Old July 13th, 2004, 10:44 PM   #1
AngelicKnight
AO Autobot
 
 
Join Date: Aug 2003
Posts: 2,368
Question GPO's and Security Policies

I'm having some problems with our Group Policy Objects on our DC. I'm trying to set domain level security policies, but when I try to get into DC Security Policy I get the error "failed to open Group Policy Object". Did some googling, and an article directed me to gpotool.exe. I ran it, and here's what I got:

Quote:
C:\Program Files\Resource Kit>gpotool /verbose
Domain: HIFS
Validating DCs...
HPSERV.HIFS: down (sysvol only)
domcon.HIFS: down (sysvol only)
bakserv2.HIFS: down (sysvol only)
Error: DC list is empty

All three of those are indeed DCs.

So, I don't know much about this, beyond that sysvol being down is a really bad thing. Can you guys shed some light on this, and how I go about fixing it?
__________________
The forums are back!
www.jameswebsite.net
Old July 13th, 2004, 11:02 PM   #2
ss2chef
Senior Member
 
Join Date: Mar 2004
Location: Colorado
Posts: 421
Any hints from your event logs?

Any services down?
Old July 14th, 2004, 12:15 AM   #3
RoadClosed
Senior Member
 
 
Join Date: Jun 2003
Posts: 3,834
Try a Google on domain replication. Use www.eventid.net and go through ALL event errors.
__________________
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
Old July 14th, 2004, 01:05 AM   #4
HTRegz
Super Moderator
Know-it-All Master Beaver
 
Join Date: Jan 2003
Posts: 3,911
Hey Hey,

I'm not entirely sure, but didn't you post before about DNS problems? The only reason I ask is because this can be related to a DNS problem.
Quote:
Source: http://www.jsiinc.com/SUBM/tip6400/rh6484.htm
When you open any Active Directory snap-in or tool, you receive a message similar to:

Failed to open the Group Policy Object.
Details: The specified network password is not correct.

This behavior will occur if the DNS settings on your computer are NOT properly configured:

01. Use Control Panel to double-click Network and Dial-up Connections.

02. Right-click Local Area Connection (or the name you have assigned to your internal network adapter) and press Properties.

03. Select Internet Protocol (TCP/IP) and press Properties.

04. Make sure that the IP address on the Preferred DNS server box points to the local DNS server. If this is NOT a Microsoft Windows 2000 (or greater) DNS server, it must be BIND 8.12 or later. If it is pointing to your ISP, implement DNS Forwarding. Alternately, you could point the Alternate DNS server to your ISP.

05. Press the Advanced button.

06. Select the DNS tab.

07. Make sure your local DNS server is listed first in the DNS server addresses, in order of use box.

08. Check the Append primary and connection specific DNS suffixes radial button and check the Append parent suffixes of the primary DNS suffix box.

09. Make sure the DNS suffix for this connection box has your Active Directory domain name, like JSIINC.COM, and check the Register this connection's addresses in DNS box.

10. Press OK, OK, and OK.

Also, if you aren't getting the password details, then

Quote:
Source: http://www.winnetmag.com/WindowsSecu...992/39992.html


Whenever I try to open a Group Policy Object (GPO) to view its security settings, I get the error Failed to open the Group Policy Object. You may not have appropriate rights. Details: The system cannot find the path specified. Why can't Windows find the GPO?

This error usually signifies a problem with DNS. To ensure that your DNS server is functioning correctly and isn't logging errors, check the DNS event log on your DNS servers and the Directory Service (DS) log on all your domain controllers (DCs).

If DNS is functioning correctly, the problem could be something more serious, such as a problem with your SYSVOL share or file replication on your DCs. A good way to check those and other problems with Group Policy is to use the Group Policy Verification Tool (gpotool.exe), which you can download from http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpotool-o.asp. At the command line, type

gpotool /verbose

It mentioned the gpotool that you used, but before that it mentioned checking DNS, as does the other article. Have you checked your DNS over?

Peace,
HT
__________________
IT Blog: .:Computer Defense:.
PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
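Added example, not part of the post above or of the articles it quotes: a PowerShell check that follows the order those articles give, DNS first and the SYSVOL share second. It assumes Windows 8 / Server 2012 or later for the DnsClient cmdlets, and `hifs.example` is a placeholder because the thread only shows the NetBIOS domain name HIFS.

```powershell
# Added example. Assumes Windows 8 / Server 2012 or later (DnsClient module).
param(
    # Placeholder: the thread only gives the NetBIOS name HIFS, not the DNS name.
    [string]$DomainFqdn = 'hifs.example'
)

# Well-known GUIDs of the two default GPOs; they are the same in every AD domain.
$defaultGpos = [ordered]@{
    'DefaultDomainPolicy' = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
    'DefaultDCPolicy'     = '{6AC1786C-016F-11D2-945F-00C04FB984F9}'
}

# 1. Which DNS servers is this machine actually querying, and in what order?
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# 2. Can that DNS server locate the domain controllers?
$srvName = "_ldap._tcp.dc._msdcs.$DomainFqdn"
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    Write-Warning "No SRV records for $srvName; fix DNS before looking at SYSVOL."
    return
}

# 3. On every DC that DNS returned, are the shares and default GPO folders there?
$results = foreach ($dc in ($srv.NameTarget | Sort-Object -Unique)) {
    $row = [ordered]@{
        DC       = $dc
        SYSVOL   = Test-Path -LiteralPath "\\$dc\SYSVOL"
        NETLOGON = Test-Path -LiteralPath "\\$dc\NETLOGON"
    }
    foreach ($name in $defaultGpos.Keys) {
        $folder = "\\$dc\SYSVOL\$DomainFqdn\Policies\$($defaultGpos[$name])"
        $row[$name] = Test-Path -LiteralPath $folder
    }
    [pscustomobject]$row
}
$results | Format-Table -AutoSize
```

A DC that resolves in step 2 but shows SYSVOL as False in step 3 points at the share or file replication rather than at DNS.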
Old July 14th, 2004, 06:54 PM   #5
AngelicKnight
AO Autobot
 
 
Join Date: Aug 2003
Posts: 2,368
There are no errors in the DNS event log.

Quote:
Failed to open the Group Policy Object. You may not have appropriate rights. Details: The system cannot find the path specified. Why can't Windows find the GPO?

That's the message I'm getting, word for word.

Quote:
09. Make sure the DNS suffix for this connection box has your Active Directory domain name, like JSIINC.COM, and check the Register this connection's addresses in DNS box.

This was the only thing not already set, so I set it to our domain properly. No change in results though.

Road -- No event errors related to DNS were present in any of the various event logs.
Old July 14th, 2004, 07:53 PM   #6
cacosapo
Senior Member
 
Join Date: Apr 2004
Posts: 1,130
just for checking:
the workstation where you are trying to admin AD is pointing to same DNS server that contains AD structure?
__________________
Meu sítio

FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt.
If I die before I wake, I pray the Lord my soul to brake.
Old July 14th, 2004, 08:24 PM   #7
AngelicKnight
AO Autobot
 
 
Join Date: Aug 2003
Posts: 2,368
Right, it sure is.
Old July 14th, 2004, 08:48 PM   #8
cacosapo
Senior Member
 
Join Date: Apr 2004
Posts: 1,130
So, after obvious... and your station has the same DNS suffix of AD servers too...

have you checked sysvol rights?

Can you access the DC admin console from that station? And create an object (any) on AD?
Old July 14th, 2004, 09:01 PM   #9
AngelicKnight
AO Autobot
 
 
Join Date: Aug 2003
Posts: 2,368
Ok, sysvol and its rights are what I'm wanting to learn about -- How do I go about looking into sysvol rights?

And actually, this isn't from a work station, but through the DC locally. I can go into the DC's control panel and on into Domain Security Policy and that's when I get the GPO error. So it's on the DNS server itself.
Old July 14th, 2004, 09:30 PM   #10
cacosapo
Senior Member
 
Join Date: Apr 2004
Posts: 1,130
bad, bad dog
i thought you were accessing from a workstation...

since you have more than one DC server, you got the same error on all?