error when trying to get a remote security policy... Please help!!!

[Rob Roberts]

I have a PC connected to the LAN and I have local admin rights on this PC.
I can connect using admin shares, I can alter the Users and Groups using the
Computer Management tool and perform just about every other administrator
task but when I try to view the Group Policy in effect on the PC I get the
following message:
Title: "Group Policy Error."
Contents: "Failed to open the Group Policy Object on ... You may not have
appropriate rights."
I am trying to access the Group Policy by using the gpedit tool with command
line switches. Does anyone have any ideas as to how I can reset the current
policy remotely? How could the user prevent an admin from accessing the
Group Policy object on that PC? Anything would help PLEASE!!
Cheers,
Jeff Beach.

 

[Steven Umbach]

From a remote computer try using mmc Group Policy snapin - other computer and
browse or enter the target computers name/IP address. You will have to be logged
onto the remote computer with an account that has admin credentials on the
computer you are trying to access. --- Steve

 

[Rob Roberts]

Steve,
I have tried that and I get the message that I mentioned below. I do have
admin access on the PC that I am logged into and on the PC that I am trying
to get the security policy from, infact I have network admin access. I am
using the command line: gpedit.msc /gpcomputer:"PC_Name" but I keep
getting the error "Failed to open Group Policy Object on... You may not
have appropriate rights." Any ideas as to what may be happening? Or how I
can force the Group Policy to reset ... or something like that? Is there
some way that the user could use the Local Security Policy to override any
others from coming in and changing it? Any ideas would help!!
Thanks,
Jeff Beach.

 

[Steven L Umbach]

Are there any messages in Event Viewer that may indicate a problem such as a
corrupt secedit.sdb log?? Is this a domain machine? A regular user can not
change local security/policy settings to lock you out but someome with admin
credentials could. I would also check ntfs permissions via administrative
share to \winnt folder, \winnt\security folder, \winnt\system 32 folder, and
\winnt\system32\group policy folders to see that that you have proper
permissions. Also check permissions on the mmc.exe file. I understand you
only have remote access to this computer and not to the console? --- Steve

 

[Steven L Umbach]

Also check that you indeed are trying to access the computer with local
admin credentials. If the computer has been "hacked" by local user, etc your
account may have been removed from the local admin group. If you can access
the security logs remotely via Computer Management - other computer/Event
Viewer, then you know you have admin rights on that computer. --- Steve

 

[Rob Roberts]

Steven,
There are no messages in the Event Viewer that I can see. Yes this PC is
a domain machine. As for the rights on the directories that you
mentioned, I have full admin rights on the directories. As well as full
admin rights on the mmc.exe file. Assuming that the PC realizes that I am
contained within the local Administrators group, but I don't see how I would
get access if I didn't have the rights. Yup, I only have remote access.
It's a real pain in the arse, but it's all that I have. Any other
ideas!?...
Thanks.

 

[Rob Roberts]

Steve,
I can access the PC and the security logs remotely, I can add/remove users
from the local Administrators group and perform all other functions that
require administrator access. I cannot figure this out...
Cheers.

 

[Steven L Umbach]

Hmm. Can you access the local Group Policy on the machine you are trying to
access from?? Are you having the same problem trying to access local Group
Policy on other machines or just this one? I have not tried this myself but
try using PsExec from Sysinternals to run gpresult on that machine remotely
to see what it reports. If you use the gpresult /u /v command you will get
more specific info on what user policies are being applied.

http://support.microsoft.com/default.aspx?scid=kb;en-us;321709 -- gpresult
http://www.sysinternals.com/ntw2k/freeware/psexec.shtml -- psexec

 

[Rob Roberts]

Steven,
Nope I cannot access the Local Security Policy either, remotely or while
sitting infront of the PC. This seems to be the only machine that this
happens to. I can edit my Local/Group Policy and all others but this
machine. I have not tried the tools that you suggested yet and I will
today. I just thought that I would send some more information in the off
chance that it helps. Let me know and I will let you know when I try the
tools.
Cheers.

 

[Steven L Umbach]

Running gpresult on that computer will help in telling you where policy is
being applied from and gpresult /u /v will further show what user
configuration policies are being applied. It also may be possible that there
is corruption of the local policies on that machine, hopefully gpresult
would report that. Se the link below for a registry mod to registry that may
work. It may also help, if nothing else works, to try and rename the two
registry.pol files in the \winnt\system32\group policy\user and \machine
folders and then rebooting [new ones will be created at first attempt to
configure local Group Policy or copy ones from a like good workstation] and
also copying a secedit.sdb file from a like configured good workstation to
the \winnt\security\dtatbase folder after renaming the old one. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;it;263166 -- this worked
for me on a workstation.