GPO's and Security Policies

Thread: GPO's and Security Policies

  1. #1

    Question GPO's and Security Policies

    I'm having some problems with our Group Policy Objects on our DC. I'm trying to set domain level security policies, but when I try to get into DC Security Policy I get the error "failed to open Group Policy Object". Did some googling, and an article directed me to gpotool.exe. I ran it, and here's what I got:

    C:\Program Files\Resource Kit>gpotool /verbose
    Domain: HIFS
    Validating DCs...
    HPSERV.HIFS: down (sysvol only)
    domcon.HIFS: down (sysvol only)
    bakserv2.HIFS: down (sysvol only)
    Error: DC list is empty
    All three of those are indeed DCs.

    So, I don't know much about this, beyond that sysvol being down is a really bad thing. Can you guys shed some light on this, and how I go about fixing it?

  2. #2
    Senior Member | Join Date: Mar 2004 | Location: Colorado | Posts: 421
    Any hints from your event logs?

    Any services down?

  3. #3
    RoadClosed | Senior Member | Join Date: Jun 2003 | Posts: 3,834
    Try a google on domain replication. Use www.eventid.net and go through ALL event errors.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  4. #4
    Super Moderator | Know-it-All Master Beaver | Join Date: Jan 2003 | Posts: 3,914
    Hey Hey,

    I'm not entirely sure, but didn't you post before about DNS problems? The only reason I ask is because this can be related to a DNS problem.
    Source: http://www.jsiinc.com/SUBM/tip6400/rh6484.htm
    When you open any Active Directory snap-in or tool, you receive a message similar to:

    Failed to open the Group Policy Object.
    Details: The specified network password is not correct.

    This behavior will occur if the DNS settings on your computer are NOT properly configured:

    01. Use Control Panel to double-click Network and Dial-up Connections.

    02. Right-click Local Area Connection (or the name you have assigned to your internal network adapter) and press Properties.

    03. Select Internet Protocol (TCP/IP) and press Properties.

    04. Make sure that the IP address on the Preferred DNS server box points to the local DNS server. If this is NOT a Microsoft Windows 2000 (or greater) DNS server, it must be BIND 8.12 or later. If it is pointing to your ISP, implement DNS Forwarding. Alternately, you could point the Alternate DNS server to your ISP.

    05. Press the Advanced button.

    06. Select the DNS tab.

    07. Make sure your local DNS server is listed first in the DNS server addresses, in order of use box.

    08. Check the Append primary and connection specific DNS suffixes radial button and check the Append parent suffixes of the primary DNS suffix box.

    09. Make sure the DNS suffix for this connection box has your Active Directory domain name, like JSIINC.COM, and check the Register this connection's addresses in DNS box.

    10. Press OK, OK, and OK.
    Also, if you aren't getting the password details then

    Source: http://www.winnetmag.com/WindowsSecu...992/39992.html


    Whenever I try to open a Group Policy Object (GPO) to view its security settings, I get the error Failed to open the Group Policy Object. You may not have appropriate rights. Details: The system cannot find the path specified. Why can't Windows find the GPO?

    This error usually signifies a problem with DNS. To ensure that your DNS server is functioning correctly and isn't logging errors, check the DNS event log on your DNS servers and the Directory Service (DS) log on all your domain controllers (DCs).

    If DNS is functioning correctly, the problem could be something more serious, such as a problem with your SYSVOL share or file replication on your DCs. A good way to check those and other problems with Group Policy is to use the Group Policy Verification Tool (gpotool.exe), which you can download from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpotool-o.asp. At the command line, type

    gpotool /verbose
    It mentioned the gpotool that you used, but before that it mentioned checking DNS, as does the other article. Have you checked your DNS over?

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
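
The order of checks the quoted articles describe (DNS first, then the SYSVOL share), applied to the gpotool output from post #1. This is an added example, not part of the original thread: the function names are hypothetical, it assumes PowerShell 3.0 or later on a domain-joined admin host, and it assumes gpotool status lines have the shape shown in post #1.

```powershell
# Added example (not from the thread). $sample is the gpotool output quoted in post #1.
$sample = @'
Domain: HIFS
Validating DCs...
HPSERV.HIFS: down (sysvol only)
domcon.HIFS: down (sysvol only)
bakserv2.HIFS: down (sysvol only)
Error: DC list is empty
'@

# Hypothetical helper: extract the DCs that gpotool reported as "down".
# Assumes lines of the form "<name>: down (<detail>)" as seen in post #1.
function Get-GpotoolDownDc {
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(?<dc>[\w.-]+):\s*down\b\s*\(?(?<detail>[^)]*)\)?') {
            [pscustomobject]@{ DC = $Matches.dc; Detail = $Matches.detail.Trim() }
        }
    }
}

# Hypothetical helper: check name resolution first, then the two shares
# every DC publishes (SYSVOL and NETLOGON).
function Test-DcSysvol {
    param([string]$Dc)
    $addresses = @()
    try { $addresses = [System.Net.Dns]::GetHostAddresses($Dc) } catch { }
    [pscustomobject]@{
        DC        = $Dc
        Resolves  = ($addresses.Count -gt 0)
        Addresses = ($addresses -join ', ')
        Sysvol    = Test-Path -LiteralPath "\\$Dc\SYSVOL"
        Netlogon  = Test-Path -LiteralPath "\\$Dc\NETLOGON"
    }
}

# Resolves = False               -> fix DNS before looking anywhere else.
# Resolves = True, Sysvol = False -> the share is missing or unreachable;
#                                   check the File Replication Service event log on that DC.
Get-GpotoolDownDc -Text $sample |
    ForEach-Object { Test-DcSysvol -Dc $_.DC } |
    Format-Table -AutoSize
```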

  5. #5
    There are no errors in the DNS event log.

    Failed to open the Group Policy Object. You may not have appropriate rights. Details: The system cannot find the path specified. Why can't Windows find the GPO?
    That's the message I'm getting, word for word.

    09. Make sure the DNS suffix for this connection box has your Active Directory domain name, like JSIINC.COM, and check the Register this connection's addresses in DNS box.
    This was the only thing not already set, so I set it to our domain properly. No change in results though.

    Road -- No event errors related to DNS were present in any of the various event logs.

  6. #6
    Senior Member | Join Date: Apr 2004 | Posts: 1,130
    just for checking:
    the workstation where you are trying to admin AD is pointing to same DNS server that contains AD structure?
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  7. #7
    Right, it sure is.

  8. #8
    Senior Member | Join Date: Apr 2004 | Posts: 1,130
    so, after obvious...and your station has the same dns suffix of AD servers too...

    have you checked sysvol rights?

    can you access dc admin console from that station? and create an object (any) on AD?

  9. #9
    Ok, sysvol and its rights are what I'm wanting to learn about -- How do I go about looking into sysvol rights?

    And actually, this isn't from a work station, but through the DC locally. I can go into the DC's control panel and on into Domain Security Policy and that's when I get the GPO error. So it's on the DNS server itself.

  10. #10
    Senior Member | Join Date: Apr 2004 | Posts: 1,130
    bad, bad dog
    i thought you were accessing from a workstation...

    since you have more than one DC server, you got the same error on all?
