Announcement

Collapse
No announcement yet.

GPO Fails with "access is denied" error

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • GPO Fails with "access is denied" error

    Hello,

    Working with a Windows Server 2K8 R2 domain. I have created a GPO that applies to a Win 2K8 Terminal Server. The purpose of the GPO is to change the default program in which files with extension "jpg" open with.

    The GPO looks like :

    User Configuration>Control Panel Settings>Folder Options>Open With:

    File Extension: jpg
    Associated Program: C:\Windows\System32\mspaint.exe
    Set as Default: Enabled

    Options

    Stop Processing items... NO
    Run in Logged-on user's security context YES
    Remove this item... NO
    Apply Once and do not reapply NO

    When the user logs in, the file is not reassociated and there is an event generated in the Event viewer:

    "The user 'jpg' preference item in the 'file associations {xxxxx}' Group policy object did not apply because it failed with the error code '0x80070005 Access is denied.' This error was suppressed

    I get the same error when I log in as the administrator as well as well. Anyone have any ideas what could cause this?

  • #2
    Re: GPO Fails with "access is denied" error

    That code is a standard authentication error for Windows, so something about the security of file associations on that TS box would be where to start. Are both the TS server and the user in the same OU? Are there any other settings in that Group Policy that are applying, or is this the only setting?

    Any groups appearing under security filtering of the GP? Maybe security context of the user isn't right for what amounts to a system setting? Haven't played with GP under 2008 yet, so am not sure of that one.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **

    Comment


    • #3
      Re: GPO Fails with "access is denied" error

      Thanks for the reply. No the User and TS are not in the same OU. I've tested the policy alone and adding it to another policy. When I ran the one that was attached to the other policy, only the file association part errored, the other part (which was to start a logon script) ran fine. The gpo is not being filtered out, and the setting is showing as the winning GPO setting from GP results Wizard.

      Comment


      • #4
        Re: GPO Fails with "access is denied" error

        Try changing the single setting of the GP, "Run in Logged-on user's security context YES" to NO. It may be simply that it's trying to force a system change in policy as an authenticated user, even when an admin logs in, and the system change must be under system authority.

        I've not gotten into 2008/Win7 GP settings and behavior; tech refresh of our 2003 servers requires a new test system, and management keep reassigning our priorities to other things, so the new build isn't getting done.

        Just to be sure, though, you're setting a User policy to be applied in a User GP, not a Computer GP, right? Sounds like you are, just wanted to make sure.
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA

        ** Remember: credit where credit is due, and reputation points as appropriate **

        Comment


        • #5
          Re: GPO Fails with "access is denied" error

          Ok , still working on this.

          Tried changing the setting "run in logged on user's security" to no. Makes the 0X8007005 error go away and instead shows success in the group policy results wizard. Unfortunately, the program used to open jpgs remains windows photo viewer and does not change to mspaint.

          This setting is in user configuration, but is applied to a OU which contains terminal servers, not users, because I need the setting to only apply when users log into a terminal server. Is there some other way I should do it? Just to test, I instead applied the GPO to a OU containing users, and it does in fact change the associated program, only on their local PC. When they log into the terminal server, the setting is not carried over.

          So i then looked at a computer policy that does something similar and ran into the setting at computer configuration>control panel setting>folder options>New> File type

          Action: replace
          file extension: jpg
          Associated class: JPEG Image
          Actions: Open
          Application used to perform action: c:/windows.../mspaint.exe

          setting that results in sucess in the GP results wizard, but doesn't actually change the associations.

          Have any other ideas???

          Comment


          • #6
            Re: GPO Fails with "access is denied" error

            Look into loopback processing for GPs. It allows you to set a policy locally on a PC which will apply first as part of normal policy enforcement (followed by site, domain, then OUs), and then re-apply that first policy again as a last step.

            Example: we have a domain where we enforce a 5-minute screen lockout at desktops as a default domain setting. For conference rooms or training classrooms where the person logged in may not be touching the keyboard/mouse for more than 5 minutes, we use loopback processing with a local screen lockout policy of 60 minutes. So when a desktop user logs off his desk to chair a meeting, his desktop follows him as a roaming profile, and the screen lockout in the conference is 60 minutes, but loopback is set to merge, so all other settings remain in effect.

            It may have no effect, but since this is a terminal server, you set the local policy once and try it.
            *RicklesP*
            MSCA (2003/XP), Security+, CCNA

            ** Remember: credit where credit is due, and reputation points as appropriate **

            Comment


            • #7
              Re: GPO Fails with "access is denied" error

              Yah, I definately gave loopback processing a shot earlier, it had no affect.

              After trying to set this association with gpo, registry editor, login scripts, it just won't budge. The only thing that seems to work is logging in as the user, going in to control panel>default programs>and setting mspaint.exe as the default program to open a jpg file.

              So i've just spent 4 hours manually doing just that for all the users who required it, a not quick but very dirty solution which I hope does not need to be repeated. Thanks for your help on this RicklesP.

              Comment

              Working...
              X