Sep 26 2020 01:31 PM
I recently started getting a Group Policy access denied exception on my Windows Server 2012 R2 domain controller. Please help!
Here is the error. It happens every time I try to change domain policy objects:
See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.
************** Exception Text **************
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.GroupPolicy.AdmTmplEditor.IGPMAdmTmplEditorCallback.ApplyChanges()
at Microsoft.GroupPolicy.AdmTmplEditor.Editor.SaveChanges()
at Microsoft.GroupPolicy.AdmTmplEditor.Editor.buttonApply_Click(Object sender, EventArgs e)
at System.Windows.Forms.Control.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ButtonBase.WndProc(Message& m)
at System.Windows.Forms.Button.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
************** Loaded Assemblies **************
mscorlib
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4240.0 built by: NET48REL1LAST_B
CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll
----------------------------------------
Microsoft.GroupPolicy.AdmTmplEditor
Assembly Version: 6.3.0.0
Win32 Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_64/Microsoft.GroupPolicy.AdmTmplEditor/v4.0_6.3.0.0__31bf3856ad364e35/Microsoft.GroupPolicy.AdmTmplEditor.dll
----------------------------------------
System
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4210.0 built by: NET48REL1LAST_B
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Windows.Forms
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4210.0 built by: NET48REL1LAST_B
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
Assembly Version: 4.0.0.0
Win32 Version: 4.8.3761.0 built by: NET48REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Configuration
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4190.0 built by: NET48REL1LAST_B
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Core
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4240.0 built by: NET48REL1LAST_B
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll
----------------------------------------
System.Xml
Assembly Version: 4.0.0.0
Win32 Version: 4.8.3761.0 built by: NET48REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
Accessibility
Assembly Version: 4.0.0.0
Win32 Version: 4.8.3761.0 built by: NET48REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Accessibility/v4.0_4.0.0.0__b03f5f7f11d50a3a/Accessibility.dll
----------------------------------------
************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.
For example:
<configuration>
<system.windows.forms jitDebugging="true" />
</configuration>
When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.
Sep 26 2020 02:03 PM
Hi @kboroumand,
Are you a member of the Group Policy Creator Owners or Domain Admins group?
Hasan Emre SATILMIŞ
Sep 26 2020 02:22 PM
Hi @kboroumand
Were any of the policies that you did not change created on this domain controller? Or were these policies created on a domain controller with a newer operating system version?
Sep 26 2020 02:27 PM
The last time I created a policy was several months ago but I used the same user and the same operating system. I only have one domain controller in this network environment. @hasanemresatilmis
Sep 26 2020 02:32 PM
Hi @kboroumand,
Could you check the configurations below?
1. ADSI Edit -> Default Naming Context -> DC=<Domain Name> -> CN=System -> CN=Policies
2. Right-click Policies and select Properties
3. Click the Security tab
4. Check your user or group permissions
Sep 28 2020 04:14 PM
Hi @hasanemresatilmis ,
Sorry for my late reply.
I checked the ADSI Edit permissions for CN=Policies. My admin user has full control of the objects listed here.
Sep 28 2020 11:55 PM
Hi @kboroumand,
Do you use antivirus software on the DC? Maybe the antivirus software is protecting the Group Policy files.
Can you create a new Group Policy?
Sep 29 2020 08:20 AM
Hi @hasanemresatilmis ,
Turning off the antivirus was the first thing I tried. I even uninstalled it to be sure, but that didn't seem to work. When I try to create a new Group Policy I get an access denied error like in the attached picture.
Sep 29 2020 11:18 AM
Hi @kboroumand,
Could you try these steps:
To create, edit and delete new GPOs
1. Active Directory Users and Computers -> <Domain Name> right-click -> Delegate Control -> Next -> Add -> Enter your user name -> Check Names -> OK -> Next
2. Select Delegate the following common tasks:
a. Manage Group Policy Links
b. Generate Resultant Set of Group Policy (Planning)
c. Generate Resultant Set of Group Policy (Logging)
3. Next -> Finish -> Log off -> Log on
4. Group Policy Management -> Group Policy Objects -> Delegation tab (right side) -> Add -> Enter your user name -> Check Names -> OK
To edit existing GPOs
Select the policy which you want to edit -> Delegation tab (right side) -> Add -> Browse for your user name
Permissions: Edit settings, delete, modify security -> OK
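The per-GPO part of the delegation above (the Delegation tab on each policy) can be audited and applied in bulk from PowerShell. This is an added example, not code from the thread or from Microsoft; it assumes the GroupPolicy RSAT module is present on the DC, and the account name 'gpo.admin' and the -Apply switch are placeholders of my own. Set-GPPermission only covers rights on individual GPOs; the right to create new GPOs (step 4 above) lives on the CN=Policies container and the SYSVOL Policies folder, which this block does not touch.

```powershell
# Added example, not from the thread. Reports which permission level one account
# holds on every GPO in the domain, then (with -Apply) raises it to
# GpoEditDeleteModifySecurity, the level the GPMC Delegation tab labels
# "Edit settings, delete, modify security". Account and domain are placeholders.
Import-Module GroupPolicy

function Get-GpoPermissionReport {
    param(
        [Parameter(Mandatory)][string]$TargetName,                 # e.g. 'gpo.admin' (placeholder)
        [ValidateSet('User','Group')][string]$TargetType = 'User',
        [string]$Domain = $env:USERDNSDOMAIN
    )
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Get-GPPermission writes an error when the trustee has no ACE on the GPO;
        # report that as 'None' instead of aborting the loop.
        $perm = Get-GPPermission -Guid $gpo.Id -Domain $Domain `
                    -TargetName $TargetName -TargetType $TargetType -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            Permission  = if ($perm) { [string]$perm.Permission } else { 'None' }
        }
    }
}

function Set-GpoEditDelegation {
    param(
        [Parameter(Mandatory)][string]$TargetName,
        [ValidateSet('User','Group')][string]$TargetType = 'User',
        [string]$Domain = $env:USERDNSDOMAIN,
        [switch]$Apply                                               # dry run unless set
    )
    $needsChange = Get-GpoPermissionReport -TargetName $TargetName -TargetType $TargetType -Domain $Domain |
                   Where-Object { $_.Permission -ne 'GpoEditDeleteModifySecurity' }
    foreach ($row in $needsChange) {
        if ($Apply) {
            Set-GPPermission -Guid $row.Id -Domain $Domain -TargetName $TargetName -TargetType $TargetType `
                -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
            "Granted GpoEditDeleteModifySecurity on '$($row.DisplayName)' to $TargetName"
        } else {
            "Would grant GpoEditDeleteModifySecurity on '$($row.DisplayName)' to $TargetName (currently $($row.Permission))"
        }
    }
}

# Usage (placeholder account): review first, then apply.
Get-GpoPermissionReport -TargetName 'gpo.admin' | Format-Table -AutoSize
Set-GpoEditDelegation   -TargetName 'gpo.admin'            # dry run
# Set-GpoEditDelegation -TargetName 'gpo.admin' -Apply     # make the change
```

Run the report before and after the change; a GPO still showing 'None' or 'GpoRead' after -Apply means the cmdlet itself was denied, which points back at the container and SYSVOL permissions rather than at the GPO.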
Sep 29 2020 12:09 PM
Hi @hasanemresatilmis ,
I followed your instructions.
Still getting this error when trying to edit group policy:
See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.
************** Exception Text **************
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.GroupPolicy.AdmTmplEditor.IGPMAdmTmplEditorCallback.ApplyChanges()
at Microsoft.GroupPolicy.AdmTmplEditor.Editor.SaveChanges()
at Microsoft.GroupPolicy.AdmTmplEditor.Editor.buttonOK_Click(Object sender, EventArgs e)
at System.Windows.Forms.Control.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ButtonBase.WndProc(Message& m)
at System.Windows.Forms.Button.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
Sep 29 2020 01:01 PM - edited Sep 29 2020 01:06 PM
Hi @kboroumand,
Did you check the security and sharing permissions on these folders?
C:\Windows\SYSVOL\Sysvol\<DomainName>\Policies
\\DomainName\SYSVOL\<DomainName>\Policies
Could you give Full Control permission on the SYSVOL folder to the user that you are logged on as?
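The NTFS and share permissions asked about above can be checked for the account that actually gets "Access is denied", rather than by reading the ACL editor by eye. This is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module on the DC, that it is run on the DC in an elevated session as the affected account (an unelevated token carries Administrators as deny-only, which this check does not see), and that the default SYSVOL share ACL is as Windows creates it. Function names are my own.

```powershell
# Added example, not from the thread. For the account running it, sums the NTFS
# ACEs that apply to its token on the SYSVOL Policies folder and on every GPO
# folder beneath it, and lists the share-level ACL of SYSVOL. Run on the DC,
# elevated, as the account that is denied. Function names are placeholders.
Import-Module ActiveDirectory

function Get-SysvolPoliciesAccess {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # Every SID in the current token: the user plus all group memberships.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    # Same folder the thread names, reached over the share rather than C:\Windows\SYSVOL.
    $root    = "\\$Domain\SYSVOL\$Domain\Policies"
    $folders = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Directory)
    $modify  = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $genericAll = 0x10000000      # GENERIC_ALL bit used by some inherited ACEs

    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        $allow = 0; $deny = 0; $matched = @()
        foreach ($ace in $acl.Access) {
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }                                   # orphaned SID, cannot apply to us
            if ($tokenSids -notcontains $sid) { continue }
            $matched += $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
            else                                     { $deny  = $deny  -bor [int]$ace.FileSystemRights }
        }
        $hasModify = (($allow -band $modify) -eq $modify) -or (($allow -band $genericAll) -ne 0)
        [pscustomobject]@{
            Folder     = $folder.Name
            MatchedAce = ($matched | Sort-Object -Unique) -join ', '
            Allowed    = [System.Security.AccessControl.FileSystemRights]$allow
            Denied     = [System.Security.AccessControl.FileSystemRights]$deny
            CanModify  = $hasModify -and (($deny -band $modify) -eq 0)
        }
    }
}

function Get-SysvolShareAccess {
    # Share permissions are evaluated on top of NTFS. By default the SYSVOL share
    # grants Administrators and Authenticated Users Full Control and Everyone Read.
    Get-SmbShareAccess -Name 'SYSVOL' | Select-Object AccountName, AccessControlType, AccessRight
}

Get-SysvolPoliciesAccess | Format-Table -AutoSize
Get-SysvolShareAccess    | Format-Table -AutoSize
```

A row with CanModify False for the Policies root explains a failure to create GPOs; a False row for one {GUID} folder explains a failure to edit that single policy, which is the case the Administrative Templates editor stack trace above describes.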
Sep 29 2020 01:11 PM
Sep 29 2020 01:41 PM
Hi @kboroumand,
You have checked everything below and the problem was not solved.
1. The user's membership of the Group Policy Creator Owners and Domain Admins groups
2. Operating system version
3. ADSI Edit permissions for CN=Policies
4. Antivirus software
5. Active Directory Users and Computers delegations for the whole domain
6. Group Policy Management delegations
7. SYSVOL folder security and sharing permissions
I am very surprised by this situation.
Finally, you can add a new user to the Domain Admins group and try to create a policy.
If that doesn't work, I wish you good luck.
Oct 05 2020 02:17 PM
Hi @hasanemresatilmis ,
Hope you are doing well.
I got a chance to work on this issue again today, and I noticed an error that you may be able to help me with. When I look at the Status tab of my GPMC, it lists 0 domain controllers with replication in progress and 0 domain controllers with replication in sync.
I will add a screenshot.
Any help would be appreciated.
Oct 05 2020 11:30 PM
Hi @kboroumand,
There is no problem here, because you have only one domain controller.
If you send me pictures of the items below for your user, I will try to help you with this problem.
1. Groups that your user is a member of
2. Operating system version
3. The user's ADSI Edit permissions for CN=Policies
4. The user's SYSVOL folder security and sharing permissions
5. The user's Active Directory Users and Computers security permissions (DomainName -> System -> Policies)
6. The user's Group Policy Management delegations
7. A specific Group Policy's Delegation tab
Oct 06 2020 12:06 PM
Hi @hasanemresatilmis ,
Thanks I appreciate your time:
1. Administrators, Domain Admins, Domain Controllers, Enterprise Admins, Group Policy Creator Owners, RDS Management Servers, Remote Desktop Users, Server Operators, Terminal Server License Servers, Windows Authorization Access Group.
2. Windows Server 2012 R2 Essentials.
3. I right-click the CN=Policies folder --> choose Properties --> then Advanced. I will send you a screenshot.
4. SYSVOL permissions, also an attached screenshot. (I crossed out the name of my admin user account.)
5. AD Policies permissions, also an attached screenshot.
6. GP delegations, also an attached screenshot. (crossed out my admin username)
7. Specific policy delegation, also attached, with the admin username crossed out.
Oct 06 2020 01:02 PM - edited Oct 06 2020 01:13 PM
Hi @kboroumand,
If your user is a member of all of these groups, there should be no problems.
Could you check the configuration below?
Active Directory Users and Computers -> System -> Right-click Policies and then Properties -> Security tab -> Permissions of Domain Admins
Active Directory Users and Computers -> System -> Policies -> Right-click a GPO and then Properties -> Security tab -> Permissions of Domain Admins
The permissions of Domain Admins must be Read, Write, Create Child Object, Delete Child Object.
Also, if these were changed, you should check the Default Domain Policy and Default Domain Controllers Policy.
Oct 06 2020 02:07 PM
Oct 06 2020 02:08 PM
Oct 07 2020 01:53 AM
Solution
Hi @kboroumand,
Read and Write permissions alone are not enough.
The permissions of Domain Admins must be Read, Write, Create Child Object, Delete Child Object.
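The ADSI Edit check suggested earlier in the thread (CN=System -> CN=Policies -> Security tab) and the accepted answer's requirement (Domain Admins must hold Read, Write, Create Child Object and Delete Child Object on that container) can both be verified, and the missing ACE added, from PowerShell. This is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module and its AD: drive on the DC, and the trustee default 'Domain Admins', the function names and the -Apply switch are placeholders of my own. The grant function is a dry run unless -Apply is given.

```powershell
# Added example, not from the thread. Reads the AD ACL of the CN=Policies
# container, sums the non-object-specific Allow/Deny ACEs for one trustee and
# reports whether the four rights from the accepted answer are all present.
# Grant-PoliciesContainerRights adds them as a single ACE (dry run unless -Apply).
Import-Module ActiveDirectory

# Read, Write, Create Child Object, Delete Child Object as the Security tab names them.
$script:RequiredRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, GenericWrite, CreateChild, DeleteChild'

function Get-PoliciesContainerPath {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    "AD:\CN=Policies,CN=System,$DomainDN"
}

function Test-PoliciesContainerRights {
    param(
        [string]$Trustee  = 'Domain Admins',            # sAMAccountName as shown in the ACL (placeholder)
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $path = Get-PoliciesContainerPath -DomainDN $DomainDN
    $acl  = Get-Acl -Path $path
    $allow = 0; $deny = 0
    foreach ($ace in $acl.Access) {
        # IdentityReference is rendered as DOMAIN\Name; match on the name part.
        if ($ace.IdentityReference.Value -notlike "*\$Trustee") { continue }
        # An ACE with ObjectType set covers one attribute or object class only;
        # the answer's requirement is about the container itself, so those are
        # left out here (conservative: the check may report Missing even when a
        # class-scoped ACE would suffice, but never the reverse).
        if ($ace.ObjectType -ne [guid]::Empty) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.ActiveDirectoryRights }
        else                                     { $deny  = $deny  -bor [int]$ace.ActiveDirectoryRights }
    }
    $required = [int]$script:RequiredRights
    $missing  = $required -band (-bnot $allow)               # a Full Control ACE covers all four
    [pscustomobject]@{
        Path    = $path
        Trustee = $Trustee
        Allowed = [System.DirectoryServices.ActiveDirectoryRights]$allow
        Missing = [System.DirectoryServices.ActiveDirectoryRights]$missing
        Denied  = [System.DirectoryServices.ActiveDirectoryRights]($deny -band $required)
        Ok      = ($missing -eq 0) -and (($deny -band $required) -eq 0)
    }
}

function Grant-PoliciesContainerRights {
    param(
        [string]$Trustee  = 'Domain Admins',
        [string]$DomainDN = (Get-ADDomain).DistinguishedName,
        [switch]$Apply
    )
    $path = Get-PoliciesContainerPath -DomainDN $DomainDN
    $sid  = (Get-ADObject -Filter "sAMAccountName -eq '$Trustee'" -Properties objectSid).objectSid
    if (-not $sid) { throw "Trustee '$Trustee' not found in the domain" }
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        $script:RequiredRights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)   # container and every GPO below it
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    if ($Apply) { Set-Acl -Path $path -AclObject $acl; "Applied Allow $($script:RequiredRights) for $Trustee on $path" }
    else        { "Dry run: would add Allow $($script:RequiredRights) for $Trustee on $path" }
}

Test-PoliciesContainerRights -Trustee 'Domain Admins' | Format-List
# Grant-PoliciesContainerRights -Trustee 'Domain Admins' -Apply    # only if Ok is False
```

Inheritance is set to All so the ACE reaches the existing groupPolicyContainer objects under CN=Policies as well, which is the second Security tab the thread asks to check. After applying, re-run the test, then retry creating a GPO in GPMC; the SYSVOL side of each GPO is a separate ACL and is not changed by this block.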