problem with Group Policy Management

[JohnSmith69]

When I run gpmc.msc to open Group Policy Management, I get the following pop up:

"The System cannot fidn the path specified"

It then proceeds to open Group Policy Management console. When I try to edit any of the group policy objects, I get the following errors:

"Failed to open the Group Policy Object. You may not have appropriate rights"
"Details: The system cannot find the path specified"

It then opens the Group Policy Object Editor with no options to edit anything.

Within the Group Policy Object I am down as administrator, and have appropriate edit attributes.

Can anyone help with this matter? I have looked on Microsoft's technet and cant find anything. Anyone experience this before?

Thank you

 

[Turkish]

Have you tried going through gpedit.msc?

 

[JohnSmith69]

Thanks for your reply Turkish

GPEDIT.MSC only edits the local settings. How do i gain access to the AD group policy editor?

 

[Snapster]

Originally posted by: JohnSmith69
Thanks for your reply Turkish

GPEDIT.MSC only edits the local settings. How do i gain access to the AD group policy editor?

Are you trying to edit a domain policy? Open up AD Users and Computers on your DC and right click on the DC branch and select properties, now select Group policy and the rest should be straight forward.

 

[JohnSmith69]

Hi Snapster

Yes I'm trying to edit the domain policy. I have done exactly the steps you mentioned on I still get the following error message:

"Failed to open the Group Policy Object. You may not have appropriate rights"
"Details: The system cannot find the path specified"

I did move the Primary Domain Controller to the DC branch and also the Backup DC to the DC branch. I think I accidentally moved them out from here when I did a clean up within AD. Surely by moving them out of the DC branch does not affect any of the security or edit settings? How to I gain access to the policy editor?

Thank you

 

[Snapster]

Even if you are down as an Administrator you have to be member of the Domain Admins and Group Policy Creator Owners group I think to be able to edit a domain policy. The security settings of the domain policy (properties/security tab) should also have the appropriate settings set to allow you to open/view the policy. If it's just permissions then that should enable you to get there.

Check that the policy file actually exists on your domain as well:

\\Domain_Name.com\sysvol\Domain_Name.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini

If you've done something to the default domain policy you might have to force create a new one. I hope you've not messed up the AD tree too much with the clean up.

 

[stash]

Surely by moving them out of the DC branch does not affect any of the security or edit settings?

Yikes. Moving DCs out the of the DCs OU is Very Bad. I would guess the user rights assigments are all FUBAR'ed on your DCs, which among other things, means you can't read GPOs. Which means, not only can't you edit them, but they won't apply to the DCs. So the critical GPO containing the correct user rights for the DCs (default domain controller GPO) will never get applied.

You're going to need to edit the local policy on a DC and manually set some user rights assignments to see if you can get it to read and apply domain GPOs again. The ones I would start with are Access This Computer From the Network (should be Administrators and Authenticated Users at a minimum) and Bypass Traverse Checking (Administrators, Authenticated Users, at a minimum).

I am cringing at the thought of what other changes you made to AD...

User rights are under computer config, windows settings, security settings, local policies, user rights assignments.

 

[JohnSmith69]

I am in both the Domain Admin and Group Policy Creator groups. However, when I click on any of the group policy objects I get the error: The system cannot find the path specified

In the delegation tab, I can see Domain Admins with Edit settings, delete, modify security.

Where else can I go from here?

I've also looked in the:

\\Domain_Name.com\sysvol\Domain_Name.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini

However I'm unable to see anything in both the Primary Domain Controller and also the Backup Domain Controller.