This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 89%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Im receiving an "access is denied" error message on all of my replication groups when trying to run a health report:
There are no errors in the Windows server logs that help indicate any problem. The account I'm using to run the report has administrator rights on all of the file servers; I was able to recently add a new member to each replication group using the same account, no errors; the servers are all replicating fine. Any idea why I cant run these health reports?
I had earlier posted an answer that pointed to DNS record permissions as the source of this problem. Turns out that was not the case, the actual cause of the problem was that the user account was in the "Protected Users" AD security group. I don't know exactly what aspect of that group is causing the issue (NTLM authentication being blocked?), but the problem resolved once I removed our user account from that group.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi,
To make the question more clearly, please confirm the following questions:
Do you mean the user running the report was delegated administrative permission on the file servers or is a member of the local administrators group?
Did you delegate DFS-R management permission?
To create a diagnostic report, you must be a member of the local Administrators group on each server that you prepare a report for.
Best Regards,
Yes, the user account running the report has been delegated management permissions on each replication group as shown in your screenshot. The user account is also a member of Administrators on each DFSR member server.
Hi,
Try to capture a network package when try to generate the report and check if can get more details.
Check the replication status for your DCs, and make sure the permission delegation configuration was replicated to all the DCs.
Best Regards,