New Group Policy Using Windows 2000 Snap-in

Guest

Can you create and edit a new group policy using the Windows 2000 snap-in
after upgrading your PDC and other domain controllers to Windows Server 2003,
Standard Edition? When I try this it lets me add a new one, but when I click
Edit I get an error message: Failed to open the Group Policy Object. You
may not have appropriate rights. Details: The system cannot find the path
specified. It's looking for the file on the PDC, which is located in a
different site. Prior to upgrading to 2003 the PDC was in the same site I am
in. I am a domain administrator. Things appear to be working correctly
using the GPMC. Any help would be appreciated.
 
Glenn L

You can continue to administer GPO from W2K after you upgrade some or all
DCs to W2K3.

There are many reasons for this error.

Can you create and edit GPOs from the PDC itself?
Can you create and edit GPOs from other W2K3 DCs?

Does it only fail from a W2K system?
Is the W2K system a DC or a member server/workstation?

I bet you are seeing a mismatch with SMB signing requirements.
Export HKLM\system\CCS\services\lanmanserver\parameters &
lanmanworkstation\parameters from both the PDC and your W2K management
station.
Paste into this thread identifying which is which.
We can see from this if there is a mismatch in the signing requirements.
 
Guest

Yes, I can create and edit GPOs from the PDC. I have mixed results when
creating and editing from others. When I created and edited from an upgraded
domain controller, at one point I received this error message when opening
Group Policy Management: The Enterprise Domain Controllers group must have
read access on all GPOs in the domain in order for Group Policy Modeling to
function properly. I can't even find that group to add it. However, when I
tried to create and edit a GPO on this same domain controller I received the
same error message as in my original post. On the PDC (which was upgraded to
W2K3) and a DC that was a fresh install I was able to create and edit a GPO
with no problem.

Initially I was trying to create and edit the policy from a Windows 2000
Workstation with Service Pack 4, and also from a W2K workstation with SP3.

Below are the registry exports you requested. The first two are from the
workstation and the second two from the PDC.

Well -- I did the export, but can't figure out how to paste them in here
(sorry, I've not used this forum much).
 
Guest

Sorry for such a dumb question. I was expecting to be able to copy to .reg
file in here.

From the W2K workstation:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000001
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"OtherDomains"=hex(7):00,00

From the W2K workstation:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionPipes"=hex(7):43,00,4f,00,4d,00,4e,00,41,00,50,00,00,00,43,00,4f,\
00,4d,00,4e,00,4f,00,44,00,45,00,00,00,53,00,51,00,4c,00,5c,00,51,00,55,00,\
45,00,52,00,59,00,00,00,53,00,50,00,4f,00,4f,00,4c,00,53,00,53,00,00,00,45,\
00,50,00,4d,00,41,00,50,00,50,00,45,00,52,00,00,00,4c,00,4f,00,43,00,41,00,\
54,00,4f,00,52,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,54,00,72,\
00,6b,00,53,00,76,00,72,00,00,00,00,0
"NullSessionShares"=hex(7):43,00,4f,00,4d,00,43,00,46,00,47,00,00,00,44,00,46,\
00,53,00,24,00,00,00,00,00
"Lmannounce"=dword:00000000
"Size"=dword:00000001
"Guid"=hex:09,78,09,15,09,40,35,4b,ac,ed,78,3e,da,a3,8f,7c
"CachedOpenLimit"=dword:00000000

=======

From the PDC (upgrade from W2K to W2K3):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000000
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000
"OtherDomains"=hex(7):00,00
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
77,00,6b,00,73,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00

From the PDC:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000001
"NullSessionPipes"=hex(7):43,00,4f,00,4d,00,4e,00,41,00,50,00,00,00,43,00,4f,\
00,4d,00,4e,00,4f,00,44,00,45,00,00,00,53,00,51,00,4c,00,5c,00,51,00,55,00,\
45,00,52,00,59,00,00,00,53,00,50,00,4f,00,4f,00,4c,00,53,00,53,00,00,00,45,\
00,50,00,4d,00,41,00,50,00,50,00,45,00,52,00,00,00,4c,00,4f,00,43,00,41,00,\
54,00,4f,00,52,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,54,00,72,\
00,6b,00,53,00,76,00,72,00,00,00,43,00,45,00,52,00,54,00,00,00,48,00,79,00,\
64,00,72,00,61,00,4c,00,73,00,50,00,69,00,70,00,65,00,00,00,54,00,65,00,72,\
00,6d,00,53,00,65,00,72,00,76,00,4c,00,69,00,63,00,65,00,6e,00,73,00,69,00,\
6e,00,67,00,00,00,54,00,4d,00,52,00,50,00,43,00,5c,00,53,00,50,00,4e,00,54,\
00,53,00,56,00,43,00,00,00,54,00,4d,00,52,00,50,00,43,00,5c,00,53,00,74,00,\
57,00,61,00,74,00,63,00,68,00,44,00,6f,00,67,00,00,00,00,0
"NullSessionShares"=hex(7):43,00,4f,00,4d,00,43,00,46,00,47,00,00,00,44,00,46,\
00,53,00,24,00,00,00,00,00
"Lmannounce"=dword:00000000
"Size"=dword:00000003
"Guid"=hex:bb,ef,94,6d,76,58,e2,40,aa,43,ed,fa,4d,1c,73,f4
"restrictnullsessaccess"=dword:00000001
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
73,00,72,00,76,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00
 
Glenn L

Well, the results of this do not show a mismatch in SMB signing settings.
Perhaps the problem is actually a name DFS referral problem for accessing
sysvol.
Please verify the DFS service is running on all domain controllers.

Also, as a workaround, you can set up GPMC as your group policy management
interface.
This allows you to edit a GPO by focusing on any domain controller you
choose.


--
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security
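
As an added example (not code posted by anyone in this thread), the Python script below performs the comparison described above: it parses the two exported keys and checks the client-side (lanmanworkstation) signing values of one machine against the server-side (lanmanserver) values of the other. It assumes the classic SMB1 rule that a session fails only when one side requires signing and the other has it neither enabled nor required; the function names and the third sample export are constructed for illustration.

```python
import re

# Signing-related lines copied from the exports posted in this thread.
W2K_WORKSTATION = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enableplaintextpassword"=dword:00000001
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"autodisconnect"=dword:0000000f
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
"NullSessionShares"=hex(7):43,00,4f,00,4d,00,43,00,46,00,47,00,00,00,44,00,46,\
  00,53,00,24,00,00,00,00,00
'''

PDC = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000001
'''

# Constructed sample (not from the thread): a client with signing switched off.
CONSTRUCTED_CLIENT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enablesecuritysignature"=dword:00000000
"requiresecuritysignature"=dword:00000000
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
ROLES = {'lanmanworkstation': 'client', 'lanmanserver': 'server'}
VALUES = {'enablesecuritysignature': 'enable', 'requiresecuritysignature': 'require'}


def parse_signing(reg_text):
    """Extract the signing flags per role; a flag absent from the export is None."""
    out = {role: {'enable': None, 'require': None} for role in ROLES.values()}
    role = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            parts = key.group(1).lower().split('\\')
            is_params = len(parts) >= 2 and parts[-1] == 'parameters'
            role = ROLES.get(parts[-2]) if is_params else None
            continue
        value = DWORD_RE.match(line)  # hex(...) values and their continuations are skipped
        if value and role and value.group(1).lower() in VALUES:
            out[role][VALUES[value.group(1).lower()]] = int(value.group(2), 16) != 0
    return out


def negotiate(client, server):
    """Return 'signed', 'unsigned', 'mismatch' or 'unknown' for one client/server pair."""
    flags = (client['enable'], client['require'], server['enable'], server['require'])
    if None in flags:
        return 'unknown'
    client_capable = client['enable'] or client['require']
    server_capable = server['enable'] or server['require']
    if (client['require'] and not server_capable) or \
       (server['require'] and not client_capable):
        return 'mismatch'
    return 'signed' if client_capable and server_capable else 'unsigned'


def check_pair(client_reg, server_reg):
    """Compare the client side of one export with the server side of another."""
    return negotiate(parse_signing(client_reg)['client'],
                     parse_signing(server_reg)['server'])


if __name__ == '__main__':
    print('W2K workstation -> PDC:', check_pair(W2K_WORKSTATION, PDC))
    print('PDC -> W2K workstation:', check_pair(PDC, W2K_WORKSTATION))
    print('constructed client -> PDC:', check_pair(CONSTRUCTED_CLIENT, PDC))
```

With the values posted in the thread, neither direction produces a mismatch; only the constructed client with signing disabled would be refused by a server that requires it.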



Guest

I checked the DFS on each domain controller, and it is running -- starts
automatically. I noticed that the dependencies on the server that was built
with 2003 and not upgraded has an additional dependency of Security Accounts
Manager, then RPC, along with Server and Workstation, while the domain
controllers that were upgraded from 2000 to 2003 only have Server and
Workstation.

How would I invoke the workaround since my workstation is running Windows
2000, SP4? Do you think Windows XP would behave any differently?


Glenn L

You must use XP or W2K3 to use GPMC.

http://support.microsoft.com/default.aspx?scid=kb;en-us;818735
http://support.microsoft.com/default.aspx?scid=kb;en-us;326469

--
Glenn L
CCNA, MCSE 2000, MCSE 2003 + Security



Guest

Thanks for trying to help me resolve this. Please let me know if you think
of anything else. At this point I guess we'll just have to log on to the
domain controller if we need to add a new policy. Should it make a
difference if we were members of the Enterprise Administrators group?
