none
Failed to open the Group Policy Object. You may not have the appropriate rights. The system cannot find the path specified.

    Question

  • Hi

    I am trying to edit the "Default Domain Controllers Policy" but when I click on Edit, I get the error message as shown below.

    We have three domain controllers, 2 of them (hq-dc1 and hq-dc2)are 2008 R2 and one (hq-dc3) is 2012 R2.

    

    The permissions are correct as I'm trying with domain admin account and I checked the permissions and domain admins have the necessary permissions. 

    The Policy does exist.


    The replications works fine also!

    any ideas any one???


    • Edited by ndrepebx Friday, July 18, 2014 9:32 AM
    Friday, July 18, 2014 9:31 AM

Answers

  • Thanks for your feedback everyone!

    Finally I managed to get this sorted. Here is what I did. 

    First, on one of the domain controllers, I browsed down the the policy file that contains the settings on the path below:

    C:\Windows\SYSVOL\sysvol\DomainName\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit

    and opened the file GptTmpl.inf (as shown on image below) and then changed the value for AuditAccountManage from 0 to 1, saved the file and closed. I then went to the settings tab on the GPO and the setting that I changed on the file had replicated back to the policy in Group Policy Management Console. 

    Doing this step proved that the path was correct and that I had sufficient permissions to edit. Although if I tried to edit the policy again via GPMC I still got the same error message. 

    At the end I did a backup of this GPO and then did a restore and problem solved.

    • Marked as answer by ndrepebx Monday, July 21, 2014 1:47 PM
    Monday, July 21, 2014 1:47 PM

All replies

  • Hi,

    Are you able to edit the Group Policy object from any one DC?

    This error may be due to permission problem in SYSVOL folder in the DC displaying error.

    Checkout the below thread on similar discussion,

    http://community.spiceworks.com/topic/350947-can-t-edit-new-gp-objects-in-ad-2003-system-cannot-find-the-path-specified?page=1#entry-2302546


    Regards,
    Gopi
    JiJi Technologies

    Friday, July 18, 2014 11:35 AM
  • From a command prompt run the following to find your PDCe
    netdom query fsmo

    Log onto the PDCe and attempt to modify the Group Policy

    The PDCe is where the system controls updates for Group Policy


    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

    Friday, July 18, 2014 11:51 AM
    Moderator
  • By default when you open GPEdit.MSC the MMC points to the PDC for the domain. If you go into view/ DC Options you can change that setting to use the DC the snap-in is connected to.
    Friday, July 18, 2014 2:07 PM
  • Hi,

    In your image you are accesing SYSVOL localy. Try the share path instead to confirm you have read access to the policy.

    Also try the following tools to check for permission related issues:

    http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx - ShareEnum v1.6

    http://technet.microsoft.com/en-us/sysinternals/bb897332.aspx - AccessEnum v1.32

    Marius


    http://mariusene.wordpress.com/

    Friday, July 18, 2014 3:15 PM
  • Hi everyone and thanks for all your help. 

    The only GPO effected is the "Default Domain Controllers Policy". I can edit any other GPO's fine.

    I have tried editing "Default Domain Controllers Policy" from all three domain controllers and I get the same error on all of them. 

    I can access SYSVOL via the shared path also and read the contents. 

    I have looked at the threads provided also but still no luck :(

    Friday, July 18, 2014 4:32 PM
  • Have you looked at the delegated permissions of the GPO? Based on what you are saying it sounds like a permission issue on the GPO. Use the link below to look at the settings.

    http://technet.microsoft.com/en-us/library/cc754542.aspx

    Friday, July 18, 2014 5:36 PM
  • Thanks for your feedback everyone!

    Finally I managed to get this sorted. Here is what I did. 

    First, on one of the domain controllers, I browsed down the the policy file that contains the settings on the path below:

    C:\Windows\SYSVOL\sysvol\DomainName\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit

    and opened the file GptTmpl.inf (as shown on image below) and then changed the value for AuditAccountManage from 0 to 1, saved the file and closed. I then went to the settings tab on the GPO and the setting that I changed on the file had replicated back to the policy in Group Policy Management Console. 

    Doing this step proved that the path was correct and that I had sufficient permissions to edit. Although if I tried to edit the policy again via GPMC I still got the same error message. 

    At the end I did a backup of this GPO and then did a restore and problem solved.

    • Marked as answer by ndrepebx Monday, July 21, 2014 1:47 PM
    Monday, July 21, 2014 1:47 PM
  • Thanks so much!

    Backing up and restoring it did the trick for me.

    Wednesday, January 14, 2015 3:56 PM
  • Hello Guys,

    FIXED, SOLVED, FIXED....

    I FIXED the issue without backup or restore activity in my scenario.

    Or

    I should ask do any one know why it got fixed using the backup restore activity ?

    If you can see the last screenshot of policy access path by "ndrepebx" there is  NO User folder available under the policy path folder.

    This is the issue, I executed the Procmon & found that process is trying to access the Registry.pol file under User folder under the policy path & it is failing to access, even though user configuration are not configured.

    I crossed match the same with Adsiedit, there i found user & machine both containers & so to sync up the GPT & GPC i created the "User" folder under the policy path & it got FIXED.

    Rare FIX but good FIX.

    Regards,

    Vicky Rajdev


    Vicky Rajdev

    • Proposed as answer by AnalogueLtd Thursday, January 14, 2016 1:39 AM
    Monday, February 16, 2015 11:27 AM
  • I crossed match the same with Adsiedit, there i found user & machine both containers & so to sync up the GPT & GPC i created the "User" folder under the policy path & it got FIXED.

    regarding what mentioned above ,what do you mean by there is no user folder under policy path in the screenshot of ndrepebx 

    "C:\Windows\SYSVOL\sysvol\DomainName\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit"

    he opened the machine folder and this is normal not to have the user folder in the machine folder. 

    the following picture is the path of domain controller policy ,I have the same problem of being unable to edit the default controller policy 

    

     is it safe to install Procmon  in active directory ,I'll try it and knowq what happen 


    • Edited by om zeyad Thursday, March 1, 2018 10:12 AM
    Thursday, March 1, 2018 10:09 AM
  • this the path of the the gpt template under machine folder

    Thursday, March 1, 2018 10:10 AM