brikeyes

Windows cannot query for the list of group policy objects


For the past couple of days, the following error has been popping up in my Application Log on my server - . After this error is thrown, it is followed by about 1500 other errors all stating that "Windows cannot query for the list of Group Policy Objects. A message that describes the reason for this was previously logged by this Policy Engine".



The previous error is:

Windows cannot access the file gpt.ini for GPO  The file must be present at the location <>. (). Group Policy processing aborted.

Why is this happening?????
wirelessadmin

Does this go on every 5 minutes?

Did the permissions change on any of the folders?
ASKER CERTIFIED SOLUTION
wirelessadmin


ASKER

I have looked at the rights to the folders you listed here and they seem to be OK. They are not exactly as you specified, but I have compared them to a server that is identical to the one having the issue. I am sure that the rights have not changed at all.

Can you explain what the command does: secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
That worked without a reboot !!!!!!

Thanks so much !!!!!
Source: http://66.102.7.104/search?q=cache:CtGSKzuexQQJ:myitforum.techtarget.com/articles/21/view.asp%3Ftrack%3DNL-36%26ad%3D493164%26id%3D4826+secedit+/configure+/cfg+%25windir%25%5Crepair%5Csecsetup.inf+/db+secsetup.sdb+/verbose&hl=en

Secedit Parameters
• /configure - Specifies that Secedit.exe should set system security settings.
• /DB filename - Provides the path to a database that contains the security template to be applied. This is a required argument, but the database file does not have to exist if you use the /CFG switch to specify a security template.
• /CFG filename - This argument is only valid when you use it with the /DB parameter. It is the path to the security template that will be imported into the database and applied to the system. If you do not specify this argument, the template that is already stored in the database will be applied.
• /overwrite - This argument is only valid when the /CFG argument is also used. This specifies whether the security template in the /CFG argument overwrites any template or composite template that is stored in the database instead of appending the results to the stored template. If this is not specified, the template in the /CFG argument will be appended to the stored template.
• /areas AreaName1 AreaName2... - Specifies the security areas to be applied to the system. The default is "all areas." Each area must be separated by a space.

AreaNameX - Description

SECURITYPOLICY - Local policy and domain policy for the system, including account policies, audit policies, and other policies.

GROUP_MGMT - Restricted group settings for any groups that are specified in the security template.

USER_RIGHTS - User logon rights and granting of privileges.

REGKEYS - Security on local registry keys.

FILESTORE - Security on local file storage.

SERVICES - Security for all defined services.

NOTE: Each of these areas coincides with a similar name in the Security Template.

• /log logpath - You can use this switch to configure the location of the log file that tracks the changes.
• /verbose - Specifies more detailed progress information.
• /quiet - Minimize the amount of feedback that is provided during the update on the screen and in the log file.

NOTE: For online help about Secedit, click Start, click Run, type %windir%\help\secedit.chm, and then press ENTER. This help file includes invaluable information, including checklists before running SECEDIT against templates. You should seriously consider performing a full backup before running against templates, particularly if you are uncertain as to what has changed since original installations. The backup should include registry files. Items that are reset include NTFS file system files and folders, the registry, policies, services, privilege rights, and group membership.

NOTE: Security Templates Included in the %windir%\Security\Templates folder
• Compatws.inf - Relaxes the default file and registry permissions for the Users group in a manner that is consistent with the requirements of most non-certified programs. Typically the Power Users group is used to run non-certified programs. See online help for more information.
• Hisecdc.inf - A superset of securedc. Provides more restrictions on LanManager authentication and more requirements for the encryption and signing of secure channel and SMB data. To apply hisecdc to a domain controller, all of the domain controllers in all trusted or trusting domains must be running Windows 2000 or later. See online help for more information.
• Hisecws.inf - A superset of securews. Provides more restrictions on LanManager authentication and more requirements for the encryption and signing of secure channel and SMB data. To apply hisecws to a member, all domain controllers that contain accounts of all users who logon to the client must be running Microsoft Windows NT 4.0 Service Pack 4 (SP4) or later. See online help for more information.
• Rootsec.inf - Applies default root permissions to the operating system partition and propagates them to child objects that are inheriting from the root. The propagation time depends on the number of unprotected child objects. See online help for more information.
• Securedc.inf - Provides enhanced domain account policies, limits the use of LanManager authentication, and provides more restrictions on anonymous users. If a domain controller is configured with securedc, a user with an account in that domain cannot connect to any member server from a LanMan only client. See online help for more information.
• Securews.inf - Provides enhanced local account policies, limits the use of LanMan authentication, enables server-side SMB signing, and provides more restrictions on anonymous users. To apply to a domain member, all domain controllers that contain accounts of all users who logon to that member must be running Windows NT 4.0 SP4 or later. See online help for more information.
• Setup Security.inf - Out of box default security settings.
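
An added example, not part of the original thread or the quoted article: a batch file that exports policy and user rights with secedit /export before and after the /configure command above, so that what the template reset can be seen. The folder C:\secbackup and the file names are assumptions; SeSecurityPrivilege is the constant for the "Manage auditing and security log" right.

```batch
@echo off
rem Added example, not from the thread. Run from an administrator prompt.
rem C:\secbackup and the file names below are assumed; change them to suit.
setlocal
set "BK=C:\secbackup"
if not exist "%BK%" mkdir "%BK%"

rem 1. Record policy and user rights as they stand now.
secedit /export /cfg "%BK%\before.inf" /areas SECURITYPOLICY USER_RIGHTS /log "%BK%\export-before.log" /quiet
if not exist "%BK%\before.inf" (
    echo Export failed, see "%BK%\export-before.log". Template not applied.
    exit /b 1
)

rem 2. Apply the template with the command from the thread, keeping a log.
secedit /configure /cfg "%windir%\repair\secsetup.inf" /db "%BK%\secsetup.sdb" /log "%BK%\configure.log" /verbose

rem 3. Record the same areas again.
secedit /export /cfg "%BK%\after.inf" /areas SECURITYPOLICY USER_RIGHTS /log "%BK%\export-after.log" /quiet

rem 4. Show what changed. The exports are Unicode files, hence fc /u.
fc /u "%BK%\before.inf" "%BK%\after.inf"

rem 5. Holders of "Manage auditing and security log" before and after.
rem    type converts the Unicode file so findstr can search it.
echo --- before ---
type "%BK%\before.inf" | findstr /i "SeSecurityPrivilege"
echo --- after ---
type "%BK%\after.inf" | findstr /i "SeSecurityPrivilege"
endlocal
```

The exports cover only the two areas named on the command line; file and registry permissions are not in them, so the full backup recommended in the note above is still needed.
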
Thank you so much! This worked for me too, no reboot required!
Worked for me too !!
Thanks a million! It actually DID WORK for me as well!
Didn't work for me, any further ideas?
Worked for me too I hope LOL
Dear Team, I also have the same problem. I have the Sysvol installed on another drive, apart from the system partition. Can you pls tell me the steps to follow for the same (path for sysvol =E:\WINNT)?
Will be very grateful. Again, what if I cancel the command in between?

Thanks
Zaheer
worked for me, will update if it comes back, thanks!!
secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
I was having the same problem, and I ran the command line above
and then gpupdate

My server installation is on the D drive.

Now all users cannot connect to my Exchange Server, and the error in the Exchange app log says
The Exchange server does not have audit security privilege on the Domain Controller, and it will not be used by ds access

Is there any way I can undo what I've done?

Please help!!!
Correct permissions to read the SACL may have been reset.

Put in Exchange 2007 cd and run this command to fix the problem.

setup /PrepareAD

wirelessadmin,
I know this question and answer is quite dated, but I have a Windows 2003 DC that is generating the same error. Should I be able to institute this solution on my DC without any additional information?