Announcement

Collapse
No announcement yet.

Access denied

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Access denied

    Hi all,

    I have a policy and it is not applied to a certain user.
    The reason is obvious:
    Because the user is filtered out (the user if member of a group that has "deny apply policy" set).



    I have checked the groups that have this applied, but it seems that the user is not part of any group in first hand. So it must be applied by group netsing.

    Now my question:
    Is there an easy way to see which group, without desecting every group?
    Desecting: Checking the member of and the members tab.

    I know it can't be done through GPMC and GPRESULT.
    [Powershell]
    Start-DayDream
    Set-Location Malibu Beach
    Get-Drink
    Lay-Back
    Start-Sleep
    ....
    Wake-Up!
    Resume-Service
    Write-Warning
    [/Powershell]

    BLOG: Therealshrimp.blogspot.com

  • #2
    Re: Access denied

    hi there, check this link. There is script that will help you to find group member ship of your users
    http://www.microsoft.com/technet/scr...4/hey0820.mspx
    I had similar problem once. Try to apply gp policy on the user directly and see what result will come. With us users group member ship was not updated to all DC's. Once the information was updated, group policy was working ok.
    Once my friend give full permission on group policy to group and test it. He had success. After that he took off full permission and leave read and apply. Group policy is working fine there. While investigating my problem. I read on one of the blog is to check group policy permission is from Active directory users and computer tempelate rather than GPMC.
    Hope these points will help you

    Comment


    • #3
      Re: Access denied

      Sorry didn't update the request with latest info:

      I see that the policy is filtered out (access denied) in the computer configuration.
      And that means that the computer object to which the policy is applied does have a "deny read" or a "deny apply group policy". Yet i have checked and dubble checked the computer membership, and the computer is only member of "Domain Computers".

      Like stated before the policy is applied (linked) to the OU that contains the computer object. The policy is applied to "Authenticated Users", only administrative personel groups have a "Deny apply policy" set. I have checked and dubble checked these groups and none of these groups contain any nested groups, nor do they contain any computer accounts.

      I have checked this again usign DSA.MSC as Ahmer suggested, but only come out with the same results as i had with GPMC.MSC. Which is logic as GPMC does the same as DSA, which is reading out the ACL's on the object.

      Ahmed, do not get me wrong, i am greatfull for any tip provided!
      So thanks for your reply, but it didn't help. Sorry.

      I am sure there iis something wrong with the ACL's applied to the object, and therefore asked the responsible team to copy the policy without keeping the ACL list.
      [Powershell]
      Start-DayDream
      Set-Location Malibu Beach
      Get-Drink
      Lay-Back
      Start-Sleep
      ....
      Wake-Up!
      Resume-Service
      Write-Warning
      [/Powershell]

      BLOG: Therealshrimp.blogspot.com

      Comment

      Working...
      X