New Svr2008R2 Domain Controller fails Group Policy with Error 5 Access is denied.

  • Question

  • I've set up a new DC here running Windows Server 2008 R2, updated the domain with Adprep.exe, joined the server to the domain, and run DCPromo.exe. Replication is working, DNS is working, the SYSVOL share is accessible, but for some reason, Group Policy will not apply from this server. Whether it's logged in locally, or simulated from another PC via GPMC, it fails with: "Error 5 Access is denied".

    In the server's system event log, Event ID 1055 from GroupPolicy shows up whenever someone logs in to the console.

    Has anybody else run into this problem before? Any clue how to fix it?

     

    Tuesday, July 26, 2011 9:58 PM

All replies

  • Hi,

     

    The error message “Access Denied” can be caused by incorrect permission settings. Please refer to the following Microsoft TechNet blog for how to fix it.

     

    Group Policies and Access Denied

    http://blogs.technet.com/b/matthewms/archive/2005/10/29/413275.aspx

     

    For more information, please refer to the following Microsoft TechNet article:

     

    Event ID 1055 — Group Policy Preprocessing (Security)

    http://technet.microsoft.com/en-us/library/cc727272(v=WS.10).aspx

     

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, July 27, 2011 1:39 AM
    Moderator
  • Thanks for the response, Arthur_Li!

    It's definitely a permissions problem; the issue is _what_ permissions for "who"... I ran across those links yesterday in my search. Unfortunately, that TechNet article for Event ID 1055 doesn't have anything at all listed for Error Code: 5, and the blog entry only addresses the permissions for a specific user. My problem was with the DC not having access to read its own (and other) computer policies. The permissions for "ENTERPRISE DOMAIN CONTROLLERS" were missing from nearly all the GPOs on my domain.

    I was able to correct it using GPMC: http://support.microsoft.com/default.aspx?scid=kb;en-us;828760 so the machine policy applies correctly now, but there's still something wrong. AD DS Best Practices Analyzer is saying it cannot collect data about Group Policy Results even though I'm running it as a member of both the "Domain Admins" and "Enterprise Admins" groups.

    Here's the snippet from the DirectoryServices_EngineReport.xml containing the error messages:

    <Error>
      <Report>true</Report>
      <DataItem>Group Policy Results setting "Access this computer from the network"</DataItem>
      <Computer>the domain controller LIBRA</Computer>
      <Message>Some or all identity references could not be translated.</Message>
      <FullyQualifiedErrorId>DotNetMethodException</FullyQualifiedErrorId>
      <Exception>
        <Type>System.Security.Principal.IdentityNotMappedException</Type>
        <Message>Some or all identity references could not be translated.</Message>
      </Exception>
    </Error>
    <Error>
      <Report>true</Report>
      <DataItem>Group Policy Results setting "Enable computer and user accounts to be trusted for delegation"</DataItem>
      <Computer>the domain controller LIBRA</Computer>
      <Message>Some or all identity references could not be translated.</Message>
      <FullyQualifiedErrorId>DotNetMethodException</FullyQualifiedErrorId>
      <Exception>
        <Type>System.Security.Principal.IdentityNotMappedException</Type>
        <Message>Some or all identity references could not be translated.</Message>
      </Exception>
    </Error>
    Any ideas?
    Wednesday, July 27, 2011 3:32 PM
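
Added example (not part of the poster's message or of the linked KB article): a PowerShell audit for the condition described in the post above, GPOs that carry no permission entry for ENTERPRISE DOMAIN CONTROLLERS. It assumes the GroupPolicy module that installs with GPMC; the function name `Get-GpoMissingEdcRead` and the `-Repair` switch are hypothetical names chosen for this sketch.

```powershell
# Added example: list GPOs that have no ACL entry for ENTERPRISE DOMAIN CONTROLLERS.
# Assumes the GroupPolicy module (ships with GPMC on Windows Server 2008 R2 and later).
Import-Module GroupPolicy

# Well-known SID of ENTERPRISE DOMAIN CONTROLLERS. Matching on the SID avoids
# depending on a localized display name.
$EdcSid = 'S-1-5-9'

function Get-GpoMissingEdcRead {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumption: audit the domain of the logged-on user unless told otherwise.
        [string]$Domain = $env:USERDNSDOMAIN,
        # Hypothetical switch: grant Read where the entry is missing.
        [switch]$Repair
    )

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Enumerate every trustee on this GPO and look for the EDC entry.
        $perms = Get-GPPermissions -Guid $gpo.Id -All -Domain $Domain
        $edc   = $perms | Where-Object { $_.Trustee.Sid.Value -eq $EdcSid }
        if ($edc) { continue }   # entry present, nothing to report

        # Report the GPO so the change can be reviewed before anything is modified.
        New-Object PSObject -Property @{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            Finding     = 'No ENTERPRISE DOMAIN CONTROLLERS permission entry'
        }

        # Restore Read only when explicitly requested; honours -WhatIf.
        # The English group name is an assumption for non-localized domains.
        if ($Repair -and $PSCmdlet.ShouldProcess($gpo.DisplayName, 'Grant GpoRead to EDC')) {
            Set-GPPermissions -Guid $gpo.Id -Domain $Domain `
                -TargetName 'Enterprise Domain Controllers' -TargetType Group `
                -PermissionLevel GpoRead | Out-Null
        }
    }
}

# Report only:
Get-GpoMissingEdcRead | Sort-Object DisplayName | Format-Table DisplayName, Id -AutoSize
```

Running `Get-GpoMissingEdcRead -Repair -WhatIf` first shows which GPOs would be changed without touching their ACLs.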
  • Hi,

     

    Would you please collect the following diagnosis log files and upload them to me via network drive, such as Windows Live SkyDrive or others?

     

    Dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt

    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt (if more than one DC exists)

    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)

     

    Regards,


    Tuesday, August 2, 2011 2:54 AM
    Moderator
  • Been a while, but this is still an issue.

    Windows Live SkyDrive isn't working for me. It says "Theres a temporary problem." and I'm not sure how much I want this information posted publicly all over the internet. Any other suggestions?

    I'm pretty sure this is a problem with file replication failing. None of the stuff in the new DC's sysvol has been updated since July.

    Monday, November 7, 2011 10:37 PM
  • Funny stuff. It started replicating at 2am this morning on its own...
    Tuesday, November 8, 2011 5:21 PM