Windows 8 and Default Domain Policy modification issue


  • Hi,

    I'm unable to edit the default domain policy from my new Windows 8 desktop.  It's the only Win8 in the environment so I'm not able to easily test another one unfortunately.  The error I receive is:

    Group Policy Error

    Failed to open the Group Policy Object.  You might not have the appropriate rights.

    Details: The volume for a file has been externally altered so that the opened file is no longer valid.

    I have checked from a Win7 and a 2003 machine and can access and edit the GPO without issue using the same account.  The Win8 desktop is a fresh install with the RSAT tools installed, Exchange 2010 tools and a few basic applications (none of which stick out as having anything to do with AD management).

    It only occurs if I click edit on the GPO.  I'm able to successfully view the policy and edit the permissions etc.  Have rebooted and the machine is current with patches as of now.



    Cheers Andy

    Friday, March 08, 2013 1:40 PM

All replies

  • This certainly seems to be an issue with the Win8 machine as randomly one of the 6 DCs in the main site doesn't show the replicate connections options in Sites/Services.  From another machine I can see them so it has to be something odd with the AD tools on this machine.  Has anyone else seen anything like this sort of thing?

    Cheers Andy

    Saturday, March 09, 2013 11:31 AM
  • Hi,

    According to your description, the issue only occurred when you click to edit the GPO, and only occurred on Windows 8. I would like to suggest that you follow the suggestions below to narrow down the issue:

    1. Check out whether the issue only occurred to Default domain policy object.

    2. Test on another new installed Windows 8 client with only RSAT installed.

    3. Create another new account and add it to domain admin group to test again.

    4. Run dcdiag on DCs to check out whether the replications work fine.

    Hope this helps.


    Yan Li


    Cataleya Li
    TechNet Community Support

    Monday, March 11, 2013 7:27 AM
  • Hi,

    What about firewall services on your Windows 8? Do you see any profile associated with it?

    Regards, Server Engineer - Server Support

    Monday, March 11, 2013 8:06 AM
  • Are you facing any issues while accessing AD resources from Windows 8? However, I would also suggest you disable the basic Windows Firewall for testing purposes. Check this from Windows 8: net view \\DCname and net view \\IPAddress of the DC. If these commands fail to resolve, then it might be a secure channel issue. You might need to unjoin and rejoin Win8 to the domain.
    Monday, March 11, 2013 10:17 AM
  • Hi guys,

    Thanks for the replies, hope I cover everything below.  The oddity here is that I can edit any other policy just not the default domain policy.  I can edit it from another machine (2003) which indicates it isn't a permissions issue.

    The firewall is off due to policy at the moment.

    DCDiag doesn't show any issues and I've checked repl with repadmin.

    I forgot (doh!) that I had another Win8 machine.  It's an expired trial license but does show the same issue!

    We tried another domain admin and he also gets the same error message.  (Should have thought to try that myself).

    Monday, March 11, 2013 11:19 AM
  • Try to run "chkdsk /r" on your Win8 machine, and also run "sfc /scannow" using "Run as administrator".



    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Wednesday, March 13, 2013 9:23 AM
  • Any update?




    Wednesday, March 20, 2013 2:31 AM
  • Hello,

    As this belongs more to the GPO I would also ask in

    Best regards

    Meinolf Weber
    Microsoft MVP - Directory Services

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, March 21, 2013 10:55 AM
  • Hi,

    Sorry for the delay.  This occurs on more than one Win8 machine so not sure that SFC would help.

    With the firewall I am able to edit all other GP so it is unlikely to be that too unfortunately.

    Will try asking in the GPO forum, thanks.


    Cheers Andy

    Friday, June 07, 2013 12:24 PM
  • I don't have Windows 8 to test with but I suspect it's this same issue: 

    I found this to be the case for our Default Domain Controllers GPO. Found a registry.pol file in the GPO's sysvol directory and renamed it to registry.pol.old. Bingo, I could now edit the GPO from Server 2012 R2. 

    -- Jason

    • Edited by JasonBH Friday, October 03, 2014 2:44 PM
    • Proposed as answer by Ryan VI Tuesday, November 18, 2014 10:30 PM
    Friday, October 03, 2014 2:43 PM
  • Jason, your solution worked for me.  I had to rename both registry.pol files in the user and the machine folder of the Default GPO guid folder in sysvol.  Now I can open the default GPO on Windows 8 and Server 2012 R2.  Thanks, Ryan
    Tuesday, November 18, 2014 10:29 PM
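
The rename described in the last two replies, as an added example that is not part of the original thread: a PowerShell script that records the size, timestamp and header validity of each registry.pol under the GPO's Machine and User folders, and only renames them when asked. The script's parameter names and the use of `$env:USERDNSDOMAIN` for the SYSVOL path are assumptions; the default GUID is the well-known Default Domain Policy GUID.

```powershell
# Added example: inspect, then optionally set aside, registry.pol in a GPO's
# SYSVOL folder. Assumes a domain-joined admin workstation and write access
# to SYSVOL. registry.pol holds the GPO's registry-based (Administrative
# Templates) settings, so record the report output before renaming.
param(
    [string]$Domain  = $env:USERDNSDOMAIN,
    [string]$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}',
    [switch]$Rename   # without this switch the script only reports
)

$gpoRoot = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid"
if (-not (Test-Path -LiteralPath $gpoRoot)) {
    throw "GPO folder not found: $gpoRoot"
}

foreach ($side in 'Machine', 'User') {
    $pol = Join-Path $gpoRoot "$side\registry.pol"
    if (-not (Test-Path -LiteralPath $pol)) {
        Write-Warning "$side has no registry.pol"
        continue
    }

    $bytes = [System.IO.File]::ReadAllBytes($pol)

    # A well-formed registry.pol starts with the ASCII signature 'PReg'
    # followed by a little-endian DWORD version of 1 (8-byte header).
    $valid = ($bytes.Length -ge 8) -and
             ([System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -eq 'PReg') -and
             ([System.BitConverter]::ToUInt32($bytes, 4) -eq 1)

    [pscustomobject]@{
        Side         = $side
        Path         = $pol
        Length       = $bytes.Length
        HeaderValid  = $valid
        LastWriteUtc = (Get-Item -LiteralPath $pol).LastWriteTimeUtc
    }

    if ($Rename) {
        # Rename rather than delete, as in the thread, so the file can be
        # restored. Fails if registry.pol.old already exists.
        Rename-Item -LiteralPath $pol -NewName 'registry.pol.old'
    }
}
```

Run it once without `-Rename` to capture the report, then again with `-Rename`; pass the GUID of another GPO in `-GpoGuid` to check a different policy.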