Missing GP object "Public Key Policies"

    Question

  • I manage two domains (separate forests).  One, our DMZ, is fine.  The other, our primary domain, is missing the following group policy object:

    Computer Configuration | Windows Settings | Security Settings | Public Key Policies

    There are a lot of other contents in the "Security Settings" location, but the one I need is missing.  Both domains are running on (4) 2008 R2 domain controllers and at a 2008 R2 Functional Level.  I've tried running GPE from multiple machines (DCs and workstations) and it still is not shown.  I have Domain Admin rights as well so unless it needs Enterprise admin rights, that shouldn't be an issue.

    Chris

    Wednesday, December 10, 2014 7:40 PM

All replies

  • It's probably not missing the GPO, but, it might be missing the relevant MMC snap-in components.

    Have you checked that the relevant admin tools are installed?

    If installed, it might be an unregistered component (maybe certmgr.dll)?

    ref: http://support.microsoft.com/kb/555218


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Wednesday, December 10, 2014 8:30 PM
  • Thanks for your reply Don. I'm not sure which components would be missing as all of the normal AD tools are installed. The "Group Policy Management" feature is installed as are the required AD roles for a DC. I've tried re-registering the certmgr.dll file, but it crashes the regsvr32 application.  I've done a lot of research on that, but have found no good reason or fix for it, however, I also tried it on our working domain and get the same thing.  Any other thoughts?

    Also, I tried copying over the certmgr.dll file from the working domain to the non-working domain, but I'm not sure how to "import" it into the non-working domain.  I tried deleting the old (after taking ownership) and then copying this one in, but it made no difference.  I ran sfc /scannow and it restored the old one back, but still no worky.  I did notice there is a version difference between the working domain (6.1.7601.17514) and the non-working domain (6.1.7600.16385).  Apparently the OS builds are different, a POV I have not followed up yet.

    Chris

    • Edited by Epic75 Thursday, December 11, 2014 8:12 PM
    Thursday, December 11, 2014 8:09 PM
  • I did notice there is a version difference between the working domain (6.1.7601.17514) and the non-working domain (6.1.7600.16385).  Apparently the OS builds are different, a POV I have not followed up yet.

    The version aspect looks like SP1 vs. no-SP1.

    Not sure that would be the cause, but applying SP1 sounds like a good idea - it might even fix this issue (when the new file versions get installed/registered).



    Don

    Thursday, December 11, 2014 8:44 PM
  • Yeah, I'm working on that right now.  I have a test copy of our production DC1 that exhibits the same thing.  I'll keep you updated.
    Thursday, December 11, 2014 9:00 PM
  • No luck after installing SP1.  Any other ideas?
    Thursday, December 11, 2014 10:07 PM
  • It turns out that the Domain Administrator account is able to see the "Public key policies" section of the GPO.  I have an admin account that is part of the domain admin group, but even it isn't able to see it.  I tried elevating rights as much as I could, including granting it Enterprise Admin, but still could not see it.  The problem is that we keep our domain admin account disabled.  Any thoughts on getting around this?

    Monday, December 15, 2014 2:26 AM
  • That's really strange. I did verify that I can't re-register the certmgr.dll on my lab WS2008R2 DC (so those suggestions don't seem to apply to newer OS).

    I think you might need to raise a case with MSFT support to get further help with this (unless somebody else has any suggestions?)


    Don

    Monday, December 15, 2014 7:50 AM
  • That's good to know.  Any chance you can verify whether or not a domain admin can see the "Public Key Policies" section vs. THE domain administrator account can?
    Monday, December 15, 2014 7:55 PM
  • I can see Public Key Policies on any/every machine, even when logged in as a standard/limited domain user account. (even on a workstation with RSAT installed)

    Don

    Monday, December 15, 2014 8:00 PM