• Status: Solved

Windows cannot open template file

I am trying to apply auditing to the default domain controllers GPO on my Windows 2000 server machine.
When I expand Computer Configuration, Windows Settings, Security Templates I get an error saying:
"Windows cannot open template file"

I then go on to expand Security Settings, Local Policy, Audit Policy and if I make a change to a setting, for example 'Audit Account Logon Events' I get the following error message twice after clicking ok:

Failed to Save Fail to Save
l\SysVol\mydomain.local\Policies\{6E4B5C53-F6FC-4D1B-BFA3-39F91C58290B}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

It then appears that the changes have been made, but if I exit the Group Policy Editor and go in again to edit the policy, when I expand Computer Configuration, Windows Settings, Security Settings only the 'Public Key Policies' and 'IP Security Policies on Active Directory' folders are present, i.e. 'Account Policies', 'Local Policies', etc. are all missing.
0
Asked by: gazasc78
 
aissim Commented:
It sounds like the default domain controllers gpo may be corrupt.

Microsoft does provide a tool that will restore BOTH the default domain & domain controller GPO:
http://www.microsoft.com/downloads/details.aspx?FamilyID=b5b685ae-b7dd-4bb5-ab2a-976d6873129d&displaylang=en

Downside is that any/all settings will have to be reconfigured so it can be a hassle. If you're not using the default domain GPO that would make it a little less painful.
0
 
gazasc78 (Author) Commented:
I ran the RecreateDefPol utility; however, the symptoms are still the same as before.
I have also noticed that the shortcut to 'Domain Controller Security Policy' under administrative tools is invalid and does not work.  Not sure if this is relevant?

A point I forgot to mention previously is that I have a second domain controller configured on the network which also has the same symptoms.

If I were to demote one domain controller at a time and then use DCPROMO to reinstall AD do you think this would correct my problem?
0
 
aissim Commented:
Check this article and see if it helps:
http://support.microsoft.com/kb/936483
0
 
ChiefIT Commented:
Is DCOM service disabled?
0
 
gazasc78 (Author) Commented:
I've checked the GptTmpl.inf under the following path ....{6AC1786C-016F-11D2-945F-00C04fB984F9}\Computer\Microsoft\Windows NT\SecEdit as recommended in MS KB Article 936483 and SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0 which seems correct.
 
However the error message I'm receiving is indicating the following path C:\WINNT\sysvol\sysvol\mydomain.local\Policies\{6E4B5C53-F6FC-4D1B-BFA3-39F91C58290B}\Machine\Microsoft\Windows NT\SecEdit

Is this the correct path?  I checked the Gpttmpl.inf file there and it only has the following entries:

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

I've checked what services are running and I do not see an entry for DCOM, however the COM+ Event System is running.

0
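Added example, not part of the original thread: a small Python check that parses the text of a GptTmpl.inf, lists its sections, flags a template that holds only the [Unicode] and [Version] header (as in the file quoted above), and resolves the SeNetworkLogonRight SIDs to their well-known names. The function names and the second sample template are constructed for illustration.

```python
# Added illustration; function names and SAMPLE_FULL are constructed, not from the thread.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}
HEADER_SECTIONS = {"Unicode", "Version"}

def parse_inf(text):
    """Return {section: {key: value}} for INF-style text."""
    sections, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def review_template(text):
    """Summarise which settings a security template actually carries."""
    sections = parse_inf(text)
    rights = sections.get("Privilege Rights", {})
    sids = [s.strip().lstrip("*")
            for s in rights.get("SeNetworkLogonRight", "").split(",") if s.strip()]
    return {
        "sections": sorted(sections),
        # True when nothing beyond the file header is present
        "no_settings": set(sections) <= HEADER_SECTIONS,
        "network_logon": [WELL_KNOWN_SIDS.get(s, s) for s in sids],
    }

# The header-only content quoted in the thread.
SAMPLE_STUB = '[Unicode]\nUnicode=yes\n[Version]\nsignature="$CHICAGO$"\nRevision=1\n'
# Constructed sample: same header plus two settings sections.
SAMPLE_FULL = SAMPLE_STUB + (
    "[Event Audit]\nAuditAccountLogon = 3\n"
    "[Privilege Rights]\nSeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544,*S-1-1-0\n"
)

if __name__ == "__main__":
    # For a file on disk: open(path, encoding="utf-16").read() (usual encoding, an assumption)
    for name, text in (("stub", SAMPLE_STUB), ("full", SAMPLE_FULL)):
        print(name, review_template(text))
```
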
 
ChiefIT Commented:
Is this similar to the error you have seen in event viewer:

"Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=quadra,DC=local. The file must be present at the location <\\quadra.local\sysvol\quadra.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Access is denied. ). Group Policy processing aborted."

As I understand it, according to the below article:

It will tell you more about setting permissions on the GPttmpl.inf file. This is the template's information file. Without the correct permissions, GPT.INI wouldn't have access to the Group policy template. Without the correct permissions on the group policy template, I can see an access denied GPT.INI doesn't have the correct permissions error you may be receiving.

As described in the article, GPT.INI is a file that controls the Group policy version number. You verified the GP template file exists. But does the template have the correct permissions to be accessed by the server?

The two files, (GPT.INI and GPtmpl), work with DCOM to provide Group policy.

http://support.microsoft.com/kb/324800
0
 
gazasc78 (Author) Commented:
The only errors I have in my Application Log are:

Source: SclgNtfy
Default group policy object cannot be created. Error 80070020 to save GPO Domain EFS Recovery Policy.

Source: SceSrv
Policy change from LSA/SAM can't be saved in the policy storage. Error 5 to save policy change for account S-1-5-21-1645522239-362288127-839522115-1680 in the default GPOs. For more debugging information, please look security\logs\scepol.log under Windows root.
0
 
ChiefIT Commented:
Wow:
I haven't seen these before. But, since I am here, I'll do my best to help.

Error 1) This looks like a permissions or file sharing problem. Maybe you have Bitdefender preventing you from sharing Group policy templates. It's just a guess. I could see real time protection could cause a problem:
http://forums.microsoft.com/technet/showpost.aspx?pageindex=1&siteid=17&postid=1187796&sb=0&d=1&at=7&ft=11&tf=0&pageid=1

Error 2) This is a SID:  S-1-5-21-1645522239-362288127-839522115-1680. The error says it can't save the policy in the default GPOs. Is it possible you have some sort of metadata from a server that doesn't exist?
I could also see real time protection preventing you from saving templates on the server.

You can get a little utility called SIDtoName and find out what computer this SID belongs to, whether it be a backup server or a server removed. If it is a removed server, you might have to do a metadata cleanup on the servers to rid yourself of these orphaned or tombstoned AD objects.

http://www.eventid.net/display.asp?eventid=1003&eventno=1479&source=scesrv&phase=1

This is still a difficult one. So, take my advice for what it is, (reaching).
0
 
gazasc78 (Author) Commented:
Thanks guys for all your help on this.
0
 
gazasc78 (Author) Commented:
Thanks guys for all your help
0
