Domain controller policy not acessable

  • Thread starter Thread starter SONY
  • Start date Start date
S

SONY

I am not able to acess the domain controller security
policy .It gives me error that either u donot have
permissions or it does not exist .I am logged with admin.I
am not able to creat a user in Ad and not able to join
cleiant to domain.

If any clue

Thanx

Sony
 
Hi Sony

If you can provide the exact error message that you're seeing and the
operating system of the DC(s), it will be a lot easier to provide advice.
Also, are you trying to access the policy from a Domain Controller itself or
from a client with the Admin tool installed?

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
I have te same problem too. When i try to access the default domain controller SECURITY policy at the server i.e. local access, its gives an error stating that "Failed to open group policy object. You may not have appropriate rights. Details: The system could not find the specified path." Then a console open with a red X marked at the root of the console.

I'm on enterprise Admin privilege. So I cannot create any policies pertaining only to domain controllers and fear that if I add a dc or demote a DC, this error could lead to massive problems.
 
Can either of you use explorer to browse to

%systemroot%\\SYSVOL\sysvol\<domain_name>\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}

or

%systemroot%\\SYSVOL\sysvol\<domain_name>\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}

Are these folders empty or do they contain data (besides a folder
structure)?

What operating system are the DC's?

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
I have 2 DC. Both are on W2k SP4. Both the policy folders are there. The one with 016d has more contents in its sub folders compared to 016F. I know that one of it is the default domain policy and the other is default domain ctrl policy
The sub folder are adm,machine and user for both

for both 016d & 016
in Adm folder, I have conf,inetres and system, all with adm ex

For 016d, folder structur
root-Gpt.in
Machine(folder
App
Microsof
Win N
Secedit
GptTmpl.in
Script
Startu
Shutdow

Use
Document & settin
fdeploy.in
Script
Logo
Logof


For 016f, folder structur
root-gpt.in
Machine(folder
Microsof
Win N
Secedit
GptTmpl.in
User


That's i
 
Same here I have 2 dcs and the sysvol folder contains all
the policy folders as it is .One want to tell here that i
am on W2k server sp4.I am getting continues error after
each 2 minutes that source is Sam and Desc: The account-
identifier allocator failed to initialize properly. The
record data contains the NT error code that caused the
failure. Windows 2000 will retry the initialization until
it succeeds; until that time, account creation will be
denied on this Domain Controller. Please look for other
SAM event logs that may indicate the exact reason for the
failure.

I also want to tell that server was crashed few dayz back
and i reinstalled everything back and it was fine till
yesterday.Tommorow onwards i was not able to join a cleint
to domain.It is so crucial right now and i anot able creat
a user even the eror comming is Windows canot creat object
because directory service was unable to allocate relative
identifier.

I will apriciate if somebody can give me clue

With regards

Sony











I have 2 DC. Both are on W2k SP4. Both the policy folders
Click to expand...
are there. The one with 016d has more contents in its sub
folders compared to 016F. I know that one of it is the
default domain policy and the other is default domain ctrl
policy.
 
Hi Sony

This might be relevant:

839879 Event ID 16650: The account-identifier allocator failed to initialize
in
http://support.microsoft.com/?id=839879

If the issue is urgent, I'd suggest logging a support call with Microsoft so
that they can gather all relevant data and help you work through the issue.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hi Saravanan

Please provide a copy of the relevant events that you're seeing in the event
log. The whole event - ID and Description is best.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
mark, the problem is i don't get any error log when i access the default domain ctrl group policy. My dir srv , DNS & FRS logs are all clean. Therefore, i have to config a domain level policy even though I just want a domain ctrl level policy created. Another suggestion, can I copy this default domain ctrl policy from another DC which is not from my domain provided that it has not been editted?? Next can I created another policy to replace this default one which is problematic, providing I match all the policy info with the default one?

Thanks
 
Hi Saravanan

You can copy the default policy files from another installation of Windows
2000. Just make sure you match the {GUID} folders on each side of the copy
process.

If you were using Windows Server 2003, you could have used

dcgpofix /target:both

This rebuilds the default policies.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Back
Top