Robert Hatcher
asked on
Unable to edit existing GPOs, but can create and edit new GPOs
Windows 2012 Server AD DS 2 Servers
Replicating DFSR using /SYSVOL_DFSR
I followed the Sept 2009 Migration SYSVOL to DFS Replication. It has been working well and passes all diags.
I needed to update a pointer for 300 clients so I figured out how to use preferences for registry settings by editing the direct policy for one client (same as the field) as a test I keep in my cubicle. After verifying the settings I then tried using Group Policy Update from the GPMC, but it didn't work. I then removed all of the registry preferences. It was soon after that I was not able to edit the main policy that oversees all of the clients. I have looked around using Google and tried to follow ADSIEdit, but I couldn't locate the internal references the web page stated. I have run every separate test on dcdiag and all pass.
Based on what I read from the web I then tried nltest:
nltest /dclist:<domain> states the FSMO is the PDC, but nltest /dcname:<domain> fails.
Also my environment requires external DNS using one way outbound trust (non transitive)
What other info do you need?
ASKER
Thanks for responding. I think you narrowed it down rather quickly. I have no SYSVOL folder under C:\Windows.
The error that pops when trying to edit states: "Failed to open the Group Policy Object. You might not have the appropriate rights."
Details: "The system cannot find the path specified"
Found this that may help you unless you have backups of your group policy--this answer was given to a similar question about missing sysvol and netlogon folders here on EE.
http://serverfault.com/questions/355357/new-win2008r2-dc-missing-sysvol-and-netlogon-folders
ASKER
As I stated in the initial question I am running DFSR not ntfrs. I think all my sysvol and netlogon are on my Drive G. See below:
C:\Windows\system32>net share

Share name   Resource                        Remark
-------------------------------------------------------------------------------
ADMIN$       C:\Windows                      Remote Admin
C$           C:\                             Default share
E$           E:\                             Default share
F$           F:\                             Default share
G$           G:\                             Default share
K$           K:\                             Default share
H$           H:\                             Default share
IPC$                                         Remote IPC
S$           S:\                             Default share
J$           J:\                             Default share
H            H:\
J            J:\
K            K:\
NETLOGON     G:\SYSVOL_DFSR\sysvol\MPIW.ENG.USPS.GOV\SCRIPTS
                                             Logon server share
SYSVOL       G:\SYSVOL_DFSR\sysvol           Logon server share
The command completed successfully.
This is normal for DFSR. I was able to edit after this. It was after I worked on a single client's policy that I lost the ability to edit from the common policy for all clients.
Did you check the permissions on those folders?
ASKER
I don't remember. I think so. Please see the attachment. I'm not sure what the permissions should be for this.
permissions.jpg
How many sub folders do you have under SYSVOL share and what are the permissions on those? The user you are editing with is a member of which groups?
ASKER
Please see attachments for both questions. In the meanwhile I made a brand new policy in parallel to the un-editable, but readable one and switched over to the new one and I am back in business. I'd still like to know what happened.
sysvol-folders.jpg
admin-member-of-groups.jpg
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Well we didn't find the reason, but you taught me a few things I should have checked in the first place. Enjoy your points.
What happens when you try to edit? Have you verified permissions on the folder?
C:\Windows\SYSVOL\sysvol\Y
Also this article may help you to know where and how your policies are stored (3 parts)
http://www.windowsnetworking.com/articles-tutorials/common/Group-Policy-Settings-Part1.html
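The two checks the responders ask for in this thread (does the path behind the GPO exist, and who has rights on the folder) can be run for every GPO at once. The script below is an added example, not part of the original thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and that the account running it can read SYSVOL.

```powershell
# Added example: audit each GPO's SYSVOL folder (existence, version match, writers).
Import-Module GroupPolicy, ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

$report = foreach ($gpo in Get-GPO -All -Domain $domain) {
    # gPCFileSysPath is the UNC path the Group Policy editor opens for this GPO.
    # A missing folder there matches "The system cannot find the path specified".
    $path = (Get-ADObject -Identity $gpo.Path -Properties gPCFileSysPath).gPCFileSysPath
    $folderOk = [bool]$path -and (Test-Path -LiteralPath $path)
    $gptOk    = $folderOk -and (Test-Path -LiteralPath (Join-Path $path 'GPT.INI'))

    # Accounts holding an Allow ACE with write-level rights on the GPO folder.
    $writers = @()
    if ($folderOk) {
        $writers = (Get-Acl -LiteralPath $path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           "$($_.FileSystemRights)" -match 'Write|Modify|FullControl' } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique
    }

    [pscustomobject]@{
        Name          = $gpo.DisplayName
        Id            = $gpo.Id
        SysvolPath    = $path
        FolderExists  = $folderOk
        GptIniExists  = $gptOk
        # AD and SYSVOL keep separate version counters; a mismatch means the
        # two halves of the GPO are out of step.
        VersionsMatch = ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion) -and
                        ($gpo.User.DSVersion -eq $gpo.User.SysvolVersion)
        Writers       = $writers -join '; '
    }
}

# False sorts before True, so GPOs with a missing folder or GPT.INI come first.
$report | Sort-Object FolderExists, GptIniExists, VersionsMatch |
    Format-Table Name, FolderExists, GptIniExists, VersionsMatch, Writers -AutoSize -Wrap
```

A GPO with FolderExists = False is readable in GPMC from its AD object but cannot be opened for editing, and the Writers column shows which accounts can modify policy files on disk.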