Microsoft KB Archive/931011

= You receive an "Access Denied" error message when a policy item is running on the client computer =

Article ID: 931011

Article Last Modified on 1/30/2007

-

APPLIES TO


 * Microsoft Desktop Optimization Pack for Software Assurance
 * PolicyMaker Registry Extension 1.0
 * PolicyMaker Registry Extension 2.0
 * PolicyMaker Share Manager 1.0
 * PolicyMaker Software Update 1.0
 * PolicyMaker Software Update 2.0
 * PolicyMaker Standard Edition 1.0
 * PolicyMaker Standard Edition 2.0
 * Profile Maker Professional 8.0
 * Profile Maker Professional 9.0

-



SYMPTOMS
In PolicyMaker, you create a policy item. You do not select the Run in logged-on user's security context check box for this policy item. When the policy item runs on the client computer, you receive an "Access Denied" error message.

You may also receive this error message when a policy item that you create in Profile Maker runs on the client computer in Administrative mode. You receive the error message if the policy item that you create does not have the In admin mode, run this item in the end-user’s security context check box selected.



CAUSE
When either scenario that is described in the "Symptoms" section occurs, the policy item runs on the client computer in the context of the Local System account. This account does not have the access permissions to network resources. Therefore, you receive an "Access Denied" error message when the policy item requires access to network resources. Typically, Drive Maps policy items and File policy items require network access. This problem also occurs when you use the Microsoft Software Installation Group Policy setting to install PolicyMaker clients.



RESOLUTION
To resolve this problem, follow these steps:
 * 1) Open the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
 * 2) Connect to the domain.
 * 3) In Active Directory Users and Computers, create a global security group.
 * 4) In the Properties dialog box for the global security group, add the client computers that require access to network resources. Add these client computers to the members of the global security group.
 * 5) On the server where the network resources reside, locate the shared folder that the client computers access.
 * 6) Right-click the folder, and then click Properties.
 * 7) Click the Sharing tab, and then click Permissions.
 * 8) In the Permissions dialog box, add the global security group that you created in step 2 to the Group or user names list.

Important: You must follow this step. You must grant NTFS file system permissions in addition to file sharing permissions.
 * 1) Assign the Read permission to this global security group, and then click OK.
 * 2) Click the Security tab, and then add the global security group that you created in step 2 to the Group or user names list.
 * 3) Assign the Read permission and the Read & Execute permission to this global security group, and then click OK.
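
The same procedure can be scripted. The PowerShell below is an added example, not part of the original Microsoft article. It assumes it is run elevated on the file server with the ActiveDirectory and SmbShare modules available, and the group, computer and share names are placeholders.

```powershell
#Requires -Modules ActiveDirectory, SmbShare
# Added example. Every name below is a placeholder (assumption), not from the article.
$GroupName = 'PM-NetShare-Readers'      # hypothetical global security group
$Computers = 'CLIENT01', 'CLIENT02'     # hypothetical client computer names
$ShareName = 'PolicyFiles'              # hypothetical share on this server
$Principal = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $GroupName

# Create the global security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security
}

# Add only the computer accounts that are not already members.
$current = @(Get-ADGroupMember -Identity $GroupName | ForEach-Object SamAccountName)
$missing = @($Computers | ForEach-Object { Get-ADComputer -Identity $_ } |
    Where-Object { $_.SamAccountName -notin $current })
if ($missing) { Add-ADGroupMember -Identity $GroupName -Members $missing }

# Share permission: Read only, granted to the group rather than to a broad principal.
$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
Grant-SmbShareAccess -Name $ShareName -AccountName $Principal `
    -AccessRight Read -Force | Out-Null

# NTFS permission: Read and Read & Execute on the shared folder, inherited by
# subfolders and files. ReadAndExecute includes the Read rights.
$acl  = Get-Acl -Path $share.Path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share.Path -AclObject $acl

# Check the result: the group should hold Read on the share and
# ReadAndExecute on the folder, and nothing broader.
Get-SmbShareAccess -Name $ShareName | Where-Object AccountName -eq $Principal
(Get-Acl -Path $share.Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Principal } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

A client computer's new group membership takes effect the next time it restarts and obtains fresh Kerberos tickets, so test the policy item after a restart.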

Keywords: kbtshoot kbexpertiseinter kbprb KB931011


© Microsoft Corporation. All rights reserved.