[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 520
  • Last Modified:

Unable to edit GPO

On a  32 bit SBS 2003 server running as a domain controller I get the following error when attempting to edit the domain policy gpo; "Failed to open the group policy object, you may not have sufficient rights."  Under details I get, "The data is invalid."  This is happening for at least two users, one the built in administrator account and another admin account, both members of the Enterprise admin group.  Event viewer shows massive numbers of 1085 and 1096 errors, both at the corresponding times and not.  The 1085 errors are in relation to Internet Explorer Zonemapping, the 1096 Reads "Windows cannot access the registry policy file." and points to the machine\registry.pol file as containing invalid data.  At this point the GPO cannot be edited from anywhere.
0
wcoil
Asked:
wcoil
  • 5
  • 3
  • 2
1 Solution
 
Darius GhassemCommented:
Run dcdiag post results please
0
 
JAN PAKULACommented:
Check that - quite common

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_25179558.html

This error indicates that there is a missing file in a Group Policy Object (GPO). GPOs reside on the domain controller's Sysvol share, and a local GPO also resides on the local computer's system drive. The event indicates that the Administrative Templates client side extension was trying to access the registry.pol file. This file might be corrupt. The Event log indicates the location of the corrupted registry.pol file. This error can also occur if the registry configuration is incorrect. Group Policy stores registry-based policy settings in the registry. If these registry keys have access control lists (ACLs) that prevent the system from writing to those values, this failure can occur.

Kindly refer these articles:

http://support.microsoft.com/kb/903252

http://support.microsoft.com/kb/930597

http://support.microsoft.com/kb/951059


JAN MA CCNA
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
wcoilAuthor Commented:
I will try that.
0
 
wcoilAuthor Commented:
Ultimately what I've done is to give up on trying to fix this gpo.  I am unable to edit the old gpo, but I can create a report of what it consists of.  Given this, I am using the report to re-create the gpo under a different name but with identical attributes.  I will then apply the gpo to the same users and machines as the original.  Sounds good in theory.
0
 
JAN PAKULACommented:
probably easiest solution (you might not be able to see all Gp policy atributes if it is damaged)
To be sure unlink it + delete it, but dont delete it from gp policy objects container, until you 100% sure that everything works.
0
 
wcoilAuthor Commented:
One interesting aspect of the report is a line under Extra Registry Settings which states, "Display names for some settings cannot be found.  You might be able to resolve this issue by updating the .ADM files used by Group Policy Management."  I assume this has something to do with the original issue, though I don't know what.  If I do update the .ADM files by downloading from MS website is that likely to revert everything to default, or just correct the particular GPO I'm having issue with?
0
 
Darius GhassemCommented:
Could just correct the problem but I still doubt the problem will be fixed but you can try
0
 
wcoilAuthor Commented:
The GPO is in place and seems to be working well. At this point I'm going to go ahead and close this thread out.
0
 
wcoilAuthor Commented:
Ultimately I came up with the solution myself, but this was helpful.
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 5
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now