Solved

Cannot Open Default Domain or Domain Controller Security Policy

Posted on 2010-08-18
Last Modified: 2012-05-10
When I try to open either, I get a "failed to open the Group Policy Object. You may not have appropriate rights" message. I see event ID 1000 being written every few minutes stating "windows cannot access the file gpt.ini for GPO. The file must be present at the location <>. (). Group policy processing aborted." I have 2 Windows 2k DCs in my environment.
Question by:Cobra25
 
LVL 8

Accepted Solution

by:
SGrossmann earned 500 total points
ID: 33469138
Are the policies applied to your clients / domain controllers correctly? What is with all other policies in your environment? Can you open / edit them without problems?

If not, you might need to restore those policies; as long as you did not change them, there is not a real problem with it.

http://www.microsoft.com/downloads/details.aspx?familyid=b5b685ae-b7dd-4bb5-ab2a-976d6873129d&displaylang=en
0
 
LVL 9

Expert Comment

by:Amirchoupani
ID: 33469413
Check your DNS and GC.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 33471007
Well, the thing is I'm not sure what settings are being applied; I inherited this network. Should I try running RSoP from one of the machines? I don't know about any of the policies since I cannot view anything when I try to open the domain/domain controller policies; I just get the error message as mentioned before and then a red X on the console.

Amirchoupani, DNS and GC is ok.
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33479352
If you are not able to see/edit them, they might not apply to the clients at all.

Try a gpresult /v on a client and a domain controller to see if the policies are applied.
0
 
LVL 9

Expert Comment

by:Amirchoupani
ID: 33493296
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33494501
@Amirchoupani, there was no domain rename as far as I understood Cobra, so this article would not help.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 33512950
That's right, I haven't renamed the domain. Should I try using the GPT tool for Win2k that resets all the GPO files and settings back to default?
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33512997
If the policies aren't applied to the client, you could not change anything away from the default if you reset the policies.

Make sure to configure the password policy in the Default Domain Policy after the restore, as you need it.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 33513011
"If the policies aren't applied to the client you could not change anything away from the default if you reset the policies."

I'm not sure what you mean by this.
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33513064
Oh sorry, bad English :)

If the policies aren't applied at the moment, anything that was changed will not be applied to clients added to the domain after the policies went bad.

If you recreate those policies, the default policies as after the installation of the domain will be applied to the clients and domain controllers.

If I remember right, I never had to change anything besides the password policies in those default policies. Even I cannot remember changing some of these settings with other policies somewhere within the domain.

If you've restored those policies, check if all works as expected, and if any of the settings might be a problem for some special application within your environment; for Microsoft applications the default settings won't harm at all.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 33513094
So are you saying that after I reset everything, any existing policies that I have running will not work any longer?
0
 
LVL 4

Author Comment

by:Cobra25
ID: 33526666
I tried RSoP on one of the machines. I get an "rsop data is invalid" message, and in the details at the bottom it says, "Invalid Namespace".
0

 
LVL 4

Author Comment

by:Cobra25
ID: 33526846
I checked the debug/userenv.log, and this is the message I get:

USERENV(e8.350) 17:45:20:163 ProcessGPO:  Couldn't find the group policy template file <\\xxx.com\sysvol\xxxx..com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>, error = 0x3.
USERENV(e8.350) 17:45:20:178 ReportEvent failed.  Error = 1502
USERENV(e8.350) 17:45:20:178 EvalList:  ProcessGPO failed
USERENV(e8.350) 17:45:20:178 GetGPOInfo:  EvaluateDeferredGPOs failed. Exiting
USERENV(e8.350) 17:45:20:178 ProcessGPOs: GetGPOInfo failed.
USERENV(e8.350) 17:45:20:178 ReportEvent failed.  Error = 1502

Not sure what to do now
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33528905
Regarding your first question:
All other policies are untouched, only the two Default Policies will reset to default.
You need to change the Password Policy if you don't want the default settings within Default Domain Policy.

{31B2F340... is your Default Domain Policy. As I see it, there might be more problems regarding GPO processing if those policies are broken.
As long as they can not be read you can reset them without any problems to defaults.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 33537362
I don't have any GPOs currently. I believe the password settings were set in the Default Domain Policy, which I have no problem resetting from default.

I think at this point it's best to go ahead and reset them back to default; I'm just worried about any repercussions from doing so.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 33537621
Okay, I found the password policy GPO, and I'm able to edit it. The weird part is that if I check the properties on the GPO, the Unique name doesn't match any of the GUIDs in the Sysvol\domainname\policies folder.
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33537741
OK, sounds strange. If you have a policy it must be within the sysvol folder, at least on the PDC emulator, and if it is not on the second DC you additionally have a replication issue.

The password policy needs to be linked on the domain root to be used.

But if you say you don't have any GPOs at the moment, I don't understand how there might be one except the Default Domain Policy.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 33537746
If I go to ADSIEdit, under the policies container, I do see the GUIDs match up here however. How is the password policy GPO being applied when the folder for it is missing in my sysvol/domainname/policies folder?
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33537783
It should not be applied at all if the policy files are missing.
Are there more than the two not-working default policies? If yes, are they all missing within sysvol?
0
 
LVL 4

Author Comment

by:Cobra25
ID: 33538250
The defaults don't work.

I was skimming through the OUs in AD, and I found the majority of them had a GPO assigned to them; however, if I clicked Edit on any of them, they would not open.
I did find one called a password policy GPO on one of the OUs, and I was able to open it and edit it; this is the only one I can open. As I mentioned, I cannot open the default domain or default domain controller ones. So I checked its Unique ID, and found that it didn't match what was in the Sysvol folder, which is so strange. How is this getting applied then?
0
 
LVL 4

Author Comment

by:Cobra25
ID: 33538833
I found it! Turns out it was running at the Domain level. The GUID matches up.
Now I think the bottom line is to either recreate the 2 default policies, or just do a restore using the MS tool. What do you guys recommend?
0
 
LVL 8

Expert Comment

by:SGrossmann
ID: 33539411
If you have a working backup of your GPOs, try to restore them.

If this does not work, you should restore the default policies and try to recreate the default policies with the restore tool, and afterward you need to check what happened to your other GPOs. If none of your GPOs is working, I think you might have more problems than the two default policies and you need to check what happened to your sysvol folder.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 33543697
Don't have a backup of any of the GPOs.

I don't really care about any of the existing GPOs; they all don't work except for one of them.

0
 
LVL 4

Author Comment

by:Cobra25
ID: 33546465
I used the MS tool and it recreated everything perfectly.
Thanks for the efforts
0
 
LVL 4

Author Closing Comment

by:Cobra25
ID: 33546470
tool worked great
0
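An added example (not part of the original thread, and not the Microsoft tool mentioned in it): a Python check for the two symptoms discussed above, the `userenv.log` "Couldn't find the group policy template file" line and the mismatch between GPO GUIDs seen in ADSI Edit and the folders under the SYSVOL Policies directory. It assumes the GUID list has already been read from AD and that the Policies folder is reachable as a path; the function names and the two placeholder GUIDs are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
MISSING_RE = re.compile(  # userenv.log line for an unreadable GPO template
    r"ProcessGPO:\s+Couldn't find the group policy template file <([^>]+)>,"
    r" error = (0x[0-9a-f]+)", re.I)

# Log line as posted in the thread (domain name already redacted there)
SAMPLE_LOG = r"""USERENV(e8.350) 17:45:20:163 ProcessGPO:  Couldn't find the group policy template file <\\xxx.com\sysvol\xxxx..com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>, error = 0x3.
"""

def missing_templates(log_text):
    """Map GPO GUID -> Win32 error code for each template userenv could not load."""
    out = {}
    for path, err in MISSING_RE.findall(log_text):
        guid = GUID_RE.search(path)
        if guid:
            out[guid.group(0).upper()] = int(err, 16)
    return out

def audit_sysvol(ad_guids, policies_dir):
    """Compare GPO GUIDs known to AD with the GUID folders in a Policies directory."""
    on_disk = {p.name.upper(): p for p in Path(policies_dir).iterdir()
               if p.is_dir() and GUID_RE.fullmatch(p.name)}
    wanted = {g.upper() for g in ad_guids}
    report = {"no_folder": [], "no_gpt_ini": []}
    for guid in sorted(wanted):
        folder = on_disk.get(guid)
        if folder is None:
            report["no_folder"].append(guid)       # GPO in AD, nothing in SYSVOL
        elif not any(f.name.lower() == "gpt.ini" for f in folder.iterdir()):
            report["no_gpt_ini"].append(guid)      # folder exists, template gone
    report["orphan_folder"] = sorted(set(on_disk) - wanted)
    return report

def demo():
    """Audit a constructed Policies tree built in a temporary directory."""
    ddp = "{31B2F340-016D-11D2-945F-00C04FB984F9}"     # GUID from the thread's log
    custom = "{11111111-2222-3333-4444-555555555555}"  # constructed: in AD only
    stale = "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"   # constructed: on disk only
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / ddp).mkdir()                      # folder without gpt.ini
        (Path(tmp) / stale).mkdir()
        (Path(tmp) / stale / "GPT.INI").write_text("[General]\nVersion=1\n")
        return audit_sysvol([ddp, custom], tmp)

if __name__ == "__main__":
    print(missing_templates(SAMPLE_LOG), demo())
```

Error 0x3 in the posted log is ERROR_PATH_NOT_FOUND, meaning the path to gpt.ini could not be resolved rather than only the file being absent. Running the audit against each DC's copy of SYSVOL separately also shows whether the two copies disagree, which is the replication question raised in the thread.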
