Windows cannot open template file

I am trying to apply auditing to the default domain controllers GPO on my Windows 2000 server machine.
When I expand Computer Configuration, Windows Settings, Security Templates I get an error saying:
"Windows cannot open template file"

I then go on to expand Security Settings, Local Policy, Audit Policy and if I make a change to a setting, for example 'Audit Account Logon Events' I get the following error message twice after clicking ok:

Failed to Save Fail to Save
l\SysVol\mydomain.local\Policies\{6E4B5C53-F6FC-4D1B-BFA3-39F91C58290B}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

It then appears that the changes have been made, but if I exit the Group Policy Editor, and go in again to edit the policy, when I expand Computer Configuration, Windows Settings, Security Settings only the 'Public Key Policies' and 'IP Security Policies on Active Directory' folders are present.  i.e. 'Account Policies' and 'Local Policies' etc are all missing.
gazasc78Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

aissimCommented:
It sounds like the default domain controllers gpo may be corrupt.

Microsoft does provide a tool that will restore BOTH the default domain & domain controller GPO:
http://www.microsoft.com/downloads/details.aspx?FamilyID=b5b685ae-b7dd-4bb5-ab2a-976d6873129d&displaylang=en

Downside is that any/all settings will have to be reconfigured so it can be a hassle. If you're not using the default domain GPO that would make it a little less painful.

<<** LINK REPORTED BROKEN 2018-05-22  SF **>>
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
gazasc78Author Commented:
I ran the RecreateDefPol utility however however symptoms are still the same as before.
I have also noticed that the shortcut to 'Domain Controller Security Policy' under administrative tools is invalid and does not work.  Not sure if this is relevant?

A point I forgot to mention previously is that I have a second domain controller configured on the network which also has the same symptoms.

If I were to demote one domain controller at a time and then use DCPROMO to reinstall AD do you think this would correct my problem?
0
aissimCommented:
check this article and see if it helps:
http://support.microsoft.com/kb/936483
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

ChiefITCommented:
Is DCOM service disabled?
0
gazasc78Author Commented:
I've checked the Gptmpl.inf under the following path ....{6AC1786C-016F-11D2-945F-00C04fB984F9}\Computer\Microsoft\Windows NT\SecEdit as recommended in MS KB Article 936483 and SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0 which seem correct.
 
However the error message I'm receiving is indicating the following path C:\WINNT\sysvol\sysvol\mydomain.local\Policies\{6E4B5C53-F6FC-4D1B-BFA3-39F91C58290B}\Machine\Microsoft\Windows NT\SecEdit

Is this the correct path?  I checked the Gpttmpl.inf file there and it only has the following entries:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

I've checked what services are running and I do not see an entry for DCOM, however the COM+ Event System is running.

0
ChiefITCommented:
Is this similar to the error you have seen in event viewer:

""Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=quadra,DC=local. The file must be present at the location <\\quadra.local\sysvol\quadra.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Access is denied. ). Group Policy processing aborted. ""

As I understand it, according to the below article:

It will tell you more about setting permissions on the GPttmpl.inf file. This is the template's information file. Without the correct permissions, GPT.INI wouldn't have access to the Group policy template. Without the correct permissions on the group policy template, I can see an access denied GPT.INI doesn't have the correct permissions error you may be receiving.

As described in the article, GPT.INI is a file that controls the Group policy version number. You varified the GP template file exists.  But does the template have the correct permissions to be accessed by the server.

The two files, (GPT.INI and GPtmpl), work with DCOM to provide Group policy.

http://support.microsoft.com/kb/324800
0
gazasc78Author Commented:
The only errors I have in my Application Log are:

Source: SclgNtfy
Default group policy object cannot be created. Error 80070020 to save GPO Domain EFS Recovery Policy.

Source: SceSrv
Policy change from LSA/SAM can't be saved in the policy storage. Error 5 to save policy change for account S-1-5-21-1645522239-362288127-839522115-1680 in the default GPOs. For more debugging information, please look security\logs\scepol.log under Windows root.
0
ChiefITCommented:
Wow:
I haven't seen these before. But, since I am here, I'll do my best to help.

Error 1) This looks like a permissions or file sharing problem. Maybe you have bit defender preventing you from sharing Group policy templates. It's just a guess. I could see real time protection could cause a problem:
http://forums.microsoft.com/technet/showpost.aspx?pageindex=1&siteid=17&postid=1187796&sb=0&d=1&at=7&ft=11&tf=0&pageid=1

Error 2) this is a SID:  S-1-5-21-1645522239-362288127-839522115-1680. The error says It can't save the policy in the default GPOs. Is it possible you have some sort of metadata from a server that doesn't exist?
I could also see real time protection preventing you from saving templates on the server.

You can get a little utility called SIDtoName and find out what computer this SID belongs to, wether it be a backup server or a server removed. If it is a removed server, you might have to do a metadata cleanup on the servers to rid yourself of these orphaned or tombstoned AD objects.

http://www.eventid.net/display.asp?eventid=1003&eventno=1479&source=scesrv&phase=1

This is still a difficult one. So, take my advice for what it is, (reaching).
0
gazasc78Author Commented:
Thanks guys for all your help on this.
0
gazasc78Author Commented:
Thanks guys for all your help
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.