Windows Server 2008: Unable to edit group policies

    Question

  • I have a customer with a Windows Server 2008. I am needing to update their password policy but I cannot edit any of the group policies. If I try and edit the password policy I get the error

    "The system cannot find the file specified. Failed to save \\domain\sysvol\domain\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf. Make sure that this object exists."

    If I try and add a mapped drive it gives me an empty message prompt with "error" as the title.

    I have checked the permissions on the sysvol and have disabled anti-virus but still get issues.

    Wednesday, July 6, 2016 2:56 AM

Answers

  • Hi,

    I did some research and found a similar case which ended up by transferring FSMO roles to another DC, demoting it, promoting it back. This method is just for your reference.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 11, 2016 8:24 AM
    Moderator

All replies

  • Hi,

    Thanks for your post.

    Before we go further, I would like to confirm the following:

    1. If you manually try to go to \\your fqdn\sysvol\...... Can you get there?

    2. From where are you editing that GPO, from the DC or from the workstation?

    3. How many DCs do you have? Can you edit the policy on either of the available DCs successfully? Can you confirm if your sysvol is replicating properly or not?

    How to confirm if replication is working, do it for each DC:

    http://technet.microsoft.com/en-us/library/cc978394.aspx

    Assuming that the .ini exists, you may want to compare the security settings for the policy in both DCs. If everything is OK, then go to a different DC, edit the GPO there, save the changes, and check if those changes were replicated to that SYSVOL DC.

    Also have a look at the event log for errors or warnings. You can also run dcdiag and netdiag on that DC and check that everything is working.

    Best Regards,

    Alvin Wang



    Wednesday, July 6, 2016 5:34 AM
    Moderator
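
The cross-DC comparison suggested in the reply above, as an added example that is not part of the original thread. It reads each GPO's GptTmpl.inf through every DC's SYSVOL share and flags differences in presence, size or ACL; the DC names and domain FQDN are placeholders, and GPOs without security settings legitimately have no GptTmpl.inf on any DC.

```powershell
# Added example: compare GptTmpl.inf for every GPO as seen through each DC's SYSVOL share.
# Uses only built-in cmdlets so it also runs on older Windows PowerShell versions.
$DomainControllers = @('DC01', 'DC02')   # hypothetical DC host names, replace with yours
$DomainFqdn        = 'example.local'     # hypothetical domain FQDN, replace with yours
$RelPath           = 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'

function Get-GptTmplState {
    param([string]$Dc, [string]$Domain, [string]$GpoGuid)
    $path  = "\\$Dc\SYSVOL\$Domain\Policies\$GpoGuid\$RelPath"
    $state = New-Object PSObject -Property @{
        DC = $Dc; Gpo = $GpoGuid; Exists = $false
        Length = $null; LastWriteUtc = $null; Sddl = $null
    }
    if (Test-Path -Path $path) {
        $item = Get-Item -Path $path -Force
        $state.Exists       = $true
        $state.Length       = $item.Length
        $state.LastWriteUtc = $item.LastWriteTimeUtc
        $state.Sddl         = (Get-Acl -Path $path).Sddl   # owner + DACL as one string
    }
    $state
}

# Take the list of GPO folders from the first DC; each folder is named {GUID}.
$policies = "\\$($DomainControllers[0])\SYSVOL\$DomainFqdn\Policies"
$guids = Get-ChildItem -Path $policies |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object { $_.Name }

foreach ($guid in $guids) {
    $states = @($DomainControllers | ForEach-Object {
        Get-GptTmplState -Dc $_ -Domain $DomainFqdn -GpoGuid $guid
    })
    # One fingerprint per DC; more than one distinct value means the copies disagree.
    $distinct = @($states |
        ForEach-Object { "$($_.Exists)|$($_.Length)|$($_.Sddl)" } |
        Select-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "GptTmpl.inf differs between DCs for GPO $guid"
    }
    $states | Format-Table DC, Exists, Length, LastWriteUtc -AutoSize
}
```

A warning for a GPO points at SYSVOL replication or a permissions difference on that file; identical rows on every DC mean the file-level state matches.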
  • Answers are:

    1. Yes I can

    2. I am editing the group policy from the DC

    3. Two DCs. If I try and edit the policies on the other DC I get the same error

    .ini is there and all users I would expect have modify permissions and they are the same on both DCs

    DCDIAG looked good and I can't see anything telling in the event log

    Anything else I could check?

    Thursday, July 7, 2016 3:49 AM
  • Hi,

    Are you editing the Default Domain Policy or is this a separate policy?

    Please compare the permissions on the file and on the folder with your working GPOs.

    In the Security tab of the file GptTmpl.inf, click the Advanced button. Please verify and uncheck "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here."

    Besides, you may perform the following steps to troubleshoot this issue:

    1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

    2. In the Active Directory Users and Computers window, on the View menu, click Advanced Features.

    3. In the left pane, expand System, and then click Policies.

    4. In the right pane, right-click the GPO folder that you want to modify, and then click Properties.

    5. Click the Security tab, and then click the group in the Group or user names list for which you want to set the access permission.

    6. In the Permissions for Authenticated Users list, under the Deny column, click to select the check box that is next to the Write permission, and then click OK.

    7. On the File menu, click Exit to close the Active Directory Users and Computers window.

    8. Click Start, click Run, type explorer.exe, and then click OK.

    9. In Windows Explorer, locate and then click the following folder:

    %SystemRoot%\SYSVOL\sysvol\DomainName\Policies

    Note: In this folder name, DomainName is the name of the domain.

    10. In the right pane, right-click the GPO folder that you want to modify, and then click Properties.

    11. Click the Security tab, and then click the group in the Group or user names list for which you want to set the access permission.

    12. In the Permissions for Authenticated Users list, under the Deny column, click to select the check box that is next to the Write permission, and then click OK.

    13. Close Windows Explorer.

    For the detailed information, please refer to the following Microsoft TechNet blog:

    Group Policies and Access Denied

    http://blogs.technet.com/b/matthewms/archive/2005/10/29/413275.aspx

    Best Regards,

    Alvin Wang



    Friday, July 8, 2016 6:46 AM
    Moderator
  • I am unable to edit any of the group policies. All seem to have the correct permissions as well.
    Sunday, July 10, 2016 8:47 PM