Security Policy Is not opening.

G

Guest

Hi

I have Win2000 Domain Controller logged in as domain administrators.

Problem is : I could not able to open Domain Security Policy or Domain
Controller Security Policy. We would like to apply some policies. But Domain
Default Policy Editor is not opening at all.

Its showing a message like "you dont have appropriate permissions.
Details : The System Cannot find path." That is the message i m getting
whenever i tried to open Domain Security Policy and Domain Security Policy.

Please help me in this.

Thanks and Regards
Rajam.
 
S

Steven L Umbach

That could be a dns problem or a problem with the existence of the sysvol
share or permissions for it. From any domain computer you should be able to
access the sysvol share by entering in the run box
\\domaincontrollername\sysvol. Run the support tools netdiag and dcdiag on
the domain controller looking for pertinent problems and also check Event
Viewer for Event ID's than may detail a related problem. Support tools are
on the install disk in the support/tools folder. See the link below on dns
to make sure your dns is correctly configured for the domain and NEVER list
an ISP dns server as a preferred dns server in tcp/ip properties of any
domain computer or computer you are trying to join to the domain. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382
 
G

Guest

Hi Steven

Thanx for your kind suggestion. But we tried Netdiag and Dcdiag tools. But
we couldn't find any problems in it. We are not using ISP IP as DNS server
address. What we are suspecting is might be some policies are applied on
Administrator account. Pls kindly let me know is there any other solution to
opening Security Policies like Domain Security Policy and Domain Controller
Security Policy in Domain Controller or Additional Domain Controller.
Waiting for your reply.

Thanks and Regards
Rajam
 
S

Steven L Umbach

Well good to hear that your dns seems to working correctly. See if anything
unusual shows in the application or system logs in Event Viewer and try
accessing the sysvol share as I explained before to see first if you can
access it and then if you can try to navigate to those policies via domain
name\policies\31B2F....\machine\Microsoft\Windows NT\SecEdit where you
should see and be able to open the GptTmpl.inf file there. The policy
starting 31B2F.... is the default domain Group Policy. Also try running the
support tool gpotool to see if it shows at least two Group Policies and if
any problems are reported as far as version numbers. Another thing to check
is to Use Active Directory Users and Computers. Then find your domain, right
click and select properties/Group Policy where you should see default domain
policy. For it select properties/security to make sure that domain admins
have necessary permissions which need to be at least read and write to edit
the Group Policy. Verify that domain admins global group is a member of the
administrators group and that you are logged on as a member of the domain
admins group. --- Steve
 
G

Guest

Hi Steven

Thanks for your reply. Actually we checked for that policy which u mentioned
previously. Actually we dint find that policy in the Domain Controllers
Sysvol folder. If we try to change the settings of Default Domain Policy
properties also its saying u cannot access that file. We ran GPOTool also. It
has given some errors on this Default Domain Policy. I am sending that report
with this mail. Pls look into it and give me the suggestion on this. Is it
possible to create that Domain Default Policy. If its possible pls give me
the clear procedure for that. Waiting for your reply. Pls find the GPO Report.
This is the report we got it when we ran GPOTool.

Domain: sprosys.com
Validating DCs...
spro.sprosys.com: OK
softpro.sprosys.com: OK
Available DCs:
spro.sprosys.com
softpro.sprosys.com
Searching for policies...
Found 7 policies
============================================================
Policy {0196EEA9-48D4-480E-8961-2E5E2C35D891}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: AccountTracking
Created: 4/26/2005 6:22:38 AM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: AccountTracking
Created: 4/26/2005 6:22:38 AM
Changed: 4/28/2005 10:01:39 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {07DDE52B-4D39-4007-BB66-B37887143BE7}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:24:50 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 33(user) 3(machine)
Sysvol version: 33(user) 3(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:24:50 PM
Changed: 4/28/2005 10:01:29 AM
DS version: 33(user) 3(machine)
Sysvol version: 33(user) 3(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {277C0E32-FC88-483F-BD63-EDA7DBA00770}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:23:24 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:23:24 PM
Changed: 4/28/2005 10:01:22 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Error: Cannot access
\\spro.sprosys.com\sysvol\sprosys.com\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}, error 2
Error: Cannot access
\\softpro.sprosys.com\sysvol\sprosys.com\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}, error 2
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Default Domain Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/30/2005 7:28:50 AM
DS version: 1(user) 3(machine)
Sysvol version: not found
Flags: 0
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Default Domain Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/30/2005 7:29:56 AM
DS version: 1(user) 3(machine)
Sysvol version: not found
Flags: 0
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {5176A5A6-48DD-4A96-8405-A815C10B7EA8}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: terminal
Created: 2/28/2005 12:22:15 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 1(user) 0(machine)
Sysvol version: 1(user) 0(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: terminal
Created: 2/28/2005 12:22:15 PM
Changed: 4/28/2005 10:01:08 AM
DS version: 1(user) 0(machine)
Sysvol version: 1(user) 0(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Error: Cannot access
\\spro.sprosys.com\sysvol\sprosys.com\policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}, error 2
Error: Cannot access
\\softpro.sprosys.com\sysvol\sprosys.com\policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}, error 2
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Default Domain Controllers Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 4(machine)
Sysvol version: not found
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Default Domain Controllers Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/28/2005 10:01:01 AM
DS version: 0(user) 4(machine)
Sysvol version: not found
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {E3668F2C-D789-4A77-822D-DEABB4B9A657}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: New Group Policy Object
Created: 4/27/2005 3:54:32 AM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 34(machine)
Sysvol version: 0(user) 34(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: New Group Policy Object
Created: 4/27/2005 3:54:32 AM
Changed: 4/28/2005 10:00:51 AM
DS version: 0(user) 34(machine)
Sysvol version: 0(user) 34(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------

Errors found

Thanks and Regards
Rajam.
 
S

Steven L Umbach

Well it certainly looks like you have a problem with the two default
policies for domain and domain controller. One solution could be to an
authoritative restore of Active Directory from a System State backup from a
time before this problem occurred. if it is a fairly recent problem then
that may be a good solution assuming you have the System State backups.
Another possibility that I can think of is to use a free tool from Microsoft
to rebuild those two policies called RecreateDefpol.EX. The link for it is
below and be sure to read the instructions and warnings. That is what I
would try. You may however want to post in the Active Directory newsgroup to
see if they have any further suggestions or alternatives. --- Steve

http://www.microsoft.com/downloads/...ae-b7dd-4bb5-ab2a-976d6873129d&displaylang=en

Varadarajam said:
Hi Steven

Thanks for your reply. Actually we checked for that policy which u
mentioned
previously. Actually we dint find that policy in the Domain Controllers
Sysvol folder. If we try to change the settings of Default Domain Policy
properties also its saying u cannot access that file. We ran GPOTool also.
It
has given some errors on this Default Domain Policy. I am sending that
report
with this mail. Pls look into it and give me the suggestion on this. Is it
possible to create that Domain Default Policy. If its possible pls give me
the clear procedure for that. Waiting for your reply. Pls find the GPO
Report.
This is the report we got it when we ran GPOTool.

Domain: sprosys.com
Validating DCs...
spro.sprosys.com: OK
softpro.sprosys.com: OK
Available DCs:
spro.sprosys.com
softpro.sprosys.com
Searching for policies...
Found 7 policies
============================================================
Policy {0196EEA9-48D4-480E-8961-2E5E2C35D891}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: AccountTracking
Created: 4/26/2005 6:22:38 AM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: AccountTracking
Created: 4/26/2005 6:22:38 AM
Changed: 4/28/2005 10:01:39 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {07DDE52B-4D39-4007-BB66-B37887143BE7}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:24:50 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 33(user) 3(machine)
Sysvol version: 33(user) 3(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:24:50 PM
Changed: 4/28/2005 10:01:29 AM
DS version: 33(user) 3(machine)
Sysvol version: 33(user) 3(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {277C0E32-FC88-483F-BD63-EDA7DBA00770}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:23:24 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:23:24 PM
Changed: 4/28/2005 10:01:22 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Error: Cannot access
\\spro.sprosys.com\sysvol\sprosys.com\policies\{31B2F340-016D-11D2-945F-00C04FB984F9},
error 2
Error: Cannot access
\\softpro.sprosys.com\sysvol\sprosys.com\policies\{31B2F340-016D-11D2-945F-00C04FB984F9},
error 2
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Default Domain Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/30/2005 7:28:50 AM
DS version: 1(user) 3(machine)
Sysvol version: not found
Flags: 0
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Default Domain Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/30/2005 7:29:56 AM
DS version: 1(user) 3(machine)
Sysvol version: not found
Flags: 0
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {5176A5A6-48DD-4A96-8405-A815C10B7EA8}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: terminal
Created: 2/28/2005 12:22:15 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 1(user) 0(machine)
Sysvol version: 1(user) 0(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: terminal
Created: 2/28/2005 12:22:15 PM
Changed: 4/28/2005 10:01:08 AM
DS version: 1(user) 0(machine)
Sysvol version: 1(user) 0(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Error: Cannot access
\\spro.sprosys.com\sysvol\sprosys.com\policies\{6AC1786C-016F-11D2-945F-00C04FB984F9},
error 2
Error: Cannot access
\\softpro.sprosys.com\sysvol\sprosys.com\policies\{6AC1786C-016F-11D2-945F-00C04FB984F9},
error 2
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Default Domain Controllers Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 4(machine)
Sysvol version: not found
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Default Domain Controllers Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/28/2005 10:01:01 AM
DS version: 0(user) 4(machine)
Sysvol version: not found
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {E3668F2C-D789-4A77-822D-DEABB4B9A657}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: New Group Policy Object
Created: 4/27/2005 3:54:32 AM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 34(machine)
Sysvol version: 0(user) 34(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: New Group Policy Object
Created: 4/27/2005 3:54:32 AM
Changed: 4/28/2005 10:00:51 AM
DS version: 0(user) 34(machine)
Sysvol version: 0(user) 34(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------

Errors found

Thanks and Regards
Rajam.


Steven L Umbach said:
Well good to hear that your dns seems to working correctly. See if
anything
unusual shows in the application or system logs in Event Viewer and try
accessing the sysvol share as I explained before to see first if you can
access it and then if you can try to navigate to those policies via
domain
name\policies\31B2F....\machine\Microsoft\Windows NT\SecEdit where you
should see and be able to open the GptTmpl.inf file there. The policy
starting 31B2F.... is the default domain Group Policy. Also try running
the
support tool gpotool to see if it shows at least two Group Policies and
if
any problems are reported as far as version numbers. Another thing to
check
is to Use Active Directory Users and Computers. Then find your domain,
right
click and select properties/Group Policy where you should see default
domain
policy. For it select properties/security to make sure that domain admins
have necessary permissions which need to be at least read and write to
edit
the Group Policy. Verify that domain admins global group is a member of
the
administrators group and that you are logged on as a member of the domain
admins group. --- Steve
Click to expand...
Click to expand...
 
G

Guest

Hi steve

Thanks for ur response. Actually we dont wanna do Authrotative Restore.
Because we dont know when the problem has started. We have made lot of
changes recently in our DC like creation of users and other share and
Security permissions. If we go for authoratative restore everything what we
have done recently we will lose.
About that tool which is specified by you, How much is safety is there?
Plase advise me which is the best way to restore our Default Domain
Policies... Waiting for your reply.

Thanks and Regards
Varadarajam.

Steven L Umbach said:
Well it certainly looks like you have a problem with the two default
policies for domain and domain controller. One solution could be to an
authoritative restore of Active Directory from a System State backup from a
time before this problem occurred. if it is a fairly recent problem then
that may be a good solution assuming you have the System State backups.
Another possibility that I can think of is to use a free tool from Microsoft
to rebuild those two policies called RecreateDefpol.EX. The link for it is
below and be sure to read the instructions and warnings. That is what I
would try. You may however want to post in the Active Directory newsgroup to
see if they have any further suggestions or alternatives. --- Steve

http://www.microsoft.com/downloads/...ae-b7dd-4bb5-ab2a-976d6873129d&displaylang=en

Varadarajam said:
Hi Steven

Thanks for your reply. Actually we checked for that policy which u
mentioned
previously. Actually we dint find that policy in the Domain Controllers
Sysvol folder. If we try to change the settings of Default Domain Policy
properties also its saying u cannot access that file. We ran GPOTool also.
It
has given some errors on this Default Domain Policy. I am sending that
report
with this mail. Pls look into it and give me the suggestion on this. Is it
possible to create that Domain Default Policy. If its possible pls give me
the clear procedure for that. Waiting for your reply. Pls find the GPO
Report.
This is the report we got it when we ran GPOTool.

Domain: sprosys.com
Validating DCs...
spro.sprosys.com: OK
softpro.sprosys.com: OK
Available DCs:
spro.sprosys.com
softpro.sprosys.com
Searching for policies...
Found 7 policies
============================================================
Policy {0196EEA9-48D4-480E-8961-2E5E2C35D891}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: AccountTracking
Created: 4/26/2005 6:22:38 AM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: AccountTracking
Created: 4/26/2005 6:22:38 AM
Changed: 4/28/2005 10:01:39 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {07DDE52B-4D39-4007-BB66-B37887143BE7}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:24:50 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 33(user) 3(machine)
Sysvol version: 33(user) 3(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:24:50 PM
Changed: 4/28/2005 10:01:29 AM
DS version: 33(user) 3(machine)
Sysvol version: 33(user) 3(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {277C0E32-FC88-483F-BD63-EDA7DBA00770}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:23:24 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:23:24 PM
Changed: 4/28/2005 10:01:22 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Error: Cannot access
\\spro.sprosys.com\sysvol\sprosys.com\policies\{31B2F340-016D-11D2-945F-00C04FB984F9},
error 2
Error: Cannot access
\\softpro.sprosys.com\sysvol\sprosys.com\policies\{31B2F340-016D-11D2-945F-00C04FB984F9},
error 2
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Default Domain Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/30/2005 7:28:50 AM
DS version: 1(user) 3(machine)
Sysvol version: not found
Flags: 0
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Default Domain Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/30/2005 7:29:56 AM
DS version: 1(user) 3(machine)
Sysvol version: not found
Flags: 0
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {5176A5A6-48DD-4A96-8405-A815C10B7EA8}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: terminal
Created: 2/28/2005 12:22:15 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 1(user) 0(machine)
Sysvol version: 1(user) 0(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: terminal
Created: 2/28/2005 12:22:15 PM
Changed: 4/28/2005 10:01:08 AM
DS version: 1(user) 0(machine)
Sysvol version: 1(user) 0(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Error: Cannot access
\\spro.sprosys.com\sysvol\sprosys.com\policies\{6AC1786C-016F-11D2-945F-00C04FB984F9},
error 2
Error: Cannot access
\\softpro.sprosys.com\sysvol\sprosys.com\policies\{6AC1786C-016F-11D2-945F-00C04FB984F9},
error 2
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Default Domain Controllers Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 4(machine)
Sysvol version: not found
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Default Domain Controllers Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/28/2005 10:01:01 AM
DS version: 0(user) 4(machine)
Sysvol version: not found
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {E3668F2C-D789-4A77-822D-DEABB4B9A657}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: New Group Policy Object
Created: 4/27/2005 3:54:32 AM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 34(machine)
Sysvol version: 0(user) 34(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: New Group Policy Object
Created: 4/27/2005 3:54:32 AM
Changed: 4/28/2005 10:00:51 AM
DS version: 0(user) 34(machine)
Sysvol version: 0(user) 34(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------

Errors found

Thanks and Regards
Rajam.


Steven L Umbach said:
Well good to hear that your dns seems to working correctly. See if
anything
unusual shows in the application or system logs in Event Viewer and try
accessing the sysvol share as I explained before to see first if you can
access it and then if you can try to navigate to those policies via
domain
name\policies\31B2F....\machine\Microsoft\Windows NT\SecEdit where you
should see and be able to open the GptTmpl.inf file there. The policy
starting 31B2F.... is the default domain Group Policy. Also try running
the
support tool gpotool to see if it shows at least two Group Policies and
if
any problems are reported as far as version numbers. Another thing to
check
is to Use Active Directory Users and Computers. Then find your domain,
right
click and select properties/Group Policy where you should see default
domain
policy. For it select properties/security to make sure that domain admins
have necessary permissions which need to be at least read and write to
edit
the Group Policy. Verify that domain admins global group is a member of
the
administrators group and that you are logged on as a member of the domain
admins group. --- Steve


Hi Steven
Click to expand...
Click to expand...
Click to expand...
 
S

Steven L Umbach

Microsoft advices the use of RecreateDefpol.EXE as a last resort option. I
have tested it in a test domain and for me it worked fine. What you could do
is to make a current System State backup and then try RecreateDefpol.EXE. If
some sort of problem arises you could always restore that System State
backup and you will at least be back to where you are now. If you have a
test network with a domain controller or can whip one up, try
RecreateDefpol.EXE so you can know what to expect from it. --- Steve


Varadarajam said:
Hi steve

Thanks for ur response. Actually we dont wanna do Authrotative Restore.
Because we dont know when the problem has started. We have made lot of
changes recently in our DC like creation of users and other share and
Security permissions. If we go for authoratative restore everything what
we
have done recently we will lose.
About that tool which is specified by you, How much is safety is there?
Plase advise me which is the best way to restore our Default Domain
Policies... Waiting for your reply.

Thanks and Regards
Varadarajam.

Steven L Umbach said:
Well it certainly looks like you have a problem with the two default
policies for domain and domain controller. One solution could be to an
authoritative restore of Active Directory from a System State backup from
a
time before this problem occurred. if it is a fairly recent problem then
that may be a good solution assuming you have the System State backups.
Another possibility that I can think of is to use a free tool from
Microsoft
to rebuild those two policies called RecreateDefpol.EX. The link for it
is
below and be sure to read the instructions and warnings. That is what I
would try. You may however want to post in the Active Directory newsgroup
to
see if they have any further suggestions or alternatives. --- Steve

http://www.microsoft.com/downloads/...ae-b7dd-4bb5-ab2a-976d6873129d&displaylang=en

Varadarajam said:
Hi Steven

Thanks for your reply. Actually we checked for that policy which u
mentioned
previously. Actually we dint find that policy in the Domain Controllers
Sysvol folder. If we try to change the settings of Default Domain
Policy
properties also its saying u cannot access that file. We ran GPOTool
also.
It
has given some errors on this Default Domain Policy. I am sending that
report
with this mail. Pls look into it and give me the suggestion on this. Is
it
possible to create that Domain Default Policy. If its possible pls give
me
the clear procedure for that. Waiting for your reply. Pls find the GPO
Report.
This is the report we got it when we ran GPOTool.

Domain: sprosys.com
Validating DCs...
spro.sprosys.com: OK
softpro.sprosys.com: OK
Available DCs:
spro.sprosys.com
softpro.sprosys.com
Searching for policies...
Found 7 policies
============================================================
Policy {0196EEA9-48D4-480E-8961-2E5E2C35D891}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: AccountTracking
Created: 4/26/2005 6:22:38 AM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: AccountTracking
Created: 4/26/2005 6:22:38 AM
Changed: 4/28/2005 10:01:39 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {07DDE52B-4D39-4007-BB66-B37887143BE7}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:24:50 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 33(user) 3(machine)
Sysvol version: 33(user) 3(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:24:50 PM
Changed: 4/28/2005 10:01:29 AM
DS version: 33(user) 3(machine)
Sysvol version: 33(user) 3(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {277C0E32-FC88-483F-BD63-EDA7DBA00770}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:23:24 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:23:24 PM
Changed: 4/28/2005 10:01:22 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Error: Cannot access
\\spro.sprosys.com\sysvol\sprosys.com\policies\{31B2F340-016D-11D2-945F-00C04FB984F9},
error 2
Error: Cannot access
\\softpro.sprosys.com\sysvol\sprosys.com\policies\{31B2F340-016D-11D2-945F-00C04FB984F9},
error 2
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Default Domain Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/30/2005 7:28:50 AM
DS version: 1(user) 3(machine)
Sysvol version: not found
Flags: 0
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Default Domain Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/30/2005 7:29:56 AM
DS version: 1(user) 3(machine)
Sysvol version: not found
Flags: 0
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {5176A5A6-48DD-4A96-8405-A815C10B7EA8}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: terminal
Created: 2/28/2005 12:22:15 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 1(user) 0(machine)
Sysvol version: 1(user) 0(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: terminal
Created: 2/28/2005 12:22:15 PM
Changed: 4/28/2005 10:01:08 AM
DS version: 1(user) 0(machine)
Sysvol version: 1(user) 0(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Error: Cannot access
\\spro.sprosys.com\sysvol\sprosys.com\policies\{6AC1786C-016F-11D2-945F-00C04FB984F9},
error 2
Error: Cannot access
\\softpro.sprosys.com\sysvol\sprosys.com\policies\{6AC1786C-016F-11D2-945F-00C04FB984F9},
error 2
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Default Domain Controllers Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 4(machine)
Sysvol version: not found
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Default Domain Controllers Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/28/2005 10:01:01 AM
DS version: 0(user) 4(machine)
Sysvol version: not found
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {E3668F2C-D789-4A77-822D-DEABB4B9A657}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: New Group Policy Object
Created: 4/27/2005 3:54:32 AM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 34(machine)
Sysvol version: 0(user) 34(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: New Group Policy Object
Created: 4/27/2005 3:54:32 AM
Changed: 4/28/2005 10:00:51 AM
DS version: 0(user) 34(machine)
Sysvol version: 0(user) 34(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------

Errors found

Thanks and Regards
Rajam.


:

Well good to hear that your dns seems to working correctly. See if
anything
unusual shows in the application or system logs in Event Viewer and
try
accessing the sysvol share as I explained before to see first if you
can
access it and then if you can try to navigate to those policies via
domain
name\policies\31B2F....\machine\Microsoft\Windows NT\SecEdit where you
should see and be able to open the GptTmpl.inf file there. The policy
starting 31B2F.... is the default domain Group Policy. Also try
running
the
support tool gpotool to see if it shows at least two Group Policies
and
if
any problems are reported as far as version numbers. Another thing to
check
is to Use Active Directory Users and Computers. Then find your domain,
right
click and select properties/Group Policy where you should see default
domain
policy. For it select properties/security to make sure that domain
admins
have necessary permissions which need to be at least read and write to
edit
the Group Policy. Verify that domain admins global group is a member
of
the
administrators group and that you are logged on as a member of the
domain
admins group. --- Steve


Hi Steven
Click to expand...
Click to expand...
Click to expand...
 
G

Guest

Hi Steve

Thanks for your reply. Actually we tried with a new test domain. Then we
tried with this tool., It worked fine. I got that Security Policies back.
Then i installed it on our main DC. Nothing wrong happned. We got our Defualt
Domain Policy back. But we need to apply some policies then, we need to check
these are applying or not. Let see.. Anyhave we really very thank ful to u
Mr.Steven that u have spent lot of time on our problem. Thank you very much.
i will get back to you soon.

Varadarajam.

Steven L Umbach said:
Microsoft advices the use of RecreateDefpol.EXE as a last resort option. I
have tested it in a test domain and for me it worked fine. What you could do
is to make a current System State backup and then try RecreateDefpol.EXE. If
some sort of problem arises you could always restore that System State
backup and you will at least be back to where you are now. If you have a
test network with a domain controller or can whip one up, try
RecreateDefpol.EXE so you can know what to expect from it. --- Steve


Varadarajam said:
Hi steve

Thanks for ur response. Actually we dont wanna do Authrotative Restore.
Because we dont know when the problem has started. We have made lot of
changes recently in our DC like creation of users and other share and
Security permissions. If we go for authoratative restore everything what
we
have done recently we will lose.
About that tool which is specified by you, How much is safety is there?
Plase advise me which is the best way to restore our Default Domain
Policies... Waiting for your reply.

Thanks and Regards
Varadarajam.

Steven L Umbach said:
Well it certainly looks like you have a problem with the two default
policies for domain and domain controller. One solution could be to an
authoritative restore of Active Directory from a System State backup from
a
time before this problem occurred. if it is a fairly recent problem then
that may be a good solution assuming you have the System State backups.
Another possibility that I can think of is to use a free tool from
Microsoft
to rebuild those two policies called RecreateDefpol.EX. The link for it
is
below and be sure to read the instructions and warnings. That is what I
would try. You may however want to post in the Active Directory newsgroup
to
see if they have any further suggestions or alternatives. --- Steve

http://www.microsoft.com/downloads/...ae-b7dd-4bb5-ab2a-976d6873129d&displaylang=en

Hi Steven

Thanks for your reply. Actually we checked for that policy which u
mentioned
previously. Actually we dint find that policy in the Domain Controllers
Sysvol folder. If we try to change the settings of Default Domain
Policy
properties also its saying u cannot access that file. We ran GPOTool
also.
It
has given some errors on this Default Domain Policy. I am sending that
report
with this mail. Pls look into it and give me the suggestion on this. Is
it
possible to create that Domain Default Policy. If its possible pls give
me
the clear procedure for that. Waiting for your reply. Pls find the GPO
Report.
This is the report we got it when we ran GPOTool.

Domain: sprosys.com
Validating DCs...
spro.sprosys.com: OK
softpro.sprosys.com: OK
Available DCs:
spro.sprosys.com
softpro.sprosys.com
Searching for policies...
Found 7 policies
============================================================
Policy {0196EEA9-48D4-480E-8961-2E5E2C35D891}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: AccountTracking
Created: 4/26/2005 6:22:38 AM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: AccountTracking
Created: 4/26/2005 6:22:38 AM
Changed: 4/28/2005 10:01:39 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {07DDE52B-4D39-4007-BB66-B37887143BE7}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:24:50 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 33(user) 3(machine)
Sysvol version: 33(user) 3(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:24:50 PM
Changed: 4/28/2005 10:01:29 AM
DS version: 33(user) 3(machine)
Sysvol version: 33(user) 3(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {277C0E32-FC88-483F-BD63-EDA7DBA00770}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:23:24 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:23:24 PM
Changed: 4/28/2005 10:01:22 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Error: Cannot access
\\spro.sprosys.com\sysvol\sprosys.com\policies\{31B2F340-016D-11D2-945F-00C04FB984F9},
error 2
Error: Cannot access
\\softpro.sprosys.com\sysvol\sprosys.com\policies\{31B2F340-016D-11D2-945F-00C04FB984F9},
error 2
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Default Domain Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/30/2005 7:28:50 AM
DS version: 1(user) 3(machine)
Sysvol version: not found
Flags: 0
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Default Domain Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/30/2005 7:29:56 AM
DS version: 1(user) 3(machine)
Sysvol version: not found
Flags: 0
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {5176A5A6-48DD-4A96-8405-A815C10B7EA8}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: terminal
Created: 2/28/2005 12:22:15 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 1(user) 0(machine)
Sysvol version: 1(user) 0(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: terminal
Created: 2/28/2005 12:22:15 PM
Changed: 4/28/2005 10:01:08 AM
DS version: 1(user) 0(machine)
Sysvol version: 1(user) 0(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Error: Cannot access
\\spro.sprosys.com\sysvol\sprosys.com\policies\{6AC1786C-016F-11D2-945F-00C04FB984F9},
error 2
Error: Cannot access
\\softpro.sprosys.com\sysvol\sprosys.com\policies\{6AC1786C-016F-11D2-945F-00C04FB984F9},
error 2
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Default Domain Controllers Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 4(machine)
Sysvol version: not found
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Default Domain Controllers Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/28/2005 10:01:01 AM
DS version: 0(user) 4(machine)
Sysvol version: not found
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {E3668F2C-D789-4A77-822D-DEABB4B9A657}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: New Group Policy Object
Created: 4/27/2005 3:54:32 AM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 34(machine)
Sysvol version: 0(user) 34(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: New Group Policy Object
Created: 4/27/2005 3:54:32 AM
Changed: 4/28/2005 10:00:51 AM
DS version: 0(user) 34(machine)
Sysvol version: 0(user) 34(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------

Errors found

Thanks and Regards
Click to expand...
Click to expand...
Click to expand...
 
S

Steven L Umbach

Excellent. Glad to help and thanks for posting back your results! --- Steve


Varadarajam said:
Hi Steve

Thanks for your reply. Actually we tried with a new test domain. Then we
tried with this tool., It worked fine. I got that Security Policies back.
Then i installed it on our main DC. Nothing wrong happned. We got our
Defualt
Domain Policy back. But we need to apply some policies then, we need to
check
these are applying or not. Let see.. Anyhave we really very thank ful to u
Mr.Steven that u have spent lot of time on our problem. Thank you very
much.
i will get back to you soon.

Varadarajam.

Steven L Umbach said:
Microsoft advices the use of RecreateDefpol.EXE as a last resort option.
I
have tested it in a test domain and for me it worked fine. What you could
do
is to make a current System State backup and then try RecreateDefpol.EXE.
If
some sort of problem arises you could always restore that System State
backup and you will at least be back to where you are now. If you have a
test network with a domain controller or can whip one up, try
RecreateDefpol.EXE so you can know what to expect from it. --- Steve


Varadarajam said:
Hi steve

Thanks for ur response. Actually we dont wanna do Authrotative Restore.
Because we dont know when the problem has started. We have made lot of
changes recently in our DC like creation of users and other share and
Security permissions. If we go for authoratative restore everything
what
we
have done recently we will lose.
About that tool which is specified by you, How much is safety is there?
Plase advise me which is the best way to restore our Default Domain
Policies... Waiting for your reply.

Thanks and Regards
Varadarajam.

:

Well it certainly looks like you have a problem with the two default
policies for domain and domain controller. One solution could be to an
authoritative restore of Active Directory from a System State backup
from
a
time before this problem occurred. if it is a fairly recent problem
then
that may be a good solution assuming you have the System State
backups.
Another possibility that I can think of is to use a free tool from
Microsoft
to rebuild those two policies called RecreateDefpol.EX. The link for
it
is
below and be sure to read the instructions and warnings. That is what
I
would try. You may however want to post in the Active Directory
newsgroup
to
see if they have any further suggestions or alternatives. --- Steve

http://www.microsoft.com/downloads/...ae-b7dd-4bb5-ab2a-976d6873129d&displaylang=en

Hi Steven

Thanks for your reply. Actually we checked for that policy which u
mentioned
previously. Actually we dint find that policy in the Domain
Controllers
Sysvol folder. If we try to change the settings of Default Domain
Policy
properties also its saying u cannot access that file. We ran GPOTool
also.
It
has given some errors on this Default Domain Policy. I am sending
that
report
with this mail. Pls look into it and give me the suggestion on this.
Is
it
possible to create that Domain Default Policy. If its possible pls
give
me
the clear procedure for that. Waiting for your reply. Pls find the
GPO
Report.
This is the report we got it when we ran GPOTool.

Domain: sprosys.com
Validating DCs...
spro.sprosys.com: OK
softpro.sprosys.com: OK
Available DCs:
spro.sprosys.com
softpro.sprosys.com
Searching for policies...
Found 7 policies
============================================================
Policy {0196EEA9-48D4-480E-8961-2E5E2C35D891}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: AccountTracking
Created: 4/26/2005 6:22:38 AM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: AccountTracking
Created: 4/26/2005 6:22:38 AM
Changed: 4/28/2005 10:01:39 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {07DDE52B-4D39-4007-BB66-B37887143BE7}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:24:50 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 33(user) 3(machine)
Sysvol version: 33(user) 3(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:24:50 PM
Changed: 4/28/2005 10:01:29 AM
DS version: 33(user) 3(machine)
Sysvol version: 33(user) 3(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {277C0E32-FC88-483F-BD63-EDA7DBA00770}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:23:24 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Terminal
Created: 2/28/2005 2:23:24 PM
Changed: 4/28/2005 10:01:22 AM
DS version: 0(user) 0(machine)
Sysvol version: 0(user) 0(machine)
Flags: 0
User extensions: not found
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Error: Cannot access
\\spro.sprosys.com\sysvol\sprosys.com\policies\{31B2F340-016D-11D2-945F-00C04FB984F9},
error 2
Error: Cannot access
\\softpro.sprosys.com\sysvol\sprosys.com\policies\{31B2F340-016D-11D2-945F-00C04FB984F9},
error 2
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Default Domain Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/30/2005 7:28:50 AM
DS version: 1(user) 3(machine)
Sysvol version: not found
Flags: 0
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Default Domain Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/30/2005 7:29:56 AM
DS version: 1(user) 3(machine)
Sysvol version: not found
Flags: 0
User extensions:
[{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {5176A5A6-48DD-4A96-8405-A815C10B7EA8}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: terminal
Created: 2/28/2005 12:22:15 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 1(user) 0(machine)
Sysvol version: 1(user) 0(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: terminal
Created: 2/28/2005 12:22:15 PM
Changed: 4/28/2005 10:01:08 AM
DS version: 1(user) 0(machine)
Sysvol version: 1(user) 0(machine)
Flags: 0
User extensions:
[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Error: Cannot access
\\spro.sprosys.com\sysvol\sprosys.com\policies\{6AC1786C-016F-11D2-945F-00C04FB984F9},
error 2
Error: Cannot access
\\softpro.sprosys.com\sysvol\sprosys.com\policies\{6AC1786C-016F-11D2-945F-00C04FB984F9},
error 2
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: Default Domain Controllers Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 4(machine)
Sysvol version: not found
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: Default Domain Controllers Policy
Created: 10/12/2004 4:37:20 PM
Changed: 4/28/2005 10:01:01 AM
DS version: 0(user) 4(machine)
Sysvol version: not found
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {E3668F2C-D789-4A77-822D-DEABB4B9A657}
Policy OK
Details:
------------------------------------------------------------
DC: spro.sprosys.com
Friendly name: New Group Policy Object
Created: 4/27/2005 3:54:32 AM
Changed: 4/28/2005 10:05:15 AM
DS version: 0(user) 34(machine)
Sysvol version: 0(user) 34(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: softpro.sprosys.com
Friendly name: New Group Policy Object
Created: 4/27/2005 3:54:32 AM
Changed: 4/28/2005 10:00:51 AM
DS version: 0(user) 34(machine)
Sysvol version: 0(user) 34(machine)
Flags: 0
User extensions: not found
Machine extensions:
[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
Functionality version: 2
------------------------------------------------------------

Errors found

Thanks and Regards
Click to expand...
Click to expand...
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

domain security policy 6
Can't open domain security policy in AD when primary domain controller is turned off 7
Object Access Audit Policy for a Domain 4
Domain Controller Security Policy vs. Domain Security Policy? 1
Local Security Policy on a DC 6
user and administrator policies 2
DOMAIN SECURITY GROUP POLICY 3
Kerberos policy on Windows 2000 domain controllers 1

Top