Failed to open Group Policy Object

  • Question

  • Hello all,

    I am receiving a strange error message that I have never seen before in Group Policy. I am attempting to edit a GPO and I receive the following message:

    "Failed to open the Group Policy Object. You might not have the appropriate rights."

    "Details: The volume for a file has been externally altered so that the opened file is no longer valid."

    I have looked online and have found very little about this message. Most of the things I come across relate to the local group policy, but my issue is occurring in the GPMC on a domain controller.

    I have three domain controllers - Server 2008 R2, Server 2012 Standard, and Server 2016 Standard. I can edit this GPO on my Server 2008 R2 domain controller, but receive the error message on the other two.

    I have tried this solution from my research, but it seemed to cause more problems than it fixed and didn't remedy the original issue:

    • Get GPO GUID: from Group Policy Management Console (GPMC) –> choose GPO –> from right pane go to Details tab –> go to Unique ID field.
    • Open the path: C:\Windows\SYSVOL\sysvol\<Domain>\Policies\<GPO GUID>\User
    • Delete “registry.pol” file.

    Has anyone seen this before?

    Thank you!

    Friday, October 11, 2019 6:19 PM

All replies

  • Hi Daryl LFP,

    Thank you for posting in our forum.

    According to my knowledge, it may be related to a SYSVOL replication issue. We suggest you check whether the contents of the SYSVOL folder on the three DCs are the same (including file size and timestamp).
    We can use the command dcdiag /test:FrsEvent or dcdiag /test:DFSREvent for a further check.

    The thread link provided by Udara Kaushalya also shows that this may be a SYSVOL replication issue.

    Hope the information can be helpful

    Best Regards,

    Vicky

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 14, 2019 9:44 AM
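
The SYSVOL comparison suggested in the reply above can be scripted. This is an added example, not part of the original thread; the domain name and DC names are placeholders, and it assumes PowerShell 4 or later with read access to each DC's SYSVOL share.

```powershell
# Added example, not from the thread. $Domain and $DCs are placeholder values.
$Domain = 'corp.example.com'
$DCs    = 'DC1', 'DC2', 'DC3'

function Get-PolicyFileInventory {
    param([string]$Server, [string]$Domain)
    # The SYSVOL share exposes C:\Windows\SYSVOL\sysvol on each DC
    $root = "\\$Server\SYSVOL\$Domain\Policies"
    Get-ChildItem -LiteralPath $root -Recurse -File -Force | ForEach-Object {
        [pscustomobject]@{
            Server       = $Server
            RelPath      = $_.FullName.Substring($root.Length)
            Length       = $_.Length
            LastWriteUtc = $_.LastWriteTimeUtc
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$inventory = foreach ($dc in $DCs) {
    Get-PolicyFileInventory -Server $dc -Domain $Domain
}

# A file is consistent only if every DC holds it with the same content hash
$diffs = foreach ($g in ($inventory | Group-Object RelPath)) {
    $present = @($g.Group | ForEach-Object { $_.Server })
    $missing = @($DCs | Where-Object { $present -notcontains $_ })
    $hashes  = @($g.Group | ForEach-Object { $_.Sha256 } | Sort-Object -Unique)
    if ($missing.Count -gt 0 -or $hashes.Count -gt 1) {
        [pscustomobject]@{
            RelPath   = $g.Name
            MissingOn = $missing -join ', '
            Copies    = ($g.Group | ForEach-Object {
                '{0}: {1} bytes, {2:u}' -f $_.Server, $_.Length, $_.LastWriteUtc
            }) -join '; '
        }
    }
}

if ($diffs) { $diffs | Format-List } else { 'Policies folder is identical on all listed DCs.' }
```

Only files that are missing on a DC or whose hashes differ are listed, with the size and timestamp of each copy.
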
  • Hi Vicky,

    I checked the contents of the SYSVOL folder on all three DC's and one of them was a little different than the other two:

    DC1 - SYSVOL_DFSR - 208MB - 6/22/2017

    DC2 - SYSVOL_DFSR - 208MB - 6/22/2017

    DC3 - SYSVOL - 248MB - 11/29/2018 - Has two additional folders: staging, and staging areas

    I ran both the commands you recommended on all of the DC's, and the second command showed this error message on all of them:

    Doing primary tests

       Testing server: Default-First-Site-Name\<server-name>
          Starting test: DFSREvent
             There are warning or error events within the last 24 hours after the
             SYSVOL has been shared.  Failing SYSVOL replication problems may cause
             Group Policy problems.
             ......................... SERVER-MAIN passed test DFSREvent

    I checked the event logs on all of the servers, and they are all showing the following event:

    Event 5014, DFSR

    The DFS Replication service is stopping communication with partner <server-name> for replication group Domain System Volume due to an error. The service will retry the connection periodically.
     
    Additional Information:
    Error: 9036 (Paused for backup or restore)
    Connection ID: 7932162E-8576-4A66-8863-99160D1C0C11
    Replication Group ID: 21185309-32F7-40FF-A6E8-08CFF0C18CB3

    These events seem to occur each night around 3:00AM and we do have backups running during this time, so I'm suspecting that this is why we are getting these events.

    I attempted to back up and restore the Default Domain Controllers GPO like the above post recommends doing, but that did not work either. I noticed that when I performed the backup of the GPO, I received about 18 of these warnings:

    [Warning] The security principal [S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003] referenced in extension [Security] cannot be resolved, but the task will continue. In the future, you can use a migration table to map or remove this security principal.
    Details: No mapping between account names and security IDs was done.

    Any other ideas? Thanks for all the suggestions.

    Monday, October 14, 2019 8:15 PM
  • Hi Daryl LFP,

    Thank you for your update in our forum

    First of all, ensure that the port is normal, and then try to connect to improve the current state.

    Reference link: DFS Replication: How to troubleshoot missing SYSVOL and Netlogon shares

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Vicky




    Wednesday, October 16, 2019 9:44 AM
  • Hi Vicky,

    Thank you for the article. It was very informative. I ran all the commands in the article and the replication health of all of our DC's appears to be good, however the issue still persists.

    I noticed the following events on our PDC, but they were from over a year ago and it seems to be in a healthy state now:

    2213

    4012

    4604

    I've tried backing up and restoring the Domain Controllers Policy on all of our servers and it seems to fail on one of them. When it fails, it completely blanks out the policy and none of the previous settings exist. With the GPO blank like this, I appear to be able to edit it from any of the DC's. I'm wondering if I should remove all of the old settings and try rebuilding it from scratch?

    Any other suggestions?

    Thanks again.

    Wednesday, October 16, 2019 11:52 PM
  • Hi Daryl LFP,

    Thank you for your update in our forum

    If there are only a small number of GPOs that cannot be edited, then we can re-edit these GPOs according to your previous method.

    If there are a lot of GPOs, then the best way is to check the error log for further troubleshooting.

    If it's just a default domain policy or a default domain controller policy, we can also use commands to restore these two GPOs to their default settings without having to completely reconfigure them.

    Reference: dcgpofix

    Hope the information can be helpful

    Best Regards,

    Vicky


    • Marked as answer by Daryl LFP Friday, October 18, 2019 4:36 PM
    Friday, October 18, 2019 6:12 AM
  • Hi Vicky, this worked.

    I took a screenshot of all of the settings in the Default DC GPO, and also backed it up completely just in case I needed to restore it. I ran the command and was able to edit the GPO from each DC without any issues.

    Thanks for all your help.

    Friday, October 18, 2019 4:36 PM
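
The sequence described in the two posts above (record the settings, back up the GPO, run dcgpofix, confirm every DC is consistent) is sketched below. This is an added example, not part of the original thread; the backup path and DC names are placeholders, and /target:DC is assumed because the thread concerns the Default Domain Controllers Policy.

```powershell
# Added example, not from the thread. $DCs and $BackupDir are placeholder values.
Import-Module GroupPolicy
$ErrorActionPreference = 'Stop'

$DdcpGuid  = '6AC1786C-016F-11D2-945F-00C04FB984F9'  # well-known GUID, Default Domain Controllers Policy
$BackupDir = 'C:\GPOBackup\DDCP-before-reset'
$DCs       = 'DC1', 'DC2', 'DC3'

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Readable record of every setting, so custom ones can be reapplied after the reset
Get-GPOReport -Guid $DdcpGuid -ReportType Html -Path (Join-Path $BackupDir 'DDCP-settings.html')

# Full GPO backup taken before anything is changed
$backup = Backup-GPO -Guid $DdcpGuid -Path $BackupDir -Comment 'Before dcgpofix /target:DC'
if (-not $backup.Id) { throw 'Backup did not complete; not resetting the GPO.' }

# Reset only the Default Domain Controllers Policy; dcgpofix asks for confirmation
dcgpofix /target:DC

# After replication settles, the AD and SYSVOL version numbers should agree on every DC
foreach ($dc in $DCs) {
    $gpo = Get-GPO -Guid $DdcpGuid -Server $dc
    [pscustomobject]@{
        Server        = $dc
        DSVersion     = $gpo.Computer.DSVersion
        SysvolVersion = $gpo.Computer.SysvolVersion
        InSync        = $gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion
    }
}
```

The reset returns the policy to its default settings, so any custom entries in the saved report have to be re-entered afterwards.
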
  • Hi,

    I am glad to hear that your issue was successfully resolved.

    If there is anything else we can do for you, please feel free to post in the forum.

    Have a nice day!

    Vicky



    Thursday, October 24, 2019 1:34 AM