2003 Group Policy - Failed to save

I have run into a pretty major problem. I am attempting to tighten up some security on my domain controllers via the Local Domain controller security policies, but now whenever I attempt to save a new setting I receive an error.

Security Templates:

an Extended Error has occurred.
Failed to save

I can no longer save any changes to my security policies. Also, I have begun to get 1030 event errors regarding the loading of Group Policies.

I have attempted to run the dcgpofix utility, but this has not appeared to fix the problem.

7819 » Group Policy Processing on a Windows Server 2003 DC fails with 'Access Denied' and Application Event IDs 1058 and 1030?


5168 » Group policies are NOT applied as expected on Windows XP, and the Application Event log contains Event ID 1058 and Event ID 1030?

7561 » You receive event ID 1097 and event ID 1030 errors when a Windows Server 2003 domain controller starts?


7983 » Your Active Directory clients record event IDs 1030 and 1058?

Nirmal Sharma (Solution Architect) Commented:
>>>an Extended Error has occurred.

You have two default policies in Windows Domain Environment :-
      Default Domain Policy
      Default Domain Controller Security Policy

You are using the Domain Controller Security Policy from Administrative Tools, which is the same as the Default Domain Controller Security Policy defined at the Domain Controllers OU in Active Directory Users and Computers, and it points to the same location in <domainname>\sysvol\<domainname>\policies\{GUID}

If this file is corrupted or there is something wrong with it then you need to restore default GPOs.

You need to re-create both policies to work properly: -


Dcgpofix.exe is a command-line tool that completely restores the Default Domain Policy GPO and Default Domain Controller GPO to their original states in the event of a disaster where you cannot use GPMC. Dcgpofix.exe restores only the policy settings that are contained in the default GPOs at the time they are generated. The only Group Policy extensions that include policy settings in the default GPOs are RIS, Security, and EFS. Dcgpofix.exe does not restore other GPOs that administrators create; it is only intended for disaster recovery of the default GPOs.

Note that Dcgpofix.exe does not save any information created through applications, such as SMS or Exchange. The Dcgpofix.exe tool is included with Windows Server 2003 and only works in a Windows Server 2003 domain.

Dcgpofix.exe is located in the C:\Windows\Repair folder. The syntax for Dcgpofix.exe is as follows:

DCGPOFix [/Target: Domain | DC | BOTH]
Table 2.1 describes the options you can use with the command line parameter /Target: when using the Dcgpofix.exe tool.

Table 2.1   Dcgpofix.exe Options for Using the /Target Parameter

/Target option   Description of option
DOMAIN           Specifies that the Default Domain Policy should be recreated.
DC               Specifies that the Default Domain Controllers Policy should be recreated.
BOTH             Specifies that both the Default Domain Policy and the Default Domain Controllers Policy should be recreated.

***End Quote***

Download this tool from here: -


SystmProg, Good Answer... Can I also add that for further edification, he can also export his policies so that he can get them back as well, if at this point it will not restore either or if it restores to a point too far back.
Exporting policies to elsewhere has saved my bacon a time or two.

Nirmal Sharma (Solution Architect) Commented:
Please :-)
athelu (Author) Commented:
All right - here is what it took to fix

I ran the dcgpofix command, and this successfully reset the domain controller security settings. However, once this was complete I began to receive 1202 errors. The specific was 0x4b8. In order to correct these, it was necessary to reset the local security database completely.

In order to do that I:
1. Rebooted the DC in safe mode
2. Went to the c:\windows\security\ directory
3. Created a new folder here and moved all of the edb* files into it.
4. Went into the c:\windows\security\database\ directory
5. Renamed the secedit.sdb file to secedit.old
6. Launched a blank MMC window. Added the Security Configuration and Analysis snap-in.
7. Directed it to open the non-existent secedit.sdb file, which then prompted me for which template to use. Chose the default domain security template and saved the console session to the desktop.
8. I rebooted the computer and my errors were now gone. However, this security DB change did not replicate to my other DCs.
9. Repeat this process on the other DCs.

This fixed my DC related problems, but once I ran the dcgpofix.exe command my Exchange servers went offline. Even after all of this I could not get them to successfully start up. Problem turned out to be missing permissions. The dcgpofix command does not replicate changes made by the Exchange install.

I re-ran the exchange /domain prep command, and this recreated the necessary permissions.

After that, all was good again.

and mov
athelu (Author) Commented:

Microsoft's recommendation is to NEVER modify the domain controller security policy of local domain security policy that appear on the administrative tools window.

Instead, they suggest you only modify the default domain controller policy that exists on the domain controller OU in AD.
Nirmal Sharma (Solution Architect) Commented:
>>>Microsoft's recommendation is to NEVER modify the domain controller security policy of local domain security policy that appear on the administrative tools window.

Yeah..correct...because it applies only to Domain Controllers and not domain members.

Nirmal Sharma (Solution Architect) Commented:

Please let me know if you have any other query :-)

Thanks again

PFrazer (IT Systems Engineer) Commented:
Do not use Dcgpofix.exe before reviewing KB 936483. I wasn't comfortable with overwriting any policy files unless it was recommended by Microsoft.

Sure enough I found a fix without losing any of my policy settings.

Here’s the Microsoft fix I used:

You receive an error message and changes that you make to the default domain policy GPO are not saved to the Gpttmpl.inf file in Windows Server 2003


This issue may occur because of malicious software activity. This issue may also occur if user rights permissions are incorrectly set in the Gpttmpl.inf file.


To resolve this issue, follow these steps:
1.      Log off from the computer.
2.      Log on to the computer as a user who has administrative rights.
3.      Use antivirus software or the Microsoft Windows Malicious Software Removal Tool. Scan the computer and remove any malicious software that is found. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
890830  The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Vista, Windows Server 2003, Windows XP, or Windows 2000
4.      Modify the Gpttmpl.inf file for the default domain policy. By default, the default domain policy GPO is where user rights are defined for a domain controller. By default, the Gpttmpl.inf file for the default domain policy GPO is located in the following folder:
%SystemRoot%\Sysvol\Sysvol\Domain Name\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Computer\Microsoft\Windows NT\SecEdit
To modify the Gpttmpl.inf file, follow these steps:
a.      Click Start, click Run, type %SystemRoot%\Sysvol\Sysvol\Domain Name\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Computer\Microsoft\Windows NT\SecEdit, and then click OK.
b.      Right-click Gpttmpl.inf, and then click Open.
c.      In the Gpttmpl.inf file, look for the following entry:
SeNetworkLogonRight = *S-1-5-32-544, *S-1-1-0
Note The value *S-1-5-32-544 represents the security identifier (SID) for the Administrators group. The value *S-1-1-0 represents the SID for the Everyone group.
d.      If you do not find the values that are mentioned in step c, add them to the SeNetworkLogonRight entry.
e.      Save the changes that you made to the Gpttmpl.inf file.
5.      Restart the computer.
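
The check in steps c and d of the KB procedure above, as an added Python example (not part of the original post or the Microsoft article): it parses a copy of Gpttmpl.inf and reports which of the two SIDs named in step c are missing from SeNetworkLogonRight. The function names are hypothetical and the sample file contents are constructed.

```python
import re

# SIDs that step c of the KB procedure expects on SeNetworkLogonRight.
REQUIRED = {"*S-1-5-32-544": "Administrators", "*S-1-1-0": "Everyone"}

def decode_inf(raw: bytes) -> str:
    """Security templates are usually UTF-16 with a BOM; hand-edited copies may not be."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    if raw[:3] == b"\xef\xbb\xbf":
        return raw.decode("utf-8-sig")
    return raw.decode("cp1252", errors="replace")

def privilege_rights(text: str) -> dict:
    """Return {right name (lower-case): [trustees]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip().lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return rights

def missing_network_logon_sids(raw: bytes) -> list:
    """SIDs from REQUIRED absent from SeNetworkLogonRight; a missing entry means all are."""
    granted = privilege_rights(decode_inf(raw)).get("senetworklogonright", [])
    present = {sid.upper() for sid in granted}
    return [sid for sid in REQUIRED if sid.upper() not in present]

def make_sample(logon_line: str) -> bytes:
    """Constructed Gpttmpl.inf contents (not taken from a real domain)."""
    body = ("[Unicode]\r\nUnicode=yes\r\n[Privilege Rights]\r\n" + logon_line +
            "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n")
    return body.encode("utf-16")

SAMPLE_OK = make_sample("SeNetworkLogonRight = *S-1-5-32-544,*S-1-1-0,*S-1-5-11\r\n")
SAMPLE_BAD = make_sample("SeNetworkLogonRight = *S-1-5-32-544\r\n")
SAMPLE_NONE = make_sample("")

if __name__ == "__main__":
    for label, raw in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD), ("none", SAMPLE_NONE)):
        missing = missing_network_logon_sids(raw)
        print(label, "missing:", [f"{s} ({REQUIRED[s]})" for s in missing] or "nothing")
```

To audit a real template, pass the bytes of a copy of the file (read with `open(path, "rb").read()`) to `missing_network_logon_sids`; the function only reads and never writes the template.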
Windows Server 2003

Question has a verified solution.