Failed to Open the Group Policy Object

D

David Sapery

When I try to edit a GPO from my XP SP1 computer using AD Users & Computers
| Properties | Group Policy | Edit, I get the following error message for
ANY of the GPO's:

Group Policy Error:

Failed to open the Group Policy Object. You may not have appropriate
rights.

Details: The parameter is incorrect.

This error occurs regardless of whether I'm logged into the XP box as myself
(I'm a member of Domain Admins) or the domain Administrator account.

If I do this from the domain controller itself, I have no problem editing
the GPO.

There is nothing of note in the event logs.
 
D

David Sapery

I've discovered another quirk that might trigger something in someone's
head...

I get this error only when I try to access the GPO editor through DSA. If I
run MMC and add the gpedit snapin, I'm able to select a specific GPO and I
am able to edit it.
 
S

Steven L Umbach

Hi Dave.

Interesting that you can edit from one but not the other. I have not
experienced that myself but this is what I would check.

I would verify that only domain controllers are listed as preferred dns
servers in your computer's tcp/ip properties as shown by Ipconfig /all. If
any ISP dns servers are listed you can have erratic results if the ISP dns
server is used because of a lag in response from a domain controller. Also
run the netdiag support tool on your computer next time it happens to see if
any errors are reported relating to dclist, dns, kerberos, or secure channel
which could indicate a configuration problem or problem with the secure
channel/computer account. Enable logon events for at least failure in your
Domain Controller Security Policy and see if any logon failure is reported
in the log of a domain controller the next time this happens. The logon
failures often have helpful information as why a user was denied access. If
you are comfortable with a packet sniffer such as Ethereal, you might try to
install it on your XP computer and capture the packet exchange sequence for
when you try to edit GP to see if will give any clues as to being a
connectivity, name resolution, or authentication problem. SMB signing can be
a problem with a XP SP1 computer in a W2K domain but if you can map to an
administrative share on your domain controller as in \\dc1.mydomain.com\c$
, particularly the pdc fsmo, and move test files back and forth that is
unlikely to be the problem. If you can try to install Adminpak from Windows
2003 on another XP SP1 domain computer, having the same dns preferred
servers as your problem computer, to see what happens. Keep in mind that XP
Pro can use stored credentials that can cause problems on occasion though I
am not sure why one method of editing GP would work and one not but still
worth checking out as a leave no stone unturned troubleshooting method. ---
Steve

http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prdp_log_vkxx.asp -
- XP stored credentials.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Failed to Open Group Policy Object - The Parameter is incorrect 4
Using Group Policy to define a Password Policy 1
cannot edit group policy in windows 2003 DC 1
Error : Failed to Open Group Policy Object 1
Failed to open the group policy object 8
local security policy does not get applied 2
Failed to open Group Policy Object 3
Can't access default group policy 2

Top