Default Domain GP Locked

  • Thread starter Thread starter Thomas Dietrich
  • Start date Start date
T

Thomas Dietrich

Hello,
I used a WinXP machine to edit our Default Domain Policy
Group Policy, and now I can no longer access the Group
Policy. When I try to open AD Users & Computers, Right
click on the Domain name, go to Properties, select the
Group Policy tab, and hit Edit I get the following error
message:
"Failed to open the Group Policy Object. You may not have
appropriate rights. Details: Unspecified error."

I double checked the security settings, all are good. I
cannot access even while logged in to the Domain
Controller as Administrator (member of the Enterprise
Admins group). I was told this is a result of editing
with my XP machine, but don't necessarily believe that.

I've already used KB Article 294257, but that didn't
fix the error.

I can edit the GPO's on all child containers and OU's
under this domain.

I downloaded and installed the Group Policy Management
Console snapin and when I view the GPO I get this message
under the Administrative Templates section:
The following errors were encountered:
The
file "\\CELESTA.frameless.pcd\sysvol\frameless.pcd\Policie
s\{31B2F340-016D-11D2-945F-00C04FB984F9}
\Machine\registry.pol" is not in a valid format. The file
might be corrupt. Use Group Policy Object Editor to
reconfigure the settings in this extension.

I was told by a consultant that I have to perform an
Authoritative Restore of the System State Data on the
Domain Controller, but would rather avoid that if
possible. Does anybody have any other ideas or
suggestions?

Thanks!
 
I would first make sure that you are able to still edit the policy via the
Windows XP machine. There should be no problem with editing a policy from a
Windows XP machine. This will update the adm files to the Windows XP
version. If you are receiving errors there, it is possible there is a
corrupt registry.pol file. You could try using the regview tool to output
the file and manually view the info.
http://support.microsoft.com/support/kb/articles/q178/6/65.asp

If you are able to edit it via Windows XP then I would begin by checking to
see if you have "disable automatic update of adm files" set.
 
Unfortunately I cannot edit the GPO from the XP machine
either. It cannot be edited from any machine on the
domain as far as I can tell.

I believe you are onto something with the corrupt
registry.pol file, though, because that's the error I get
when I use the GPEdit tool.

I downloaded the Regview.exe and when I launched it
unzipped into a bunch of source code files. I am not a
programmer, so I don't know how to recompile the source
code into an executable or to produce the dll that's
needed.

Where can I disable the automatic update of the adm files?

I hope we can resolve this without performing an
authoritative restore of the system state data, as I've
been told...

Thanks,
Tom
-----Original Message-----
I would first make sure that you are able to still edit the policy via the
Windows XP machine. There should be no problem with editing a policy from a
Windows XP machine. This will update the adm files to the Windows XP
version. If you are receiving errors there, it is possible there is a
corrupt registry.pol file. You could try using the regview tool to output
the file and manually view the info.
http://support.microsoft.com/support/kb/articles/q178/6/6 5.asp

If you are able to edit it via Windows XP then I would begin by checking to
see if you have "disable automatic update of adm files" set.

--
James Brandt [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights

Hello,
I used a WinXP machine to edit our Default Domain Policy
Group Policy, and now I can no longer access the Group
Policy. When I try to open AD Users & Computers, Right
click on the Domain name, go to Properties, select the
Group Policy tab, and hit Edit I get the following error
message:
"Failed to open the Group Policy Object. You may not have
appropriate rights. Details: Unspecified error."

I double checked the security settings, all are good. I
cannot access even while logged in to the Domain
Controller as Administrator (member of the Enterprise
Admins group). I was told this is a result of editing
with my XP machine, but don't necessarily believe that.

I've already used KB Article 294257, but that didn't
fix the error.

I can edit the GPO's on all child containers and OU's
under this domain.

I downloaded and installed the Group Policy Management
Console snapin and when I view the GPO I get this message
under the Administrative Templates section:
The following errors were encountered:
The
file "\\CELESTA.frameless.pcd\sysvol\frameless.pcd\Policie
s\{31B2F340-016D-11D2-945F-00C04FB984F9}
\Machine\registry.pol" is not in a valid format. The file
might be corrupt. Use Group Policy Object Editor to
reconfigure the settings in this extension.

I was told by a consultant that I have to perform an
Authoritative Restore of the System State Data on the
Domain Controller, but would rather avoid that if
possible. Does anybody have any other ideas or
suggestions?

Thanks!


.
 
Back
Top