Unable to write to netlogon or GPO logon folder


  • Unable to write to netlogon or GPO logon folder

    Hi guys.

    Long time reader, first time poster etc

    I've just stepped into the end of an SBS2008 installation and went to apply some login scripts via group policy.

    I navigate to the appropriate GPO via Group Policy Management Console, edit and then 'show files' option. From here I cannot write to the folder. Any time I try to create a new file I get the 'You need permission to perform this action' dialog box come up. The only option is Try Again or Cancel.

    I get the same problem if I try to write to the NETLOGON folder also.

    I am logged in locally to the server and the user is a member of the Administrators group.

    I have checked that the permissions on the root of sysvol are all correct and normal.

    I've tried creating a new group policy object and writing to its logon folder, same result.

    Attached are the permissions for this folder as well as the list of effective permissions on this folder for the user that I am logged in as.

    I cannot modify any permission settings, I get access denied error.

    Have spent considerable time scouring the web for any similar problems but the only things that I could find pointed to IE enhanced security, which is switched off, and UAC. I have modified the local security policy to auto elevate permissions for UAC but I don't think it's applicable for what I'm trying to do here.

    Can anyone suggest anything?
    The fact that I'm an administrator and cannot change any permissions on these directories is making me think I need to rebuild SYSVOL from scratch or something is majorly wrong.

  • #2
    Re: Unable to write to netlogon or GPO logon folder

    In the screenshot, click on the Owner tab and reclaim ownership of the file to the administrator account.

    If this does not work: I have noticed in the past, particularly in SBS2008, that it can sometimes prevent the administrator making certain changes. Try creating a new administrator account, for instance super.admin, and assigning it to the Domain Admins group, and see if this resolves your problems.


    • #3
      Re: Unable to write to netlogon or GPO logon folder

      Since this is the Sysvol folder, be VERY careful about changing ownership as AD can run into problems if it cannot access it itself.

      Not 2008 (or SBS) but this link shows a way of restoring Sysvol permissions:
      http://technet.microsoft.com/en-us/l...33(WS.10).aspx
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland



      • #4
        Re: Unable to write to netlogon or GPO logon folder

        Hi,
        Hope this one didn't come too late, and sorry for my English.

        The problem in my case was that the new Internet Explorer 7, which was installed with the update function, disabled the editing or opening from an intranet site (\\somedomain\Sysvol). It was not a security problem on the system, it was only an IE problem. I currently don't know the exact location of which button you need to press, but I totally disabled (security level very low) the security for the INTRANET (not internet) network. I think you need to figure out which button to deactivate on this security level, so DON'T DEACTIVATE THE SECURITY FOREVER!!!

        I hope this helps. Pls post your experience!!!

        Dear
        Andreas



        • #5
          Re: Unable to write to netlogon or GPO logon folder

          Originally posted by fox_hhtuml
          Hi,
          Hope this one didn't come too late, and sorry for my English.


          Dear
          Andreas
          Makes perfect sense to me. Your English is fine.



          • #6
            Re: Unable to write to netlogon or GPO logon folder

            Originally posted by fox_hhtuml
            The problem in my case was that the new Internet Explorer 7, which was installed with the update function, disabled the editing or opening from an intranet site (\\somedomain\Sysvol). It was not a security problem on the system, it was only an IE problem.
            I agree.
            The upgrade to Internet Explorer 8 (for Server 2003 in my case) possibly seems to be causing this also.

            You don't want to change the default NTFS and share permissions in the sysvol folder.
            Try first browsing to the sysvol folder locally, and see if the problem is still there when you don't use the network path.

            If that helped, then try this,
            Add the domain to the list of local intranet sites (you can use a GPO to make the configuration on all computers):
            "Internet Options" / "Security tab" / "Local Intranet zone" /
            uncheck "require https" then add: \\domain.local\* to the list.


            \Rems
            Last edited by Rems; 18th May 2009, 21:52.

            This posting is provided "AS IS" with no warranties, and confers no rights.



            • #7
              Re: Unable to write to netlogon or GPO logon folder

              Thanks for all the suggestions guys.

              I browsed to the sysvol folder locally as Rems said and I managed to get a Continue button if I want to write to it, so that will get me out of trouble. I feel pretty stupid for not trying this.

              I also tried adding the domain to the local intranet zone security but I got the same issue when browsing the other way.

              There is still something not quite right about its behaviour but at least I can map some damn networked drives

              Thanks again.



              • #8
                Re: Unable to write to netlogon or GPO logon folder

                Browse to the "C:\Windows\sysvol\sysvol\YourDomainNameHere\" folder; there should be a "scripts" folder shown as shared. Right-click on the "scripts" folder and select Properties. Then take a look at the Sharing tab. I suspect you'll find that Everyone has read-only permission to the share. You can either leave it with Everyone as read-only and add administrators with full access, or change Everyone to having full permission but then check the Security tab and have authenticated users and domain computers with read-only access...

                Hope this helps.
                ian
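
A read-only way to gather the facts this thread keeps circling (UAC elevation, share permissions on NETLOGON, NTFS permissions on the scripts folder), as an added example that is not from any poster in the thread. It assumes it is run on the domain controller, that SYSVOL sits at its default location and that the share is named NETLOGON; it changes no permissions or ownership.

```powershell
# Added example: inspection only, nothing is modified.
# Assumptions: run on the DC, default SYSVOL path, share name NETLOGON.
$domain  = $env:USERDNSDOMAIN
$scripts = Join-Path $env:SystemRoot "SYSVOL\sysvol\$domain\scripts"

# 1. Is this session elevated? With UAC on, a member of Administrators
#    holds a filtered token until the process is started elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
"User: {0}   Elevated: {1}" -f $identity.Name, $principal.IsInRole($adminRole)

# 2. Share-level ACL on NETLOGON (reading it may itself require elevation).
#    Standard share access masks: Read, Change, Full Control.
$maskNames = @{ 1179817 = 'Read'; 1245631 = 'Change'; 2032127 = 'Full Control' }
$sec = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='NETLOGON'"
if ($sec) {
    $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
    foreach ($ace in $dacl) {
        $mask  = [int]$ace.AccessMask
        $right = $maskNames[$mask]
        if (-not $right) { $right = "mask 0x{0:X}" -f $mask }
        $type = 'Allow'
        if ($ace.AceType -eq 1) { $type = 'Deny' }
        "Share ACE: {0}\{1}  {2}  {3}" -f $ace.Trustee.Domain, $ace.Trustee.Name, $type, $right
    }
} else {
    "No explicit share security descriptor returned for NETLOGON."
}

# 3. NTFS owner and ACL on the folder behind the share.
$acl = Get-Acl -Path $scripts
"Owner: {0}" -f $acl.Owner
$acl.Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 4. The same folder as reached over the network path used by GPMC 'show files'.
"Local path: {0}" -f $scripts
"UNC path:   \\{0}\NETLOGON" -f $domain
```

Access through the UNC path is limited by both the share ACL and the NTFS ACL, whichever is more restrictive, while the local path is governed by NTFS alone; comparing sections 2 and 3 shows which layer is denying the write before anyone changes ownership or permissions on SYSVOL.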
