2003 Group Policy - Failed to save

Posted on 2005-02-25
Medium Priority
Last Modified: 2010-09-22
I have run into a pretty major problem. I am attempting to tighten up some security on my domain controllers via the Local Domain controller security policies, but  now whenever i attempt to save a new setting i receive and error.

Security Templates:

an Extended Error has occurred.
Failed to save

I can no longer save any changes to my security policies. Also, i have begun to get 1030 event errors regarding the loading of Group Policies.

I have attempted to run the dcgpofix utility, but this has not appeared to fix the problem.

Question by:athelu
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 2
  • +2
LVL 33

Expert Comment

ID: 13406589
7819 » Group Policy Processing on a Windows Server 2003 DC fails with 'Access Denied' and Application Event IDs 1058 and 1030?


LVL 33

Expert Comment

ID: 13406597
5168 » Group policies are NOT applied as expected on Windows XP, and the Application Event log contains Event ID 1058 and Event ID 1030?

LVL 33

Expert Comment

ID: 13406603
7561 » You receive event ID 1097 and event ID 1030 errors when a Windows Server 2003 domain controller starts?


Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 33

Expert Comment

ID: 13406609
7983 » Your Active Directory clients record event IDs 1030 and 1058?

LVL 35

Accepted Solution

Nirmal Sharma earned 2000 total points
ID: 13409618
>>>an Extended Error has occurred.

You have two default policies in Windows Domain Environemnt :-
      Default Domain Policy
      Default Domain Controller Security Policy

You are using Domain Controller Security Policy from Administrative Tools and is same as Default Domain Controller Security Policy defined at Domain Controllers OU in Active Directory Users and Computers and is pointing to same location in <domainname>\sysvol\<domainname>\policies\{GUID}

If this file is corrupted or there is something wrong with it then you need to restore default GPOs.

You need to re-create both policies to work properly: -


Dcgpofix.exe is a command-line tool that completely restores the Default Domain Policy GPO and Default Domain Controller GPO to their original states in the event of a disaster where you cannot use GPMC. Dcgpofix.exe restores only the policy settings that are contained in the default GPOs at the time they are generated. The only Group Policy extensions that include policy settings in the default GPOs are RIS, Security, and EFS. Dcgpofix.exe does not restore other GPOs that administrators create; it is only intended for disaster recovery of the default GPOs.

Note that Dcgpofix.exe does not save any information created through applications, such as SMS or Exchange. The Dcgpofix.exe tool is included with Windows Server 2003 and only works in a Windows Server 2003 domain.

Dcgpofix.exe is located in the C:\Windows\Repair folder. The syntax for Dcgpofix.exe is as follows:

DCGPOFix [/Target: Domain | DC | BOTH]
Table 2.1 describes the options you can use with the command line parameter /Target: when using the Dcgpofix.exe tool.

Table 2.1   Dcgpofix.exe Options for Using the /Target Parameter

/Target option: Description of option
DOMAIN Specifies that the Default Domain Policy should be recreated.
DC Specifies that the Default Domain Controllers Policy should be recreated.
BOTH Specifies that both the Default Domain Policy and the Default Domain Controllers Policy should be recreated.

***End Quote***

Download this tool from here: -

LVL 20

Expert Comment

ID: 13410709
SystmProg, Good Answer... Can I also add that for further etification, he can also export his policies so that he can get them back as well, if at this point it will not restore either or if restores to a point to far back.
Exporting policies to elsewhere has saved my bacon a time or two.

LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13417590
Please :-)

Author Comment

ID: 13419263
Allright- here is what it took to fix

i ran the dcgpofix command, and this successfully reset the domain controller security settings. However, once this was complete i began to receive 1202 errors. the specific was 0x4b8. In order to correct these, it was necessary to reset the local security database completely.

In order to do that i:
1. Rebooted the DC in safe mode
2. went to the c:\windows\security\ directory
3. created a new folder here and moved all of the edb* files into it.
4. went into the c:\windows\security\database\ directory
5. renamed the secedit.sdb file to secedit.old
6. launched a blank mmc windows. added the security configuration and analysis snap in.
7. directed it to open the non-existant secedit.sdb file, which then prompted me for which template to use. Chose the default domain security template and saved the console session to the desktop.
8. I rebooted the computer and my errors where now gone. However, this security DB change did not replicate to my other DCs.
9. Repeat this process on the other DCs.

this fixed my DC related problems, but once i rand the dcgpofix.exe command my exchange servers went offline. even after all of this i could not get them to successfully start up.  Problem turned out to be missing permissions. The dcgpofix command does not replicate changes made by the exchange install.

I re-ran the exchange /domain prep command, and this recreated the necessary permissions.

after that, all was good again.

and mov

Author Comment

ID: 13419280

Microsoft's recommendation is to NEVER modify the domain controller security policy of local domain security policy that appear on the administrative tools window.

instead, the suggest you only modify the default domain controller policy that exists on the domain controller OU in AD.
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13419326
>>>Microsoft's recommendation is to NEVER modify the domain controller security policy of local domain security policy that appear on the administrative tools window.

Yeah..correct...because it applies only to Domain Controllers and not domain members.

LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13419424

Please let me know if you have any other query :-)

Thanks again


Expert Comment

ID: 33738254
Do not use Dcgpofix.exe before reviewing KB 936483.  I wasn’t comfortable with overwriting any policy files unless it was recommended by Microsoft.

Sure enough I found a fix without losing any my policy settings.

Here’s the Microsoft fix I used:

You receive an error message and changes that you make to the default domain policy GPO are not saved to the Gpttmpl.inf file in Windows Server 2003


This issue may occur because of malicious software activity. This issue may also occur if user rights permissions are incorrectly set in the Gpttmpl.inf file.


To resolve this issue, follow these steps:
1.      Log off from the computer.
2.      Log on to the computer as a user who has administrative rights.
3.      Use antivirus software or the Microsoft Windows Malicious Software Removal Tool. Scan the computer and remove any malicious software that is found. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
890830  The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000
4.      Modify the Gpttmpl.inf file for the default domain policy. By default, the default domain policy GPO is where user rights are defined for a domain controller. By default, the Gpttmpl.inf file for the default domain policy GPO is located in the following folder:
%SystemRoot%\Sysvol\Sysvol\Domain Name\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Computer\Microsoft\Windows NT\SecEdit
To modify the Gpttmpl.inf file, follow these steps:
a.      Click Start, click Run, type %SystemRoot%\Sysvol\Sysvol\Domain Name\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Computer\Microsoft\Windows NT\SecEdit, and then click OK.
b.      Right-click Gpttmpl.inf, and then click Open.
c.      In the Gpttmpl.inf file, look for the following entry:
SeNetworkLogonRight = *S-1-5-32-544, *S-1-1-0
Note The value *S-1-5-32-544 represents the security identifier (SID) for the Administrators group. The value *S-1-1-0 represents the SID for the Everyone group.
d.      If you do not find the values that are mentioned in step c, add them to the SeNetworkLogonRight entry.
e.      Save the changes that you made to the Gpttmpl.inf file.
5.      Restart the computer.

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question