Can't access default group policy

Toggle sidebar Toggle sidebar
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Oy Vey!
I am unable to access the default domain policy (ddp) and
default domain controllers policy (ddcp).
We have a mirrored two-domain controller setup (with one
PDC and one BDC).
Going through Properties on the Domain Controllers OU, I
try to edit the ddcp, but receive the dreaded "Failed to
open the Group Policy Object. You may not have
appropriate rights. Details: The system cannot find the
path specified."
The Group Policy Editor MMC opens fine, so the MMC
permissions aren't the problem.
Also, under the Group Policy tab in the DC properties,
there are two "Default Domain Controllers Policy" links
shown--why is it duplicated? The GUID's are the same, but
I'm not able to alter them in any way without getting the
same error described above.
Checking the security settings for both the ddcp and ddp,
the Adminstrators group is not listed (and when I try to
add that group, I get a security warning, "Unable to save
permission changes on Default Domain Policy. The system
cannot find the path specified."
I inherited this server setup, so there aren't any system
state backups to restore the old GPO. What's my next step?
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Remove the duplicate link for the ddcp.
Is the sysvol shared out on this machine?
If you go into your sysvol share under policies do you see folders that
start with 31b adn 6AC?
" The system cannot find the path specified" would make me want to ensure
that the policy files are all present under the sysvol folder. Check
permissions there as well.
Do you have any errors in event viewer that might point you into a specific
direction?

--
James Brandt [MSFT]


"Rex Dart" <anonymous@discussions.microsoft.com> wrote in message
news:3b9001c47f11$2de8f570$a601280a@phx.gbl...
> Oy Vey!
> I am unable to access the default domain policy (ddp) and
> default domain controllers policy (ddcp).
> We have a mirrored two-domain controller setup (with one
> PDC and one BDC).
> Going through Properties on the Domain Controllers OU, I
> try to edit the ddcp, but receive the dreaded "Failed to
> open the Group Policy Object. You may not have
> appropriate rights. Details: The system cannot find the
> path specified."
> The Group Policy Editor MMC opens fine, so the MMC
> permissions aren't the problem.
> Also, under the Group Policy tab in the DC properties,
> there are two "Default Domain Controllers Policy" links
> shown--why is it duplicated? The GUID's are the same, but
> I'm not able to alter them in any way without getting the
> same error described above.
> Checking the security settings for both the ddcp and ddp,
> the Adminstrators group is not listed (and when I try to
> add that group, I get a security warning, "Unable to save
> permission changes on Default Domain Policy. The system
> cannot find the path specified."
> I inherited this server setup, so there aren't any system
> state backups to restore the old GPO. What's my next step?
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thanks for the reply, James, but I was able to fix these problems.
There were two problems plaguing the server: 1) really messed up
NTFRS (replication, where the two DC's refused to replicate to one
another; 2) the SYSVOL netlogon share wasn't being shared out by one
of the servers; and 3) group policy couldn't be accessed. What I
eventually discovered was that the RestrictAnonymous setting had been
set to 2, which wasn't allowing the servers to create a secure channel
for replication, and therefore stopped replication. In trying to fix
that problem, somebody moved the contents of the SYSVOL share to
another folder (and those contents are the group policies that need to
be replicated across the domain). Once the RestrictAnonymous setting
was changed to 1, the SYSVOL share was created, and then I had to move
the contents of that folder into the proper SYSVOL folder
(%systemfolder%/SYSVOL/sysvol/domain name/).
After that, everything is back to speed again.

<jabrandt@online.microsoft.com> wrote in message news:<OPiGLdAgEHA.3476@tk2msftngp13.phx.gbl>...
> Remove the duplicate link for the ddcp.
> Is the sysvol shared out on this machine?
> If you go into your sysvol share under policies do you see folders that
> start with 31b adn 6AC?
> " The system cannot find the path specified" would make me want to ensure
> that the policy files are all present under the sysvol folder. Check
> permissions there as well.
> Do you have any errors in event viewer that might point you into a specific
> direction?
 
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom