Edit disabled for Default Domain Policy in SBS 2011
-
Tuesday, August 30, 2011 12:09 PM
Hello, I'm facing an issue with Windows Small Business Server 2011. Using Windows Server 2003 we didn't have this problem.
As you can see in the screenshot, the "Edit" option for the Default Domain Policy item is disabled. This occurs with any other Group Policy object.
Why? How can I enable it? Or is there a different way to modify a policy?
Note that I'm logged in as an administrator.
Many thanks!
All Replies
-
Tuesday, August 30, 2011 12:12 PM
Hi,
Please check the delegation tab.
Also paste the output of whoami /All
Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
-
Tuesday, August 30, 2011 12:26 PM
Delegation tab is the following:
whoami says:
C:\Users\dhg01>whoami /All

USER INFORMATION
----------------

User Name SID
========= =============================================
dhg\dhg01 S-1-5-21-2040216328-671452908-3875821298-1187

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544                                  Group used for deny only
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Group used for deny only
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
DHG\DhgGroup                               Group            S-1-5-21-2040216328-671452908-3875821298-1166 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                                   Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
-
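Added example, not part of the original thread or any poster's code: a Python reading of the group section of a logon token, reporting the integrity level, the deny-only groups, and whether Domain Admins, Enterprise Admins or Group Policy Creator Owners are active in it. It assumes the output was captured with `whoami /groups /fo csv` on an English-language system; `summarize_token` and the sample rows (values taken from the output above, re-expressed as CSV) are constructed for illustration.

```python
import csv
import io

# Constructed sample: rows from the whoami output in the post above, re-expressed
# in the CSV layout that `whoami /groups /fo csv` produces.
SAMPLE_CSV = r'''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
"BUILTIN\Pre-Windows 2000 Compatible Access","Alias","S-1-5-32-554","Group used for deny only"
"DHG\DhgGroup","Group","S-1-5-21-2040216328-671452908-3875821298-1166","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192","Mandatory group, Enabled by default, Enabled group"
'''

# Well-known integrity-level SIDs and domain-relative RIDs of the groups named in the thread.
INTEGRITY = {"S-1-16-4096": "low", "S-1-16-8192": "medium",
             "S-1-16-12288": "high", "S-1-16-16384": "system"}
DOMAIN_RIDS = {"512": "Domain Admins", "519": "Enterprise Admins",
               "520": "Group Policy Creator Owners"}
ADMINISTRATORS_SID = "S-1-5-32-544"


def summarize_token(csv_text):
    """Summarise the group section of a logon token from whoami CSV output."""
    summary = {"integrity": None, "deny_only": [], "active_domain_roles": [],
               "admin_state": "absent"}
    for row in csv.DictReader(io.StringIO(csv_text)):
        sid, attrs = row["SID"], row["Attributes"].lower()
        deny_only = "deny only" in attrs
        if sid in INTEGRITY:
            summary["integrity"] = INTEGRITY[sid]
        if deny_only:
            summary["deny_only"].append(row["Group Name"])
        if sid == ADMINISTRATORS_SID:
            summary["admin_state"] = "deny-only" if deny_only else "enabled"
        # Domain groups have SIDs of the form S-1-5-21-<domain>-<RID>.
        rid = sid.rsplit("-", 1)[-1]
        if sid.startswith("S-1-5-21-") and rid in DOMAIN_RIDS and not deny_only:
            summary["active_domain_roles"].append(DOMAIN_RIDS[rid])
    # Administrators present but deny-only means the process holds a filtered
    # (non-elevated) token: the membership exists but grants no access.
    summary["filtered_token"] = summary["admin_state"] == "deny-only"
    return summary


if __name__ == "__main__":
    for key, value in summarize_token(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```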
Tuesday, August 30, 2011 12:47 PM
Hi,
Could you please go to the Advanced tab and share the exact permission of Domain Admin and Enterprise Admin with us?
- Edited by Tanmoy Manik Tuesday, August 30, 2011 1:16 PM
-
Tuesday, August 30, 2011 12:57 PM
Here you have for Domain Admins (for Enterprise Admins is the same):
Thanks again!
-
Tuesday, August 30, 2011 1:20 PM
Hi,
Is the issue happening with the Default Domain Policy only, or with any policy? Secondly, do you have any other DC? Can you check on that DC as well?
-
Tuesday, August 30, 2011 1:25 PM
Hi,
Click on the Advanced tab. Click on Effective Permission. Click on select edit, put in your user name, click on Apply, and give me the screenshot.
-
Tuesday, August 30, 2011 1:30 PM
Hi, it occurs with any policy.
You ask if I have other Domain controllers? Under "Domain Controllers" node I only see "Default Domain Controllers Policy"...
-
Tuesday, August 30, 2011 1:33 PM
-
Tuesday, August 30, 2011 1:34 PM
Hi,
Not from the GPM Console, but open dsa.msc and go to the Domain Controllers OU and check if there is any other DC. Log in to that DC and check.
-
Tuesday, August 30, 2011 1:38 PM
Hi,
For testing, add your account to the Group Policy Editor group.
Make sure that you are either a Domain Admin or Enterprise Admin and a member of the Group Policy Editor group to edit it.
If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
-
Tuesday, August 30, 2011 1:42 PM
Ah ok.. I checked and I have only one computer in Domain Controllers node.
-
Tuesday, August 30, 2011 1:45 PM
Hi, as suggested above, check by adding yourself to Group Policy Creator Owner and Group Policy Editor. Also, you are not a member of Domain Admins. Kindly add your ID to Domain Admin and check.
-
Tuesday, August 30, 2011 1:45 PM
Hi, there's no "Group Policy Editor" group, but only the "Group Policy Creator Owners" group.
-
Tuesday, August 30, 2011 1:46 PM
Hi,
I don't see that your account is a member of Domain Admin or Enterprise Admin. Add your account to the respective group.
Are you logged in as local administrator?
-
Tuesday, August 30, 2011 1:51 PM
Hi,
Add your ID to Domain Admin and check
-
Tuesday, August 30, 2011 1:51 PM
These are the groups I'm member of:
Additionally, I'm logged in via remote desktop. Could it be important? In Windows Server 2003 it wasn't an issue. Thanks!
-
Tuesday, August 30, 2011 2:00 PM
Hi,
Can you try editing the Group Policy from a client machine?
http://www.petri.co.il/download_gpmc.htm
-
Tuesday, August 30, 2011 2:10 PM
It doesn't work on my Windows 7. Maybe I can try this: http://www.microsoft.com/download/en/details.aspx?id=7887 ?
-
Tuesday, August 30, 2011 2:13 PM
Yes, for Windows 7 you need to install RSAT.
-
Tuesday, August 30, 2011 2:16 PM
More info:
http://blogs.technet.com/b/grouppolicy/archive/2009/12/23/how-to-install-rsat.aspx
-
Tuesday, August 30, 2011 3:31 PM
I installed it, but how can I connect to my server?
I open Group Policy Management, click on Actions > Add forest... and try to specify the server IP. But it says something like "Specified domain doesn't exist or is unreachable".
-
Thursday, September 01, 2011 10:04 AM
Hi,
In the Add Forest dialog box, type the DNS or NetBIOS name of any domain in the forest, and then click OK.
You can specify either the DNS name or the NetBIOS name of any domain in the forest. If you specify a NetBIOS name, you must confirm that the NetBIOS name corresponds to the DNS name of the domain.
The forest is added to Group Policy Management Console, along with the domain that you specified.
Add a forest, site, or domain to the Group Policy Management
technet.microsoft.com/en-us/library/cc786573(v=ws.10).aspx
-
Thursday, September 01, 2011 12:04 PM
Thanks, but it doesn't accept what I type. I fear I can only add domains in my same LAN.. now I'm connecting over the internet. Actually the DNS server of my server is inside its LAN and I can't access it.
I'll abandon this attempt with RSAT. Also because I tried to remotely use the server in a local fashion (with a tele-assistance program) and I faced the same limitations (edit disabled for Group policy objects).
It must be something else and not the way I'm connected and logged.
-
Thursday, September 01, 2011 1:18 PM
Hi,
How are you connected to your internal network? VPN?
Make sure that you have proper connectivity established to your internal network and that your local DNS server is accessible.
Unless you have connected to your internal network you cannot perform your actions.
-
Friday, September 02, 2011 6:54 AM Moderator
Hi,
Based on my search, this issue can be caused by the incorrect token. Please run the command: “Klist purge” to clear all cached Kerberos tickets.
If it does not work, please try to create a new domain administrator to check if you have the same issue. If the new one works, please transfer the profile from the problematic domain administrator to the newly created one. You may delete the problematic one after making sure everything is good.
For more information, please also refer to the following thread:
Group Policy Management Console , GPO Edit, Restore Options are grayed out, access denied with gp modelling and deleting gpo
Regards,
- Marked As Answer by Arthur_Li Microsoft Contingent Staff, Moderator Monday, September 12, 2011 1:25 AM
-
Friday, September 02, 2011 4:13 PM
I have some new useful information:
I managed to make a user try to edit GPOs locally and... he could do it!
So it is a kind of connectivity issue.
I connect to the server via Remote Desktop passing through the global internet, using some ports opened for this purpose.
I hope we can solve this problem, thanks everybody!
-
Friday, September 09, 2011 4:29 AM Moderator
Hi,
Did you try the suggestions I provided above and what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

