
Failed to open the Group Policy object. You may not have appropriate

Status
Not open for further replies.

ceil32

MIS
Apr 8, 2008
263
IE
When I try to open the Domain Controller Security Policy, I get the following error:

"Failed to open the Group Policy object. You may not have appropriate rights"

I've edited the registry under \HKLM\SYSTEM\CurrentControlSet\Services\LanManWorkstation\parameters as specified in the MS fix & restarted the Server - this made no difference.

I've run GPOTool and all policies are OK.

Can anyone help?
 
I've also installed and run ADSIEdit.msc and have permissions on all policy objects.

I can also browse to all policy folders under the \SYSVOL share
 
Here is the output from Netdiag:

.....................................

Computer Name: DC1
DNS Host Name: DC1.domainname.com
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
List of installed hotfixes :


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Local Area Connection 2

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : DC1
IP Address . . . . . . . . : 10.0.2.9
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 10.0.2.254
Dns Servers. . . . . . . . : 10.0.2.9


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
No remote names have been found.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{E1B1CC83-1E4F-4E49-9A95-9695FF580C8D}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed
[WARNING]: The DNS registration for 'DC1.domainname.com' is correct only on some DNS servers.
Please wait 15 min for replication and run the test again.
PASS - All the DNS entries for DC are registered on DNS server '10.0.2.9' and other DCs also have some of the names registered.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{E1B1CC83-1E4F-4E49-9A95-9695FF580C8D}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{E1B1CC83-1E4F-4E49-9A95-9695FF580C8D}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'DC2.domainname.com'.
[WARNING] Failed to query SPN registration on DC 'DC1.domainname.com'.


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.


The command completed successfully

----------------

DCDiag output as follows:

DC Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial non skippeable tests

Testing server: Domain\PDC
Starting test: Connectivity
......................... PDC passed test Connectivity

Doing primary tests

Testing server: MPI\PDC
Starting test: Replications
......................... PDC passed test Replications
Starting test: NCSecDesc
......................... PDC passed test NCSecDesc
Starting test: NetLogons
......................... PDC passed test NetLogons
Starting test: Advertising
......................... PDC passed test Advertising
Starting test: KnowsOfRoleHolders
......................... PDC passed test KnowsOfRoleHolders
Starting test: RidManager
......................... PDC passed test RidManager
Starting test: MachineAccount
......................... PDC passed test MachineAccount
Starting test: Services
......................... PDC passed test Services
Starting test: ObjectsReplicated
......................... PDC passed test ObjectsReplicated
Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... PDC passed test frssysvol
Starting test: kccevent
......................... PDC passed test kccevent
Starting test: systemlog
......................... PDC passed test systemlog

Running enterprise tests on : domainname
Starting test: Intersite
......................... domainname passed test Intersite
Starting test: FsmoCheck
......................... domainname passed test FsmoCheck



-------------

Can anyone assist??
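
The netdiag and dcdiag output posted above marks several tests as passed while still printing Error or [WARNING] lines under them (frssysvol, the LDAP test, the DNS test). The following is an added example, not part of the original thread: a small Python parser that lists only the tests carrying such lines. The sample text is constructed from lines in the output above, and the function and pattern names are hypothetical.

```python
import re

# Constructed sample: lines copied from the dcdiag and netdiag output in this thread.
SAMPLE = """\
Starting test: ObjectsReplicated
......................... PDC passed test ObjectsReplicated
Starting test: frssysvol
Error: No record of File Replication System, SYSVOL started.
The Active Directory may be prevented from starting.
......................... PDC passed test frssysvol
Starting test: kccevent
......................... PDC passed test kccevent
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'DC2.domainname.com'.
[WARNING] Failed to query SPN registration on DC 'DC1.domainname.com'.
Bindings test. . . . . . . . . . . : Passed
"""

DCDIAG_START = re.compile(r"^Starting test: (\S+)")
DCDIAG_END = re.compile(r"^\.+ \S+ (passed|failed) test (\S+)", re.I)
NETDIAG = re.compile(r"^(.+? test)[ .]*: (Passed|Failed|Skipped)\s*$")
ALERT = re.compile(r"^(Error\b|\[WARNING\]|\[FATAL\])", re.I)


def flagged_tests(text):
    """Return {test name: (verdict, [alert lines])} for tests that carry alerts."""
    results = {}
    name = None  # test whose detail lines are currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if m := DCDIAG_START.match(line):      # dcdiag: details follow, verdict last
            name = m.group(1)
            results[name] = ["unknown", []]
        elif m := DCDIAG_END.match(line):
            results.setdefault(m.group(2), ["unknown", []])[0] = m.group(1).lower()
            name = None
        elif m := NETDIAG.match(line):         # netdiag: verdict first, details follow
            name = m.group(1)
            results[name] = [m.group(2).lower(), []]
        elif name and ALERT.match(line):
            results[name][1].append(line)
    return {k: (v[0], v[1]) for k, v in results.items() if v[1]}


if __name__ == "__main__":
    for test, (verdict, alerts) in flagged_tests(SAMPLE).items():
        print(f"{test} [{verdict}]: " + " | ".join(alerts))
```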
 
Results of dcdiag /test:dns:

--------

DC Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial non skippeable tests

Testing server: domainname\DC1
Starting test: Connectivity
......................... DC1 passed test Connectivity

Doing primary tests

Testing server: domainname\DC1

Running enterprise tests on : FQDN.co
 
Thanks, I tried that already - I can physically browse to all policies in Windows Explorer and no policies have a 'Notepad' icon when I open ADSIEdit.msc

Any other ideas??

 
Very odd, I opened mine from the Admin tools in the Start menu and it worked fine. I then ran dcpol.msc and got the same error you were getting.

Then I tried this %windir%\system32\dompol.msc /gpobject:"LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=DomainName,DC=co,DC=za" from this article and it worked.

I take it that my servers were upgraded from 2000 to 2003, that's why I have this issue.

Anyway hope it helps.

MCITP:EA/SA, MCSE, MCSA, MCDBA, MCTS, MCP+I, MCP
 