  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1065

Cannot Open Default Domain or Domain Controller Security Policy

When I try to open either, I get a "failed to open the Group Policy Object. You may not have appropriate rights" message. I see event ID 1000 being written every few minutes stating "windows cannot access the file gpt.ini for GPO. The file must be present at the location <>. (). Group policy processing aborted." I have 2 Windows 2k DCs in my environment.
Asked:
Cobra25
1 Solution
 
SGrossmann Commented:
Are the policies applied to your clients / domain controllers correctly? What about all other policies in your environment? Can you open / edit them without problems? If not, you might need to restore those policies; as long as you did not change them there is not a real problem with it.
http://www.microsoft.com/downloads/details.aspx?familyid=b5b685ae-b7dd-4bb5-ab2a-976d6873129d&displaylang=en
0
 
Amirchoupani Commented:
Check your DNS and GC.
0
 
Cobra25 Author Commented:
Well, the thing is I'm not sure what settings are being applied; I inherited this network. Should I try running RSoP from one of the machines? I don't know about any of the policies since I cannot view anything when I try to open the domain/domain controller policies. I just get the error message as mentioned before and then a red X on the console.

Amirchoupani, DNS and GC are OK.
0

 
SGrossmann Commented:
If you are not able to see or edit them, they might not be applied to the clients at all.

Try gpresult /v on a client and a domain controller to check whether the policies are applied.
0
 
SGrossmann Commented:
@Amirchoupani, there was no domain rename as far as I understood Cobra, so this article would not help.
0
 
Cobra25 Author Commented:
That's right, I haven't renamed the domain. Should I try using the GPT tool for Win2k that resets all the GPO files and settings back to default?
0
 
SGrossmann Commented:
If the policies aren't applied to the client you could not change anything away from the default if you reset the policies. Make sure to configure the password policy in the Default Domain Policy after the restore as you need it.
0
 
Cobra25 Author Commented:
"If the policies aren't applied to the client you could not change anything away from the default if you reset the policies."

I'm not sure what you mean by this.
0
 
SGrossmann Commented:
Oh sorry, bad English :)
If the policies aren't applied at the moment, anything that was changed will not be applied to clients added to the domain after the policies went bad.
If you recreate those policies, the default policies as after the installation of the domain will be applied to the clients and domain controllers.
If I remember right, I never had to change anything besides the password policies in those default policies. Even I cannot remember changing some of these settings with other policies somewhere within the domain.
If you've restored those policies, check if all works as expected, and if any of the settings might be a problem for some special application within your environment; for Microsoft applications the default settings won't harm at all.
0
 
Cobra25 Author Commented:
So are you saying that after I reset everything, any existing policies that I have running will not work any longer?
0
 
Cobra25 Author Commented:
I tried RSoP on one of the machines. I get a "rsop data is invalid" message, and in the details at the bottom it says "Invalid Namespace".
0
 
Cobra25 Author Commented:
I checked the debug/userenv.log, and this is the message I get:

USERENV(e8.350) 17:45:20:163 ProcessGPO:  Couldn't find the group policy template file <\\xxx.com\sysvol\xxxx..com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>, error = 0x3.
USERENV(e8.350) 17:45:20:178 ReportEvent failed.  Error = 1502
USERENV(e8.350) 17:45:20:178 EvalList:  ProcessGPO failed
USERENV(e8.350) 17:45:20:178 GetGPOInfo:  EvaluateDeferredGPOs failed. Exiting
USERENV(e8.350) 17:45:20:178 ProcessGPOs: GetGPOInfo failed.
USERENV(e8.350) 17:45:20:178 ReportEvent failed.  Error = 1502

Not sure what to do now
0
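An added example (not part of the original thread): a small Python triage script for userenv.log lines like the ones posted above. It pulls the GPO GUID out of each missing-gpt.ini message, names the two default GPOs by their well-known GUIDs, and decodes the Win32 error codes; the sample log is constructed from the posted lines with a placeholder domain name, and the Default Domain Controllers Policy GUID is the standard well-known value rather than one taken from the thread.

```python
import re
from collections import Counter

# Well-known GUIDs of the two default GPOs (the same in every AD domain).
DEFAULT_GPOS = {
    "31B2F340-016D-11D2-945F-00C04FB984F9": "Default Domain Policy",
    "6AC1786C-016F-11D2-945F-00C04FB984F9": "Default Domain Controllers Policy",
}
# Win32 error codes that commonly appear in these messages.
WIN32 = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND",
         5: "ERROR_ACCESS_DENIED", 53: "ERROR_BAD_NETPATH",
         1502: "ERROR_LOG_FILE_FULL"}

MISSING = re.compile(r"Couldn't find the group policy template file "
                     r"<(?P<path>[^>]+)>, error = (?P<err>0x[0-9a-fA-F]+|\d+)")
GUID = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
REPORT = re.compile(r"ReportEvent failed\.\s+Error = (\d+)")

# Constructed sample: lines from the post, with a placeholder domain name.
SAMPLE = r"""
USERENV(e8.350) 17:45:20:163 ProcessGPO:  Couldn't find the group policy template file <\\example.test\sysvol\example.test\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>, error = 0x3.
USERENV(e8.350) 17:45:20:178 ReportEvent failed.  Error = 1502
USERENV(e8.350) 17:45:20:178 EvalList:  ProcessGPO failed
USERENV(e8.350) 17:45:20:178 ReportEvent failed.  Error = 1502
"""

def name(code):
    """Map a Win32 error number to its symbolic name where known."""
    return WIN32.get(code, "Win32 error %d" % code)

def analyze(log_text):
    """Return (missing GPT entries, counts of event-log write failures)."""
    missing, report_failures = [], Counter()
    for line in log_text.splitlines():
        m = MISSING.search(line)
        if m:
            err = m.group("err")
            code = int(err, 16) if err.lower().startswith("0x") else int(err)
            g = GUID.search(m.group("path"))
            guid = g.group(1).upper() if g else None
            # PATH_NOT_FOUND means a folder in the path is absent, not only gpt.ini.
            missing.append({"guid": guid, "error": name(code),
                            "gpo": DEFAULT_GPOS.get(guid, "non-default GPO")})
        r = REPORT.search(line)
        if r:
            report_failures[name(int(r.group(1)))] += 1
    return missing, dict(report_failures)

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the posted lines this reports error 0x3 (path not found) for the Default Domain Policy GUID, and decodes 1502 as the event log being full, which is why ReportEvent itself fails.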
 
SGrossmann Commented:
Regarding your first question:
All other policies are untouched; only the two default policies will be reset to default.
You need to change the password policy if you don't want the default settings within the Default Domain Policy.

{31B2F340... is your Default Domain Policy. As I see it, there might be more problems regarding GPO processing if those policies are broken.
As long as they cannot be read, you can reset them to defaults without any problems.
0
 
Cobra25 Author Commented:
I don't have any GPOs currently. I believe the password settings were set in the default domain policy, which I have no problem resetting from default.

At this point I think it's best to go ahead and reset them back to default. I'm just worried about any repercussions from doing so.
0
 
Cobra25 Author Commented:
Okay, I found the password policy GPO, and I'm able to edit it. The weird part is that if I check the properties on the GPO, the Unique name doesn't match any of the GUIDs in the Sysvol\domainname\policies folder.
0
 
SGrossmann Commented:
OK, sounds strange. If you have a policy it must be within the sysvol folder, at least on the PDC emulator, and if it is not on the second DC you additionally have a replication issue.

The password policy needs to be linked on the domain root to be used.

But if you say you don't have any GPOs at the moment, I don't understand how there might be one except the default domain policy.
0
 
Cobra25 Author Commented:
If I go to ADSIEdit, under the policies container, I do see the GUIDs match up here, however. How is the password policy GPO being applied when the folder for it is missing in my sysvol/domainname/policies folder?
0
 
SGrossmann Commented:
It should not be applied at all if the policy files are missing.
Are there more than the two non-working default policies? If yes, are they all missing within sysvol?
0
 
Cobra25 Author Commented:
The defaults don't work.

I was skimming through the OUs in AD and found the majority of them had a GPO assigned to them; however, if I clicked Edit on any of them, they would not open.
I did find one called a password policy GPO on one of the OUs, and I was able to open it and edit it. This is the only one I can open. As I mentioned, I cannot open the default domain or default domain controller ones. So I checked its Unique ID, and found that it didn't match what was in the Sysvol folder, which is so strange. How is this getting applied then?
0
 
Cobra25 Author Commented:
I found it! Turns out it was running at the domain level. The GUID matches up.
Now I think the bottom line is to either recreate the 2 default policies, or just do a restore using the MS tool. What do you guys recommend?
0
 
SGrossmann Commented:
If you have a working backup of your GPOs, try to restore them.

If this does not work you should restore the default policies and try to recreate the default policies with the restore tool, and afterward you need to check what happened to your other GPOs. If none of your GPOs is working, I think you might have more problems than the two default policies and you need to check what happened to your sysvol folder.
0
 
Cobra25 Author Commented:
I don't have a backup of any of the GPOs.

I don't really care about any of the existing GPOs; none of them work except for one.

0
 
Cobra25 Author Commented:
I used the MS tool and it recreated everything perfectly.
Thanks for the efforts.
0
 
Cobra25 Author Commented:
Tool worked great.
0
