M100858: ERROR: Can't retrieve Discretionary ACL for CN={...},CN=Policies,CN=System,DC=..., error 0x00000057

Summary

This article describes causes of and how to handle the error message "ERROR: Can't retrieve Discretionary ACL for CN={...},CN=Policies,CN=System,DC=..., error 0x00000057" that may appear in logging generated by the policy agent.

Symptoms

The following message appears in the ManageSoft Deployment Manager policy agent log when client side policy merging is performed:

ERROR: Can't retrieve Discretionary ACL for CN={...},CN=Policies,CN=System,DC=..., error 0x00000057

In ManageSoft Deployment Manager releases 7.6.4, 7.7.2 or 7.8.1 and later, the text used for this log message is:

INFORMATION: Can't read the permissions on linked GPO 'CN={...},CN=Policies,CN=System,DC=...', so it does not apply

Cause

This message indicates that the policy agent has been invoked to perform a client side policy merge using credentials that do not have full read access to the identified GPO (group policy object) in Active Directory.

It is typical for this to occur with at least one or two policies during a policy merge, as computer SYSTEM accounts and user accounts that are normally used to perform a policy merge will often not have full read access to all GPOs in Active Directory.

This message may indicate a potential problem if the policy merge operation generates a merged policy that does not contain packages that are expected to be there. If the GPO identified in the log message contains the packages that are missing from the merged policy, security settings will need to be configured on the GPO to grant read access to the account that is being used to invoke the policy agent (polmerge.exe).

Status

The logging of this message is by design, although its identification in the log as an "ERROR" when it is normal for the condition to occur can be confusing. ManageSoft Deployment Manager releases 7.6.4, 7.7.2 or 7.8.1 and later use a log message that identifies that lack of read access, but avoid describing the condition as an "ERROR".

Comments

Powered by Zendesk