Solved

Unable to edit existing GPOs, but can create and edit new GPOs

Posted on 2013-06-04
10
377 Views
Last Modified: 2013-06-06
Windows 2012 Server AD DS  2 Servers
Replicating DFSR   using /SYSVOL_DFSR
I followed the Sept 2009 Migration SYSVOL to DFS Replication. It has been working well and passes all diags.
I needed to update a pointer for 300 clients so I figured out how to use preferences for registry settings by editing the direct policy for one client (same as the field) as a test I keep in my cubicle. After verifying the settings I then tried to using Group Policy Update from the GPMC, but it didn't work. I then removed all of the registry preferences. It was soon after that I was not able to edit the main policy that oversees all of the clients. I have looked around using Google and tried to follow ADSIEdit, but I couldn't locate the internal references the web page stated. I have run every separate test on dcdiag and all pass.
Based on what I read from the web I then  tried nltest:
nltest /dclist:<domain> states the FSMO is the PDC, but nltest /dcname:<domain> fails.
Also my environment requires external DNS using one way outbound trust (non transitive)
What other info do you need?
0
Comment
Question by:hatcherb1234
  • 5
  • 5
10 Comments
 
LVL 25

Expert Comment

by:Lionel MM
ID: 39221805
"I was not able to edit the main policy that oversees all of the clients"
What happens when you try to edit? Have you verified permissions on the folder.
C:\Windows\SYSVOL\sysvol\YourDomainName\Policies

Also this article may help you to know where and how your policies are stored (3 parts)
http://www.windowsnetworking.com/articles-tutorials/common/Group-Policy-Settings-Part1.html
0
 
LVL 1

Author Comment

by:hatcherb1234
ID: 39222470
Thanks for responding. I think you narrowed it down rather quickly. I have no SYSVOL folder under C:\Windows.

The error that pops when trying to edit states: "Failed to open the Group Policy Object. You might not have the appropiate rights."

Details:"The system cannot find the path specified"
0
 
LVL 25

Expert Comment

by:Lionel MM
ID: 39223168
Found this that may help you unless you have backups of your group policy--this answer was given to a similar question about missing sysvol and netlogon folders here on EE.
http://serverfault.com/questions/355357/new-win2008r2-dc-missing-sysvol-and-netlogon-folders
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Author Comment

by:hatcherb1234
ID: 39223336
As I stated in the initial question I am running DFSR not ntfrs. I think all my sysvol and netlogon are on my Drive G. See  below:

C:\Windows\system32>net share

Share name   Resource                        Remark

----------------------------------------------------------------
ADMIN$       C:\Windows                      Remote Admin
C$           C:\                             Default share
E$           E:\                             Default share
F$           F:\                             Default share
G$           G:\                             Default share
K$           K:\                             Default share
H$           H:\                             Default share
IPC$                                         Remote IPC
S$           S:\                             Default share
J$           J:\                             Default share
H            H:\
J            J:\
K            K:\
NETLOGON     G:\SYSVOL_DFSR\sysvol\MPIW.ENG.USPS.GOV\SCRIPTS
                                             Logon server share
SYSVOL       G:\SYSVOL_DFSR\sysvol           Logon server share
The command completed successfully.

This is normal for DFSR. I was able to edit after this. It was after I worked on a single client's policy that I lost the ability to edit from the common policy for all clients.
0
 
LVL 25

Expert Comment

by:Lionel MM
ID: 39223896
Did you check the permissions on those folders?
0
 
LVL 1

Author Comment

by:hatcherb1234
ID: 39223933
I don't remember. I think so. Please see the attachment. I'm not sure what the permissions shouild be for this.
permissions.jpg
0
 
LVL 25

Expert Comment

by:Lionel MM
ID: 39224145
How many sub folders do you have under SYSVOL share and what are the permissions on those? The user you are editing with is a member of which groups?
0
 
LVL 1

Author Comment

by:hatcherb1234
ID: 39225233
Please see attachments for both questions. In the meanwhile I made a brand new policy in parallel to the un-editable, but readable one and switched over to the new one and I am back in business. I'd still like to know what happened.
sysvol-folders.jpg
admin-member-of-groups.jpg
0
 
LVL 25

Accepted Solution

by:
Lionel MM earned 500 total points
ID: 39225311
Well glad to know that you are back in business--as to what happened it could have been so many things but the most likely was the migration process. It is not uncommon for this to happen and has been happening in most versions of windows server. As to specifically why I could not be sure to pinpoint one or two specific reasons--sorry.
0
 
LVL 1

Author Closing Comment

by:hatcherb1234
ID: 39225318
Well we didn't find the reason, but you taught me a few things I should have checked in the first place. Enjoy your points.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows 8.1 Enterprise Pauses Frequently 27 86
Windows Server 2012  Backup - HyperV host 18 64
aes256 Ransomware on SBS 2011 13 37
Group Policy - Windows ADMX Central Store 2 23
This article will review the basic installation and configuration for Windows Software Update Services (WSUS) in a Windows 2012 R2 environment.  WSUS is a Microsoft tool that allows administrators to manage and control updates to be approved and ins…
The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring s…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question