Failed to open the Group Policy Object. You might not have the appropriate rights

    Question

  • Hi

    Windows 2012 R2. Only one domain controller and is also running hyper-v on it with another Windows 2012 R2 as a file server (the vm is the file server). I get "Failed to open the Group Policy Object. You might not have the appropriate rights" and I am logged on as domain admin.

    Details: The network location cannot be reached...

    I have NIC teaming enabled and at one point there may have been changes to its configuration.


    • Edited by WaelS Wednesday, December 28, 2016 1:39 PM
    Wednesday, December 28, 2016 1:35 PM

All replies

  • NIC teaming is not recommended on DCs. The reason is that you may have similar failures like the one you have shared. Also, make sure that ports required for AD to work are not blocked or filtered - Refer to this for the list of ports and how you can check: http://www.ahmedmalek.com/web/fr/articles.asp?artid=23


    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    Wednesday, December 28, 2016 9:14 PM
  • If I disable teaming would that resolve the issue?
    Thursday, December 29, 2016 3:11 AM
  • Hi,
    You could give it a try to see if it helps. In addition, please refer to the following KB and check whether it can help you troubleshoot this issue.
    "Failed to Open the Group Policy Object" Error Message Occurs When You Try to Open a Policy As a Domain Administrator
    https://support.microsoft.com/en-us/kb/294257
    Meanwhile, you could open Event Viewer and check some relevant events for more details.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, December 29, 2016 7:17 AM
    Moderator
  • When I try to browse to the network location

    \\mydomain.local\SysVol\maindomain.local\Policies\{2599FABB-A581-4761-8452-BC2DDF6C316D}\User\Scripts\Logon

    I get an error "Windows cannot access...", even when I use the first part. I tried what was listed in the Windows 2003 article, but it didn't help. How can I diagnose this? I tried turning off the firewall as well as turning on network discovery, but neither of those helped.

    This is not just for this policy. The location \\mydomain.local\SysVol is not accessible. \\localhost\sysvol is also not accessible. I am not sure when this started happening, but I discovered it when one of my users started losing his mapped drive.

    The logs mention that the files can't be read which makes sense considering the network location above is not accessible.

    When I try "net share", sysvol is listed as being shared. When I right click the C:\Windows\SYSVOL it doesn't show as shared.



    • Edited by WaelS Thursday, December 29, 2016 4:29 PM
    Thursday, December 29, 2016 4:08 PM
  • Hi,
    Have you tried to open the sysvol by FQDN of domain controller: \\fqdn\sysvol and see if it works? And any event logs in the event viewer on domain controller?
    You could check the following troubleshooting step in the following article if it helps: https://support.microsoft.com/en-us/kb/887303
    Best regards,
    Wendy


    Monday, January 02, 2017 6:00 AM
    Moderator
  • Hi Wendy

    Using a computer that is not part of the domain I am able to access the sysvol using \\fqdn\sysvol, but not when I am logged on to the DC.

    The permissions on the sysvol don't list domain admins. Please see the screenshot.

    

    Monday, January 02, 2017 3:22 PM

  • Authenticated users already have access to the SYSVOL folder, so Domain Admin should be able to access the SYSVOL folder. Anyway, you can provide the Domain Admins group with full access, or try adding the Domain Admins group to the Administrators group, which already has full access.

    Also check if nslookup to the domain name is working or not. This query should list all the DCs configured in your domain.
    If this is not working, please check the DNS settings configured on the IP interface.

    \\domain.com\SYSVOL\DomainName\Policies\
    \\DC001.domain.com\SYSVOL\DomainName\Policies\



    Regards, Nidhin.CK

    Monday, January 02, 2017 3:39 PM
  • What I don't understand is why \\localhost doesn't work. Also \\servername and \\fqdn work from a couple of other machines that I used to test with, but not from the PDC itself.



    • Edited by WaelS Monday, January 02, 2017 8:33 PM
    Monday, January 02, 2017 8:30 PM
  • Hi,
    Can you ping the DC server using its NETBIOS name and FQDN? Check the following services TCP/IP NetBIOS Helper, Netlogon, and the Remote Procedure Call (RPC) to see if they are started and set on automatic and see if DNS is set up correctly.
    In addition, you could have a try to disable NIC teaming and test again, as NIC teaming is not suggested on DC.
    Best regards,
    Wendy



    Thursday, January 05, 2017 1:56 AM
    Moderator
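
The checks suggested in the replies so far (service state, DNS resolution of the domain, the SYSVOL share under each name, and the NIC team), collected into one read-only script to run on the DC itself. This is an added example, not part of any post in the thread; it assumes the logged-on account's domain (`$env:USERDNSDOMAIN`) is the DC's own domain, and the two Lanman services are an addition to the three named above.

```powershell
# Added example: read-only SYSVOL reachability checks, run locally on the DC.
# Assumption: $env:USERDNSDOMAIN is the DNS name of the domain this DC hosts.
$domain = $env:USERDNSDOMAIN
$fqdn   = "$env:COMPUTERNAME.$domain"

# 1. Services named in the thread (TCP/IP NetBIOS Helper, Netlogon, RPC).
#    LanmanServer/LanmanWorkstation are added: they serve and consume SMB shares.
$names  = 'lmhosts', 'Netlogon', 'RpcSs', 'LanmanServer', 'LanmanWorkstation'
$filter = ($names | ForEach-Object { "Name='$_'" }) -join ' OR '
Get-CimInstance -ClassName Win32_Service -Filter $filter |
    Format-Table Name, State, StartMode -AutoSize

# 2. DNS: the domain name should resolve to the DC(s), and the DC locator
#    SRV record should point at this server.
Resolve-DnsName -Name $domain -Type A -ErrorAction SilentlyContinue |
    Format-Table Name, IPAddress -AutoSize
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.NameTarget } |
    Format-Table NameTarget, Port -AutoSize

# 3. Shares as the SMB server reports them (the same view as "net share").
Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue |
    Format-Table Name, Path -AutoSize

# 4. The same share through every name tried in the thread. A name that fails
#    here but works from a client points at the local network stack, not at ACLs.
$results = foreach ($name in 'localhost', $env:COMPUTERNAME, $fqdn, $domain) {
    $unc = "\\$name\SYSVOL"
    $tcp = Test-NetConnection -ComputerName $name -Port 445 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Path      = $unc
        Tcp445    = $tcp.TcpTestSucceeded
        Reachable = Test-Path -LiteralPath $unc -ErrorAction SilentlyContinue
    }
}
$results | Format-Table -AutoSize

# 5. NIC teams and the components bound to each adapter, to see whether the
#    file-sharing client/server bindings are still enabled on the team interface.
Get-NetLbfoTeam | Format-Table Name, TeamingMode, LoadBalancingAlgorithm, Status -AutoSize
Get-NetAdapterBinding | Where-Object Enabled |
    Format-Table Name, DisplayName, ComponentID -AutoSize
```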
  • All the services you described are running and the server is pingable by name and fqdn.

    The only thing I haven't tried is to disable teaming. I'll have to try that after hours.

    Is it normal that I get the same error if I try \\localhost from the PDC? I don't see any shares when I do \\localhost.

    From the client machines there are no problems. \\domain_name\ works fine, \\servername and \\servername.fqdn work fine. It is only from the PDC that none of this works. Does that make sense? Is it supposed to be like that?

    The server is running a couple of VMs, those also have no problems.

    Friday, January 06, 2017 2:31 PM
  • Hi,
    For troubleshooting, we suggest you try disabling teaming :)
    Best regards,
    Wendy


    Monday, January 09, 2017 4:44 AM
    Moderator
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    If the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Friday, January 13, 2017 9:28 AM
    Moderator
  • Hi Wendy

    My server has 4 NICs: two are teamed, one is used to manage some switches and one is available for use. Is there a way to find out which services are bound to each card? I was thinking that rather than unteaming the NICs and finding that services stop working all at once, I can assign them one by one to the unused card, and once I am done I can un-team the other two cards.

    I do have a couple of VMs using that teamed card.

    Thanks

    Thursday, January 19, 2017 9:39 PM