 27, 2015 9:27 PM
  • Thanks. The target machine is running Win7 SP1. I have no access to it and therefore cannot run RSOP locally. Cannot access c$ either. Or event viewer. DCOM permissions have not changed.

    I am in an environment where I cannot upload to google share drive or dropbox or anything.

    Cheers

    David Z

    Monday, July 27, 2015 9:31 PM
  • > access this computer from the network is BUILTIN\Administrators of which
    > I am a member.
     
    I forgot - there's "deny access to this computer from the network", too :)
     

    Greetings/Grüße, Martin

    Tuesday, July 28, 2015 7:38 AM
  • Hi Dave,

    Please correct me if I am wrong: you are a domain admin and you cannot access those machines from the network (RDP/file share access), and you cannot log in locally (to the domain) to the computer as you do not have access to those machines?

    If possible, could you please check in local users & groups on those computers and see if domain admin is removed from the administrators group.

    This seems to be an access issue.  



    Tuesday, July 28, 2015 10:30 AM
    I've managed to get a physical machine I have access to.

    So I did the following tests:

    1. No security settings - RSOP works fine

    2. Applied security settings - RSOP tells me access denied.

    I can remote in using the event viewer and I have verified that domain admins is a member of the local administrators group. I have also verified that I have full control over the computer object.

    So it's an obscure setting - maybe registry access?

    Tuesday, July 28, 2015 9:35 PM
  • I then removed the group policy with the security settings and I still could not rsop (after restarting of course). I then ran secedit with defltbase.inf and restarted and I could RSOP! So it was a tattoo setting that did it.
    Tuesday, July 28, 2015 10:05 PM
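
An added example, not part of the thread: a PowerShell check for the two user rights named in the replies ("Access this computer from the network" and "Deny access to this computer from the network"). It reads the machine's local effective policy with `secedit /export`, so it still shows a value that stays behind after the GPO is removed. It assumes an elevated session on the affected machine; the temp file name is arbitrary, and the interactive logon token it compares against is only an approximation of the token a remote connection would get.

```powershell
# Added example: inspect the two network logon rights on the local machine.
# Run elevated. A deny entry takes precedence over an allow entry.

$cfg = Join-Path $env:TEMP 'user-rights.inf'        # arbitrary temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# SIDs carried by the current logon token (the user plus all groups).
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

# Export entries are either "*S-1-..." SIDs or plain account names.
function ConvertTo-Sid([string]$entry) {
    $v = $entry.Trim()
    if ($v.StartsWith('*')) { return $v.Substring(1) }
    try {
        $acct = [System.Security.Principal.NTAccount]$v
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $v }                            # unresolvable name, keep as-is
}

function ConvertTo-Name([string]$sid) {
    try {
        $s = [System.Security.Principal.SecurityIdentifier]$sid
        return $s.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $sid }                          # orphaned SID or plain name
}

foreach ($right in 'SeNetworkLogonRight', 'SeDenyNetworkLogonRight') {
    $line = Get-Content $cfg |
        Where-Object { $_ -match "^\s*$right\s*=" } |
        Select-Object -First 1
    if (-not $line) { "{0}: no entry in export" -f $right; continue }

    "{0}:" -f $right
    $entries = ($line -split '=', 2)[1] -split ',' | Where-Object { $_.Trim() }
    foreach ($entry in $entries) {
        $sid  = ConvertTo-Sid $entry
        $mark = if ($mySids -contains $sid) { '  <-- in your token' } else { '' }
        "    {0}{1}" -f (ConvertTo-Name $sid), $mark
    }
}

Remove-Item $cfg
```

Running it before and after unlinking the hardening GPO shows whether these two rights reverted or kept the hardened values.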