Edit disabled for Default Domain Policy in SBS 2011

    Question

  • Hello, I'm facing an issue with Windows Small Business Server 2011. With Windows Server 2003 we didn't have this problem.

    As you can see in the screenshot, the "Edit" option for the Default Domain Policy item is disabled. This occurs with any other Group Policy object.

    Why? How can I enable it? Or is there a different way to modify a policy?

    Note that I'm logged in as an administrator.

    Many thanks!

    Tuesday, August 30, 2011 12:09 PM

Answers

  • Hi,


    Based on my search, this issue can be caused by an incorrect token.

     

    Please run the command: “Klist purge” to clear all cached Kerberos tickets.

     

    If it does not work, please try to create a new domain administrator to check if you have the same issue. If the new one works, please transfer the profile from the problematic domain administrator to the newly created one. You may delete the problematic one after making sure everything is good.

     

    For more information, please also refer to the following thread:

     

    Group Policy Management Console , GPO Edit, Restore Options are grayed out, access denied with gp modelling and deleting gpo

    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/da2538a5-3d0b-4f2f-bdc0-c9091a2553bc/

     

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, September 02, 2011 6:54 AM
    Moderator

All replies

  • Hi,

    Please check the delegation tab.

    Also paste the output of whoami /All


    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, August 30, 2011 12:12 PM
  • Delegation tab is the following:

    whoami says:

    C:\Users\dhg01>whoami /All
    
    USER INFORMATION
    ----------------
    
    User Name SID
    ========= =============================================
    dhg\dhg01 S-1-5-21-2040216328-671452908-3875821298-1187
    
    
    GROUP INFORMATION
    -----------------
    
    Group Name                                 Type             SID                                           Attributes
    ========================================== ================ ============================================= ==================================================
    Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
    BUILTIN\Administrators                     Alias            S-1-5-32-544                                  Group used for deny only
    BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
    BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555                                  Mandatory group, Enabled by default, Enabled group
    BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Group used for deny only
    BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                  Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14                                      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
    LOCAL                                      Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
    DHG\DhgGroup                               Group            S-1-5-21-2040216328-671452908-3875821298-1166 Mandatory group, Enabled by default, Enabled group
    Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                                   Mandatory group, Enabled by default, Enabled group
    
    
    PRIVILEGES INFORMATION
    ----------------------
    
    Privilege Name                Description                          State
    ============================= ==================================== ========
    SeShutdownPrivilege           Shut down the system                 Disabled
    SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
    SeUndockPrivilege             Remove computer from docking station Disabled
    SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
    SeTimeZonePrivilege           Change the time zone                 Disabled

    Tuesday, August 30, 2011 12:26 PM
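
Added example (not part of the original thread): a PowerShell function that reads the same group and integrity-label fields as the whoami /All output above and reports whether an administrative group is active in the token or present only as deny-only. The function name Get-TokenAdminState and the sample rows are assumptions built from the values posted above; the "deny only" match assumes English whoami output.

```powershell
# Added example: classify a logon token from `whoami /groups /fo csv /nh` output.
function Get-TokenAdminState {
    param(
        # Defaults to the live token; pass saved CSV lines to analyse offline.
        [string[]]$GroupsCsv = (whoami /groups /fo csv /nh)
    )
    $rows = $GroupsCsv | ConvertFrom-Csv -Header Name, Type, Sid, Attributes

    # Well-known admin SIDs: BUILTIN\Administrators, plus domain RIDs
    # 512 (Domain Admins) and 519 (Enterprise Admins).
    $admin = @($rows | Where-Object {
        $_.Sid -eq 'S-1-5-32-544' -or $_.Sid -match '^S-1-5-21-[\d-]+-(512|519)$'
    })
    # Assumption: English attribute text ("Group used for deny only").
    $denyOnly = @($admin | Where-Object { $_.Attributes -match 'deny only' })
    $enabled  = @($admin | Where-Object { $_.Attributes -notmatch 'deny only' })

    # Integrity label SID S-1-16-<rid>: 8192 = Medium, 12288 = High.
    $label = $rows | Where-Object { $_.Sid -like 'S-1-16-*' } | Select-Object -First 1
    $level = 'unknown'; $rid = 0
    if ($label) {
        $level = $label.Name
        $rid   = [int](($label.Sid -split '-')[-1])
    }

    New-Object PSObject -Property @{
        IntegrityLevel    = $level
        Elevated          = ($rid -ge 12288)
        AdminGroupsActive = @($enabled  | ForEach-Object { $_.Name })
        AdminGroupsDeny   = @($denyOnly | ForEach-Object { $_.Name })
    }
}

# Constructed sample rows, using values from the whoami /All output above.
$sample = @(
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"'
    '"DHG\DhgGroup","Group","S-1-5-21-2040216328-671452908-3875821298-1166","Mandatory group, Enabled by default, Enabled group"'
    '"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192","Mandatory group, Enabled by default, Enabled group"'
)
Get-TokenAdminState -GroupsCsv $sample | Format-List
```

Called without arguments, the function inspects the token of the console it runs in, so the result can differ between an ordinary and an elevated prompt for the same account.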
  • Hi,

    Could you please go to the Advanced tab and share the exact permissions of Domain Admins and Enterprise Admins with us?

     





    Tuesday, August 30, 2011 12:47 PM
  • Here you have it for Domain Admins (for Enterprise Admins it is the same):

    Thanks again!

    Tuesday, August 30, 2011 12:57 PM
  • Hi,

     

    Is the issue happening with the Default Domain Policy only or with any policy? Secondly, do you have any other DC? Can you check on that DC as well?

    Tuesday, August 30, 2011 1:20 PM
  • Hi,

    Click on the Advanced tab. Click on Effective Permissions. Click on Select, edit, put in your user name and click on Apply, and give me the screenshot.


    Tuesday, August 30, 2011 1:25 PM
  • Hi, it occurs with any policy.

    You ask if I have other Domain controllers? Under "Domain Controllers" node I only see "Default Domain Controllers Policy"...

    Tuesday, August 30, 2011 1:30 PM
  • Tuesday, August 30, 2011 1:33 PM
  • Hi,

    Not from the GPM Console, but open dsa.msc and go to the Domain Controllers OU and check if there is any other DC. Log in to that DC and check.

     

    Tuesday, August 30, 2011 1:34 PM
  • Hi,

    For testing, add your account to the Group Policy Editor group.

    Make sure that you are either a Domain Admin or Enterprise Admin and a member of the Group Policy Editor group to edit it.


    If you found this post helpful, please give it a "Helpful" vote. If it answered your question, remember to mark it as an "Answer". This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!
    Tuesday, August 30, 2011 1:38 PM
  • Ah ok.. I checked and I have only one computer in Domain Controllers node.
    Tuesday, August 30, 2011 1:42 PM
  • Hi, as suggested above, check by adding yourself to Group Policy Creator Owner and Group Policy Editor. Also, you are not a member of Domain Admins. Kindly add your ID to Domain Admin and check.
    Tuesday, August 30, 2011 1:45 PM
  • Hi, there's no "Group Policy Editor" group, but only the "Group Policy Creator Owners" group.
    Tuesday, August 30, 2011 1:45 PM
  • Hi,

    I don't see that your account is a member of Domain Admin or Enterprise Admin. Add your account to the respective group.

    Are you logged in as local administrator?


    Tuesday, August 30, 2011 1:46 PM
  • Hi,

     

    Add your ID to Domain Admin and check

    Tuesday, August 30, 2011 1:51 PM
  • These are the groups I'm a member of:

     

    Additionally, I'm logged in via Remote Desktop. Could it be important? In Windows Server 2003 it wasn't an issue. Thanks!

    Tuesday, August 30, 2011 1:51 PM
  • Hi,

    Can you try editing the Group Policy from a client machine?

    http://www.petri.co.il/download_gpmc.htm


    Tuesday, August 30, 2011 2:00 PM
  • It doesn't work on my Windows 7. Maybe I can try this: http://www.microsoft.com/download/en/details.aspx?id=7887 ?

    Tuesday, August 30, 2011 2:10 PM
  • Yes, for Windows 7 you need to install RSAT.
    Tuesday, August 30, 2011 2:13 PM
  • More info:

    http://blogs.technet.com/b/grouppolicy/archive/2009/12/23/how-to-install-rsat.aspx


    Tuesday, August 30, 2011 2:16 PM
  • I installed it, but how can I connect to my server?

    I open Group Policy Management, click on Actions > Add forest... and try to specify the server IP. But it says something like "Specified domain doesn't exist or is unreachable".

    Tuesday, August 30, 2011 3:31 PM
  • Hi,

    In the Add Forest dialog box, type the DNS or NetBIOS name of any domain in the forest, and then click OK.

    You can specify either the DNS name or the NetBIOS name of any domain in the forest. If you specify a NetBIOS name, you must confirm that the NetBIOS name corresponds to the DNS name of the domain.

    The forest is added to Group Policy Management Console, along with the domain that you specified.

     

    Add a forest, site, or domain to the Group Policy Management 

    technet.microsoft.com/en-us/library/cc786573(v=ws.10).aspx


    Thursday, September 01, 2011 10:04 AM
  • Thanks, but it doesn't accept what I type. I fear I can only add domains in my same LAN.. now I'm connecting over the internet. Actually the DNS server of my server is inside its LAN and I can't access it.

    I'll abandon this attempt with RSAT. Also because I tried to remotely use the server in a local fashion (with a tele-assistance program) and I faced the same limitations (edit disabled for Group policy objects).

    It must be something else and not the way I'm connected and logged.

    Thursday, September 01, 2011 12:04 PM
  • Hi, 

    How are you connected to your internal network? VPN?

    Make sure that you have proper connectivity established to your internal network and that your local DNS server is accessible.

    Unless you have connected to your internal network you cannot perform your actions.


    Thursday, September 01, 2011 1:18 PM
  • I have some new useful information:

    I managed to make a user try to edit GPOs locally and... he could do it!

    So it is some kind of connectivity issue.

    I connect to the server via Remote Desktop passing through the global internet, using some ports opened for this purpose.

    I hope we can solve this problem, thanks everybody!
    Friday, September 02, 2011 4:13 PM
  • Hi,

     

    Did you try the suggestions I provided above and what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

     

    Regards, 


    Friday, September 09, 2011 4:29 AM
    Moderator