Access denied updating a Distribution Point

Author
jdavis375
Expert Member
  • Total Posts : 265
  • Scores: 34
  • Reward points: 26150
  • Joined: 2006/05/01 23:12:38
  • Location: Minneapolis, MN
  • Status: offline
2007/05/15 16:59:20 (permalink)
0

Access denied updating a Distribution Point

I am attempting to update the distribution points on a package. I right click the package and choose to “Update Distribution Points”. It does not update. I checked the SMS_DISTRIBUTION_MANAGER messages and I have a message that looks like:
>>>>>>>>>>>>>>> 
SMS Distribution Manager failed to access the source directory "\\server\share\app" for package "XYZ00099". The operating system reported error 5: Access is denied.
>>>>>>>>>>>>>> 
 
My site is running Advanced Security, so I have already confirmed that the site system (server name) account has permission both on the share and the NTFS permissions. I even have looked on the “effective permissions” tab and confirmed that the server account has permission. It has Full Control rights to the share/folder.
 
I know many people have had issues that caused this error. All of the solutions I found on the forum were related to giving the server account permissions. My server account already does have the permissions.
 
One more note…to check on the access denied garbage, I looked turned on auditing for both my admin account and the SMS server account. If I access the share using my admin account, I see audit messages in the log. If I update the DP, there are no entries in the log. It’s almost like the server isn’t even getting to the share.
 
Any clues? I am officially baffled.
 
Thanks in advance.
 
Jarvis
#1

12 Replies Related Threads

    skissinger
    Expert Member
    • Total Posts : 5126
    • Scores: 504
    • Reward points: 202880
    • Joined: 2001/09/13 09:11:00
    • Location: Sherry Kissinger
    • Status: offline
    RE: Access denied updating a Distribution Point 2007/05/15 18:25:18 (permalink)
    0
    one trick to see if the servername does really have access to that source using it's credentials, at the server, at a command prompt:
     
    at <1 minute into the future> /interactive "cmd.exe"   (like   at  17:23 /interactive "cmd.exe")
     
    Then, at 17:23, a command prompt will open, and it will have the credentials of the system account.  Try to view the source directory \\server\share\app for your package.  If you cannot do so, it is still permissions--somewhere, somehow.

    mofmaster@myitforum.com
    My Blog
    Microsoft MVP 2007-2015 - ConfigMgr
    #2
    mhurley
    Expert Member
    • Total Posts : 101
    • Scores: 5
    • Reward points: 6140
    • Joined: 2004/02/12 13:33:39
    • Status: offline
    RE: Access denied updating a Distribution Point 2007/05/16 08:38:47 (permalink)
    0
    We had a similar issue in the past that was specifically related to McAfee antivirus on the server running real time scan when the package was trying to decompress to the share. Even though we had exclusions in place to stop McAfee from scanning, it continued to scan and caused the block.
     
    Also, I would personnaly change the Share permissions to Everyone - Full Control and remove all other Share permissions, then use NTFS permissions to grant the machine account full rights to the share and all subfolders and files.
    #3
    jdavis375
    Expert Member
    • Total Posts : 265
    • Scores: 34
    • Reward points: 26150
    • Joined: 2006/05/01 23:12:38
    • Location: Minneapolis, MN
    • Status: offline
    RE: Access denied updating a Distribution Point 2007/05/16 13:46:20 (permalink)
    0
    First off...thanks to both of you. I have ruled out our AV as an issue. I already had Everyone FC on the share. Also, I had already done the cmd prompt as system that Sherry mentioned. When I did that, I still got access denied...even though looking at the effective permissions on the folder showed the system as having full control.
     
    Now...an update...it gets interesting. There has been one server that I can connect as the system account (interactive cmd prompt and using pushd to connect to the share). Every other server failed...I had set up temporary shares on about five other servers to test. In trying to figure out what was unique about that server it finally occurred to me that it is the only one of the bunch that the OS is Server 2003 x64 edition. So...I hunted down another x64 edition server, set up the share (identical to the way I had set it up on every other machine)...and was able to successfully connect as local system.
     
    So...all 32bit servers fail. The two x64 systems succeed. Has there been some patch in the last month that would have possibly garbled this kind of connection? Anything else anyone can think of that would fit this scenario?
     
    Jarvis
    #4
    eschloss
    Expert Member
    • Total Posts : 612
    • Scores: 27
    • Reward points: 30880
    • Joined: 2004/09/07 09:46:15
    • Location: Cincinnati
    • Status: offline
    RE: Access denied updating a Distribution Point 2007/05/16 15:02:04 (permalink)
    0
    Have you tried giving the SMS Server explicit access to the share instead of just everyone?  I have had shares where I had Everyone Read access specified, but computer accounts could not connect.  Once I added Domain Computers and gave them read access, it was fine.
    #5
    jdavis375
    Expert Member
    • Total Posts : 265
    • Scores: 34
    • Reward points: 26150
    • Joined: 2006/05/01 23:12:38
    • Location: Minneapolis, MN
    • Status: offline
    RE: Access denied updating a Distribution Point 2007/05/16 15:14:09 (permalink)
    0
    Yep...already tried that. Still didn't work.

    Thanks.

    Jarvis
    post edited by jdavis375 - 2007/05/16 16:19:53
    #6
    skissinger
    Expert Member
    • Total Posts : 5126
    • Scores: 504
    • Reward points: 202880
    • Joined: 2001/09/13 09:11:00
    • Location: Sherry Kissinger
    • Status: offline
    RE: Access denied updating a Distribution Point 2007/05/16 22:57:14 (permalink)
    0
    Just a couple things to try.  It's basically stuff I look at/redo when I'm baffled.  1) Verify that the computer accounts are in the others' local Administrators groups.  I know they don't have to be... but it's something to try (reboot the servers to make it effective).  Personally, I have an AD group which contains all of my SMS site servers' computer accounts, and then I just add that AD Group to every server's local Admin group.  2) Dcom permissions.  Never hurts to check those.  3)  a Site Reset  (never hurts)

    mofmaster@myitforum.com
    My Blog
    Microsoft MVP 2007-2015 - ConfigMgr
    #7
    phaustein
    Expert Member
    • Total Posts : 1061
    • Scores: 40
    • Reward points: 4660
    • Joined: 2005/03/21 17:42:28
    • Location: Washington, DC
    • Status: offline
    RE: Access denied updating a Distribution Point 2007/05/16 23:11:27 (permalink)
    0
    Is this the only package that is having this problem?  Just a thought, try copying the contents of the package source files to a different folder and reconfigure the package in the console to find the new source. You might also want to try creating a new package using either of the source files.  And last but not least and most people laugh at this, but try rebooting the server (if you haven't already).  One would be suprised how much good a reboot does at times.

    Hope this helps.
    Paul
    #8
    jdavis375
    Expert Member
    • Total Posts : 265
    • Scores: 34
    • Reward points: 26150
    • Joined: 2006/05/01 23:12:38
    • Location: Minneapolis, MN
    • Status: offline
    RE: Access denied updating a Distribution Point 2007/05/17 08:38:24 (permalink)
    0
    Paul...unfortunately it's all of my packages. They were all working for a couple of years...and they all stopped working recently. Because it was everything, I originally thought my DP had gone belly up. But the more I have dug into the problem, the more it looks more specific than that. It's just weird that it only seems to affect shares that are on 32bit boxes. It does not affect shares on x64 machines. Heck, I even created a share on an XP workstation to see if it could access the files...and it couldn't. It just seems that any share it tries to connect to as the machine account fails. I can use my admin account to connect to the same shares. The perms for my account vs the machine account are identical. It's just strange.
     
    Thanks,
    Jarvis
    #9
    jdavis375
    Expert Member
    • Total Posts : 265
    • Scores: 34
    • Reward points: 26150
    • Joined: 2006/05/01 23:12:38
    • Location: Minneapolis, MN
    • Status: offline
    RE: Access denied updating a Distribution Point 2007/05/17 08:38:51 (permalink)
    0
    Thanks for the ideas Sherry. Which DCOM permissions in particular should I check? The only ones I've messed with before are the ones that affect reporting points. I'm currently trying adding the SMS servers group to the local admins group...waiting on the server to reboot. I think I've tried this already to no avail, but I can't remember. If that doesn't work, I may be up for a site reset.
     
    Thanks,
    Jarvis
    #10
    skissinger
    Expert Member
    • Total Posts : 5126
    • Scores: 504
    • Reward points: 202880
    • Joined: 2001/09/13 09:11:00
    • Location: Sherry Kissinger
    • Status: offline
    RE: Access denied updating a Distribution Point 2007/05/17 08:51:45 (permalink)
    0
    The DCOM launch permissions here:  http://www.microsoft.com/technet/sms/2003/library/techfaq/tfaq02.mspx, under "Windows Server 2003 SP1".  I don't think they'll really apply for you in this particular case--it's just something I always check when something wierd is going on.

    mofmaster@myitforum.com
    My Blog
    Microsoft MVP 2007-2015 - ConfigMgr
    #11
    jdavis375
    Expert Member
    • Total Posts : 265
    • Scores: 34
    • Reward points: 26150
    • Joined: 2006/05/01 23:12:38
    • Location: Minneapolis, MN
    • Status: offline
    RE: Access denied updating a Distribution Point 2007/05/24 14:20:53 (permalink)
    5 (1)
    Just an update...got this fixed. 21 hours on the phone with Microsoft. It was a name resolution issue. I typed up and posted a full run down at the following link:
    http://www.myitforum.com/forums/m_157703/mpage_1/key_/tm.htm#157703
     
    Jarvis
    #12
    Guest
    Expert Member
    • Total Posts : 120
    • Scores: 0
    • Reward points: 0
    • Joined: 2002/06/01 05:49:42
    • Location: Orlando, FL
    • Status: online
    RE: Access denied updating a Distribution Point 2010/09/15 15:27:38 (permalink)
    0
    Thank you Couples of weeks work than I find this link to resolve the same issue with SCCM.
    Owe you a drink if you are ever in Town!
    #13
    Jump to:
    © 2018 APG vNext Commercial Version 5.5