Failed to open group policy object

Posted on 2006-06-08
Last Modified: 2009-03-28
I have been given the task of fixing this issue and I don't know the events that led up to this.  The problem is that I am getting the following error when I try to open up the Group Policy Object:

Failed to open the group policy object.  You may not have appropriate rights.
Details: The system cannot find the path specified.

This domain is running two Win2k domain controllers, which from what I gather one was recently added and one was recently removed to replace an older server.  I have checked all the FSMO roles and they are fine.  However, when I browse to WINNT/SYSVOL/SYSVOL/DOMAINNAME, the only folder in there is "DO_NOT_REMOVE_NtFrs_PreInstall_Directory" and nothing else.  So I am pretty sure that this is the problem.  How do I go about rebuilding the default domain controller policy with the minimal amount of impact on the domain?

Question by:brennon

    Expert Comment

    by:Kini pradeep
    That would depend on how many DCs you have in the domain.
    Was the DC removed gracefully?
    And had the DC which was added replicated with the other DCs?

    1. How many DCs are currently in the domain? If more than one, do any of the others have sysvol intact with all the folders?

    2. On the DC, under c:\winnt\sysvol, do you see the following:

    staging area and sysvol.
    Under domain there would be policies and script, and under policies are there the 31b and 6AC?
    What do you see under the DO_NOT_REMOVE_NtFrs_PreInstall_Directory?

    3. Type net share on cmd; does it show netlogon and sysvol?
    Can you also run a Dcdiag /v on that DC and paste the errors?

    And if you need to recreate the policies, then do you use certificate services or file encryption in the domain?

    Author Comment

    There are currently 2 DCs in the domain.  Yes, the controller was gracefully removed.  I have checked both controllers and they are both showing the same thing: I do not see any folders/files under c:\winnt\sysvol\domain and there is nothing under DO_NOT_REMOVE_NtFrs_PreInstall_Directory.

    When I run net share I see the sysvol folder being shared but not netlogon.

    DC Diagnosis

    Performing initial setup:
       * Verifing that the local machine server11, is a DC.
       * Connecting to directory service on server server11.
       * Collecting site info.
       * Identifying all servers.
       * Found 2 DC(s). Testing 1 of them.
       Done gathering initial info.

    Doing initial non skippeable tests

       Testing server: MyDomain\Server11
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             * Active Directory RPC Services Check
             ......................... Server 11 passed test Connectivity

    Doing primary tests

       Testing server: MyDomain\Server11
          Starting test: Replications
             * Replications Check
             ......................... Server11 passed test Replications
          Test omitted by user request: Topology
          Test omitted by user request: CutoffServers
          Starting test: NCSecDesc
             * Security Permissions Check for
             * Security Permissions Check for
             * Security Permissions Check for
             ......................... Server11 passed test NCSecDesc
          Starting test: NetLogons
             * Network Logons Privileges Check
             ......................... Server11 passed test NetLogons
          Starting test: Advertising
             The DC Server11 is advertising itself as a DC and having a DS.
             The DC Server11 is advertising as an LDAP server
             The DC Server11 is advertising as having a writeable directory
             The DC Server11 is advertising as a Key Distribution Center
             The DC Server11 is advertising as a time server
             The DS Server11 is advertising as a GC.
             ......................... Server11 passed test Advertising
          Starting test: KnowsOfRoleHolders
             Role Schema Owner = CN=NTDS Settings,CN=Server11,CN=Servers,CN=Syne
             Role Domain Owner = CN=NTDS Settings,CN=Server11,CN=Servers,CN=Syne
             Role PDC Owner = CN=NTDS Settings,CN=Server11,CN=Servers,CN=Synergy
             Role Rid Owner = CN=NTDS Settings,CN=Server11,CN=Servers,CN=Synergy
             Role Infrastructure Update Owner = CN=NTDS Settings,CN=Server33,CN=
             ......................... Server11 passed test KnowsOfRoleHolders
          Starting test: RidManager
             * Available RID Pool for the Domain is 10904 to 1073741823
             * is the RID Master
             * DsBind with RID Master was successful
             * rIDAllocationPool is 8392 to 8891
             * rIDNextRID: 8527
             * rIDPreviousAllocationPool is 8392 to 8891
             ......................... Server11 passed test RidManager
          Starting test: MachineAccount
             * SPN found :LDAP/Server11.MyDomain/MyDomain
             * SPN found :LDAP/Server11.MyDomain
             * SPN found :LDAP/Server11
             * SPN found :LDAP/Server11.MyDomain/MyDomain
             * SPN found :LDAP/fa4335b1-89b5-4087-b518-093cb0034635._msdcs.MyDomain
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/fa4335b1-89b5-4087-
             * SPN found :HOST/Server11.MyDomain/MyDomain
             * SPN found :HOST/Server11.MyDomain
             * SPN found :HOST/Server11
             * SPN found :HOST/Server11.MyDomain/MyDomain
             * SPN found :GC/Server11.MyDomain/MyDomain
             ......................... Server11 passed test MachineAccount
          Starting test: Services
             * Checking Service: Dnscache
             * Checking Service: NtFrs
             * Checking Service: IsmServ
             * Checking Service: kdc
             * Checking Service: SamSs
             * Checking Service: LanmanServer
             * Checking Service: LanmanWorkstation
             * Checking Service: RpcSs
             * Checking Service: RPCLOCATOR
             * Checking Service: w32time
             * Checking Service: TrkWks
             * Checking Service: TrkSvr
             * Checking Service: NETLOGON
             * Checking Service: Dnscache
             * Checking Service: NtFrs
             ......................... Server11 passed test Services
          Test omitted by user request: OutboundSecureChannels
          Starting test: ObjectsReplicated
             Server11 is in domain DC=MyDomain,DC=com
             Checking for CN=Server11,OU=Domain Controllers,DC=MyDomain,
    =com in domain DC=MyDomain,DC=com on 1 servers
                Object is up-to-date on all servers.
             Checking for CN=NTDS Settings,CN=Server11,CN=Servers,CN=MyDomain,CN=
    tes,CN=Configuration,DC=MyDomain,DC=com in domain CN=Configuration,DC=
    MyDomain,DC=com on 1 servers
                Object is up-to-date on all servers.
             ......................... Server11 passed test ObjectsReplicated
          Starting test: frssysvol
             * The File Replication Service Event log test
             Error: No record of File Replication System, SYSVOL started.
             The Active Directory may be prevented from starting.
             ......................... Server11 passed test frssysvol
          Starting test: kccevent
             * The KCC Event log test
             Found no KCC errors in Directory Service Event log in the last 15 min
             ......................... Server11 passed test kccevent
          Starting test: systemlog
             * The System Event log test
             Found no errors in System Event log in the last 60 minutes.
             ......................... Server11 passed test systemlog

       Running enterprise tests on : MyDomain
          Starting test: Intersite
             Skipping site MyDomain, this site is outside the scope provided by the
             command line arguments provided.
             ......................... MyDomain passed test Intersite
          Starting test: FsmoCheck
             GC Name: \\Server11.MyDomain
             Locator Flags: 0xe00001fd
             PDC Name: \\Server11.MyDomain
             Locator Flags: 0xe00001fd
             Time Server Name: \\Server11.MyDomain
             Locator Flags: 0xe00001fd
             Preferred Time Server Name: \\Server11.MyDomain
             Locator Flags: 0xe00001fd
             KDC Name: \\Server11.MyDomain
             Locator Flags: 0xe00001fd
             ......................... MyDomain passed test FsmoCheck
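The run above marks `frssysvol` as passed even though its body logs `Error: No record of File Replication System, SYSVOL started.` The following is an added example, not part of the original thread: a small Python parser that flags any dcdiag test whose verdict is "passed" while its body contains an `Error:` or `Warning:` line. The sample text is constructed in the layout of the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the dcdiag /v output quoted in the thread.
SAMPLE = """\
      Starting test: Services
         * Checking Service: NtFrs
         ......................... Server11 passed test Services
      Starting test: frssysvol
         * The File Replication Service Event log test
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         ......................... Server11 passed test frssysvol
      Starting test: systemlog
         Found no errors in System Event log in the last 60 minutes.
         ......................... Server11 passed test systemlog
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
VERDICT = re.compile(r"^\s*\.{5,}\s*(.+?)\s+(passed|failed)\s+test\s+(\S+)")
# Assumption: problem lines begin with "Error:" or "Warning:", as the one above does.
PROBLEM = re.compile(r"^\s*(?:Error|Warning):\s*(.*)", re.IGNORECASE)

def review_dcdiag(text):
    """Return one dict per test: name, server, verdict and any problem lines."""
    results, current = [], None
    for line in text.splitlines():
        m = START.match(line)
        if m:
            current = {"test": m.group(1), "server": None, "verdict": None, "problems": []}
            results.append(current)
            continue
        if current is None:
            continue  # text outside any test block
        m = VERDICT.match(line)
        if m:
            current["server"], current["verdict"] = m.group(1), m.group(2)
            current = None
            continue
        m = PROBLEM.match(line)
        if m:
            current["problems"].append(m.group(1).strip())
    return results

def passed_with_errors(text):
    """Tests reported as passed although their body logged an Error/Warning."""
    return [r for r in review_dcdiag(text) if r["verdict"] == "passed" and r["problems"]]

if __name__ == "__main__":
    for r in passed_with_errors(SAMPLE):
        print(f"{r['server']}: {r['test']} passed but logged {r['problems']}")
```

Feeding it saved `dcdiag /v` output from each DC surfaces replication problems such as the missing SYSVOL start record, which a scan for "failed test" alone would miss.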

    Author Comment

    One more thing: when I try to run DCdiag /v on the second DC I get the following error:
    C:\>DCdiag /v
    'DCdiag' is not recognized as an
    operable program or batch file.

    Accepted Solution

    Probably you do not have the support tools on the second DC.
    Do you have a healthy sysvol with all the folders and policies on the other DC?
    So the policies and script folders are missing under the domain folder.
    It's actually the scripts which is shared as netlogon by the system.
    Can you stop and start the FRS on this machine and check for errors in the eventvwr?
    If the other DC has the folder intact then we can have them replicated from the other; else there is a tool for Windows 2000 called recreatedefpol to create the default domain and domain controllers policy, which can be downloaded from MS. The policies can be recreated to the default, as long as no EFS is used in the domain, because there would be NP with the recovery agent. Also, do you use any certificate services?

    Author Comment

    Neither server has the sysvol folder intact.  I started and stopped the FRS service on both machines and came up with no errors.  I have run the recreatedefpol.exe and it has replaced the folders.  Everything seems to be working ok now.  I will give it a couple of days and then close out this question.

    Thanks for the help

    Expert Comment

    by:Kini pradeep
    seems like you have got things under control,

