Sign in with
Sign up | Sign in
Your question

Admin acct not able to access GP settings

Last response: in Windows 2000/NT
Share
Anonymous
March 10, 2005 3:35:04 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi guys here's the sitrep on what I did. If anyone has any ideas pls let me
know.

A few days ago I installed Terminal Services on my Windows Server 2000. I
then went into group policy permissions to restrict what people could see
and do. So I made a few changes and went to test them. They all worked great
except for a couple of things so I went to log back on as the admin and
found that the restrictions also affected the admin account. Not good at
all, I talked to a couple of support guys here in town and the only thing we
could come up with to fix it was to restore the system settings from the
pervious days backup. Now this appeared to work but I now get an error when
trying to access the Domain Controller Security Policy settings and the
Domain Security Policy settings, The following is the error I get; "Failed
to open the Group Policy Object. you may not have appropriate rights." and
just below that its says "The network path was not found." I also get this
error message when I try to open the Group Policy Object; "The domain
controller for Group Policy operations is not available. You may cancel this
operation for this session or retry using one of the following domain
controller choices: The one with the Operations Master token for the PDC
emulator - The one used by the Active Directory Snap-ins - Use any available
domain controller"

Here is a list of the things I've found so far to try and fix the issue,
http://support.microsoft.com/default.aspx?scid=kb;it;263166
http://support.microsoft.com/?kbid=257435#kb3
http://support.microsoft.com/?id=294257

For the last link, when I went in to look at the policies there were a lot
of them that had notebook icon next the them, but when I looked at the
properties of a dozen or so I couldn't see anywhere that the admin account
or any other account had been denied.

Also I was running MMC trying to get to the group policy and when I get to
where I can select the group policy snap-in and select it. It shows "Local
Computer" as the Group Policy Object. Is this normal? When I click browse I
get this error message; "The domain controller for Group Policy operations
is not available. You may cancel this operation for this session or retry
using one of the following domain controller choices." I then have 3
choices; "The one with the Operations Master token for the PDC emulator. -
The one used by the Active Directory Snap-ins.(this one is grayed out) - Use
any available domain controller." When I select either option I get this
error; "Failed to find a domain controller. There may be a policy that
prevents you from selecting another domain controller." and the details so
this, "The network path was not found." I can click close and I then come to
a window that says Browse for a Group Policy Object and the only choice I
have are "This computer" or "Another computer" If I select yes and browse I
can choice my 2000 server computer by name and it then shows that I've
connected to a remote server. Is that what it should do?

Thanks in advance
Mel
Anonymous
March 11, 2005 12:47:31 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have some ideas but ned a little more info first:
1. Do you have more than 1 DC, and if so did you do the authorative
restore procedure when you restored from backup so that the other DC
does not overwrite your changes?
2. What exactly were the settings that you implemented on your network
in the first place that started this?
Anonymous
March 11, 2005 2:15:15 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I only have one DC on this domain. There is a NT4.0 box on another domain on
the same network, but I was not having any problems before I made the
changes.

I pretty much took away all the right to do anything except start one progam
that the remote user's will be using. I took away access to the control
panel, system drives, network connections, shutdown, admin tools, run comman
line, search ablilities and anything else I found that would limit what they
could do.

Something else I found when looking in the SYSVOL folders was a bunch of
folders and files that were changed around the time I made the GP changes.
But only a couple for the time when I did the system state restore from the
backup. I was thinking of moving these files else where and trying the
system state restore again?

Mel

> I have some ideas but ned a little more info first:
> 1. Do you have more than 1 DC, and if so did you do the authorative
> restore procedure when you restored from backup so that the other DC
> does not overwrite your changes?
> 2. What exactly were the settings that you implemented on your network
> in the first place that started this?
>
Related resources
Anonymous
March 11, 2005 2:25:30 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Some more information that may help. I downloaded the GPOTOOL.exe file and
when I run it, I get a message that says
Validating DCs....
Error: DC list is empty

When I run with the verbose switch I get the following
Domain: admin.ak
Validating DCs...
DELL.admin.ak: down (sysvol only)
Error: DC list is empty

Mel
Anonymous
March 11, 2005 10:30:37 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

How did you restore system settings?? An authoritative restore of Active
Directory by booting into Directory Services Restore Mode would be the way
to do it, but keep in mind that will not change most settings in Local
Security Policy. I would run the support tools netdiag and dcdiag on the
domain controller to see what they report and look for pertinent errors in
Event Viewer. Verify that the domain controller is pointing to only itself
[or another AD domain controller] as it's preferred dns server and verify
that you can access the sysvol share but entering \\dcname\sysvol in the run
box and you should find at least two policies in the \domain\policies
folder. --- Steve


"KPU News Groups" <sunwolf_ac@yahoo.com> wrote in message
news:u46dnX3DZI64IK3fRVn-1w@scnresearch.com...
> Hi guys here's the sitrep on what I did. If anyone has any ideas pls let
> me
> know.
>
> A few days ago I installed Terminal Services on my Windows Server 2000. I
> then went into group policy permissions to restrict what people could see
> and do. So I made a few changes and went to test them. They all worked
> great
> except for a couple of things so I went to log back on as the admin and
> found that the restrictions also affected the admin account. Not good at
> all, I talked to a couple of support guys here in town and the only thing
> we
> could come up with to fix it was to restore the system settings from the
> pervious days backup. Now this appeared to work but I now get an error
> when
> trying to access the Domain Controller Security Policy settings and the
> Domain Security Policy settings, The following is the error I get; "Failed
> to open the Group Policy Object. you may not have appropriate rights." and
> just below that its says "The network path was not found." I also get this
> error message when I try to open the Group Policy Object; "The domain
> controller for Group Policy operations is not available. You may cancel
> this
> operation for this session or retry using one of the following domain
> controller choices: The one with the Operations Master token for the PDC
> emulator - The one used by the Active Directory Snap-ins - Use any
> available
> domain controller"
>
> Here is a list of the things I've found so far to try and fix the issue,
> http://support.microsoft.com/default.aspx?scid=kb;it;263166
> http://support.microsoft.com/?kbid=257435#kb3
> http://support.microsoft.com/?id=294257
>
> For the last link, when I went in to look at the policies there were a lot
> of them that had notebook icon next the them, but when I looked at the
> properties of a dozen or so I couldn't see anywhere that the admin account
> or any other account had been denied.
>
> Also I was running MMC trying to get to the group policy and when I get to
> where I can select the group policy snap-in and select it. It shows "Local
> Computer" as the Group Policy Object. Is this normal? When I click browse
> I
> get this error message; "The domain controller for Group Policy operations
> is not available. You may cancel this operation for this session or retry
> using one of the following domain controller choices." I then have 3
> choices; "The one with the Operations Master token for the PDC emulator. -
> The one used by the Active Directory Snap-ins.(this one is grayed out) -
> Use
> any available domain controller." When I select either option I get this
> error; "Failed to find a domain controller. There may be a policy that
> prevents you from selecting another domain controller." and the details so
> this, "The network path was not found." I can click close and I then come
> to
> a window that says Browse for a Group Policy Object and the only choice I
> have are "This computer" or "Another computer" If I select yes and browse
> I
> can choice my 2000 server computer by name and it then shows that I've
> connected to a remote server. Is that what it should do?
>
> Thanks in advance
> Mel
>
>
Anonymous
March 14, 2005 11:01:25 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Yes that is how I restored the system settings. I will run those tools and
let you know what happens. Thanks for your suggestions.

Mel


> How did you restore system settings?? An authoritative restore of Active
> Directory by booting into Directory Services Restore Mode would be the way
> to do it, but keep in mind that will not change most settings in Local
> Security Policy. I would run the support tools netdiag and dcdiag on the
> domain controller to see what they report and look for pertinent errors in
> Event Viewer. Verify that the domain controller is pointing to only itself
> [or another AD domain controller] as it's preferred dns server and verify
> that you can access the sysvol share but entering \\dcname\sysvol in the
run
> box and you should find at least two policies in the \domain\policies
> folder. --- Steve
>
>
> "KPU News Groups" <sunwolf_ac@yahoo.com> wrote in message
> news:u46dnX3DZI64IK3fRVn-1w@scnresearch.com...
> > Hi guys here's the sitrep on what I did. If anyone has any ideas pls let
> > me
> > know.
> >
> > A few days ago I installed Terminal Services on my Windows Server 2000.
I
> > then went into group policy permissions to restrict what people could
see
> > and do. So I made a few changes and went to test them. They all worked
> > great
> > except for a couple of things so I went to log back on as the admin and
> > found that the restrictions also affected the admin account. Not good at
> > all, I talked to a couple of support guys here in town and the only
thing
> > we
> > could come up with to fix it was to restore the system settings from the
> > pervious days backup. Now this appeared to work but I now get an error
> > when
> > trying to access the Domain Controller Security Policy settings and the
> > Domain Security Policy settings, The following is the error I get;
"Failed
> > to open the Group Policy Object. you may not have appropriate rights."
and
> > just below that its says "The network path was not found." I also get
this
> > error message when I try to open the Group Policy Object; "The domain
> > controller for Group Policy operations is not available. You may cancel
> > this
> > operation for this session or retry using one of the following domain
> > controller choices: The one with the Operations Master token for the PDC
> > emulator - The one used by the Active Directory Snap-ins - Use any
> > available
> > domain controller"
> >
> > Here is a list of the things I've found so far to try and fix the issue,
> > http://support.microsoft.com/default.aspx?scid=kb;it;263166
> > http://support.microsoft.com/?kbid=257435#kb3
> > http://support.microsoft.com/?id=294257
> >
> > For the last link, when I went in to look at the policies there were a
lot
> > of them that had notebook icon next the them, but when I looked at the
> > properties of a dozen or so I couldn't see anywhere that the admin
account
> > or any other account had been denied.
> >
> > Also I was running MMC trying to get to the group policy and when I get
to
> > where I can select the group policy snap-in and select it. It shows
"Local
> > Computer" as the Group Policy Object. Is this normal? When I click
browse
> > I
> > get this error message; "The domain controller for Group Policy
operations
> > is not available. You may cancel this operation for this session or
retry
> > using one of the following domain controller choices." I then have 3
> > choices; "The one with the Operations Master token for the PDC
emulator. -
> > The one used by the Active Directory Snap-ins.(this one is grayed out) -
> > Use
> > any available domain controller." When I select either option I get this
> > error; "Failed to find a domain controller. There may be a policy that
> > prevents you from selecting another domain controller." and the details
so
> > this, "The network path was not found." I can click close and I then
come
> > to
> > a window that says Browse for a Group Policy Object and the only choice
I
> > have are "This computer" or "Another computer" If I select yes and
browse
> > I
> > can choice my 2000 server computer by name and it then shows that I've
> > connected to a remote server. Is that what it should do?
> >
> > Thanks in advance
> > Mel
> >
> >
>
>
Anonymous
March 14, 2005 12:48:18 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Steve,

Here are the results of the diags:
dcdiag
C:\Program Files\Support Tools>dcdiag

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DELLSERVER
Starting test: Connectivity
c0b4daa2-6320-469a-aee5-cc4fb5a1f921._msdcs.admin.ak's server GUID
DNS
name could not be resolved to an
IP address. Check the DNS server, DHCP, server name, etc
Although the Guid DNS name
(c0b4daa2-6320-469a-aee5-cc4fb5a1f921._msdcs.admin.ktn) couldn't be
resolved, the server name (DELLSERVER.admin.ak) resolved to the IP
address (192.254.183.50) and was pingable. Check that the IP
address
is registered correctly with the DNS server.
......................... DELLSERVER failed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DELLSERVER
Skipping all tests, because server DELLSERVER is
not responding to directory service requests

Running enterprise tests on : admin.ak
Starting test: Intersite
......................... admin.ak passed test Intersite
Starting test: FsmoCheck
......................... admin.ak passed test FsmoCheck

C:\Program Files\Support Tools>

netdiag
C:\Program Files\Support Tools>netdiag

......................................

Computer Name: DELLSERVER
DNS Host Name: DELLSERVER.admin.ak
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
List of installed hotfixes :
KB329115
KB820888
KB822831
KB823182
KB823559
KB824105
KB824146
KB825119
KB826232
KB828035
KB828741
KB828749
KB835732
KB837001
KB839643
KB839645
KB840315
KB840987
KB841356
KB841533
KB841872
KB841873
KB842526
KB867282-IE6SP1-20050127.163319
KB871250
KB873333
KB873339
KB885250
KB885834
KB885835
KB885836
KB887797-OE6SP1-20041112.131144
KB888113
KB890047
KB890175
KB891711
KB891781
Q147222
Q828026


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Admin

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : DELLSERVER
IP Address . . . . . . . . : 192.254.183.50
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.254.183.1
Dns Servers. . . . . . . . : 192.254.183.50


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03>
'Messenge
r Service', <20> 'WINS' names is missing.
No remote names have been found.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.

Ipx configration
Network Number . . . . : 00000010
Node . . . . . . . . . : 00c09f2ce209
Frame type . . . . . . : 802.2



Adapter : IPX Internal Interface

Netcard queries test . . . : Passed

Ipx configration
Network Number . . . . : f0e1e2fe
Node . . . . . . . . . : 000000000001
Frame type . . . . . . : Ethernet II



Adapter : IpxLoopbackAdapter

Netcard queries test . . . : Passed

Ipx configration
Network Number . . . . : f0e1e2fe
Node . . . . . . . . . : 000000000002
Frame type . . . . . . : 802.2



Adapter : NDISWANIPX

Netcard queries test . . . : Passed

Ipx configration
Network Number . . . . : 00000000
Node . . . . . . . . . : 089720524153
Frame type . . . . . . : Ethernet II




Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation
Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Failed
[WARNING] The DNS entries for this DC are not registered correctly on
DNS se
rver '192.254.183.50'. Please wait for 30 minutes for DNS server
replication.
[FATAL] No DNS servers have the DNS records for this DC registered.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed


Netware configuration
You are not logged in to your preferred server .
Netware User Name. . . . . . . :
Netware Server Name. . . . . . :
Netware Tree Name. . . . . . . :
Netware Workstation Context. . :

IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.


The command completed successfully

C:\Program Files\Support Tools>

When I did the run \\dellserver.admin.ak\sysvol or as \\admin.ak\sysvol
(wasn't sure which was correct) I got the following error message
"The network name cannot be found"

Thanks again for your help
Mel



> How did you restore system settings?? An authoritative restore of Active
> Directory by booting into Directory Services Restore Mode would be the way
> to do it, but keep in mind that will not change most settings in Local
> Security Policy. I would run the support tools netdiag and dcdiag on the
> domain controller to see what they report and look for pertinent errors in
> Event Viewer. Verify that the domain controller is pointing to only itself
> [or another AD domain controller] as it's preferred dns server and verify
> that you can access the sysvol share but entering \\dcname\sysvol in the
run
> box and you should find at least two policies in the \domain\policies
> folder. --- Steve
>
>
> "KPU News Groups" <sunwolf_ac@yahoo.com> wrote in message
> news:u46dnX3DZI64IK3fRVn-1w@scnresearch.com...
> > Hi guys here's the sitrep on what I did. If anyone has any ideas pls let
> > me
> > know.
> >
> > A few days ago I installed Terminal Services on my Windows Server 2000.
I
> > then went into group policy permissions to restrict what people could
see
> > and do. So I made a few changes and went to test them. They all worked
> > great
> > except for a couple of things so I went to log back on as the admin and
> > found that the restrictions also affected the admin account. Not good at
> > all, I talked to a couple of support guys here in town and the only
thing
> > we
> > could come up with to fix it was to restore the system settings from the
> > pervious days backup. Now this appeared to work but I now get an error
> > when
> > trying to access the Domain Controller Security Policy settings and the
> > Domain Security Policy settings, The following is the error I get;
"Failed
> > to open the Group Policy Object. you may not have appropriate rights."
and
> > just below that its says "The network path was not found." I also get
this
> > error message when I try to open the Group Policy Object; "The domain
> > controller for Group Policy operations is not available. You may cancel
> > this
> > operation for this session or retry using one of the following domain
> > controller choices: The one with the Operations Master token for the PDC
> > emulator - The one used by the Active Directory Snap-ins - Use any
> > available
> > domain controller"
> >
> > Here is a list of the things I've found so far to try and fix the issue,
> > http://support.microsoft.com/default.aspx?scid=kb;it;263166
> > http://support.microsoft.com/?kbid=257435#kb3
> > http://support.microsoft.com/?id=294257
> >
> > For the last link, when I went in to look at the policies there were a
lot
> > of them that had notebook icon next the them, but when I looked at the
> > properties of a dozen or so I couldn't see anywhere that the admin
account
> > or any other account had been denied.
> >
> > Also I was running MMC trying to get to the group policy and when I get
to
> > where I can select the group policy snap-in and select it. It shows
"Local
> > Computer" as the Group Policy Object. Is this normal? When I click
browse
> > I
> > get this error message; "The domain controller for Group Policy
operations
> > is not available. You may cancel this operation for this session or
retry
> > using one of the following domain controller choices." I then have 3
> > choices; "The one with the Operations Master token for the PDC
emulator. -
> > The one used by the Active Directory Snap-ins.(this one is grayed out) -
> > Use
> > any available domain controller." When I select either option I get this
> > error; "Failed to find a domain controller. There may be a policy that
> > prevents you from selecting another domain controller." and the details
so
> > this, "The network path was not found." I can click close and I then
come
> > to
> > a window that says Browse for a Group Policy Object and the only choice
I
> > have are "This computer" or "Another computer" If I select yes and
browse
> > I
> > can choice my 2000 server computer by name and it then shows that I've
> > connected to a remote server. Is that what it should do?
> >
> > Thanks in advance
> > Mel
> >
> >
>
>
Anonymous
March 16, 2005 12:58:16 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Notice that netdiag reported a problem with dns though netdiag shows you
have the domain controller pointing to itself as it's preferred dns server.
Try using the command " netdiag /fix" and then restarting the netlogon
service to see if it makes that error go away. Open the dns Management
Console and verify that your dns domain exists, that the _srv records are
present, and that the domain controllers IP address is shown in A and other
records for the zone. As far as sysvol, try to access it again after the dns
problems are resolved and/or use the IP address of the server instead of the
name to see if you can access it. The command "net share" should also show
that the sysvol share exists. --- Steve


"KPU News Groups" <sunwolf_ac@yahoo.com> wrote in message
news:gZ-dnRPH4NSQQajfRVn-gw@scnresearch.com...
> Steve,
>
> Here are the results of the diags:
> dcdiag
> C:\Program Files\Support Tools>dcdiag
>
> Domain Controller Diagnosis
>
> Performing initial setup:
> Done gathering initial info.
>
> Doing initial required tests
>
> Testing server: Default-First-Site-Name\DELLSERVER
> Starting test: Connectivity
> c0b4daa2-6320-469a-aee5-cc4fb5a1f921._msdcs.admin.ak's server GUID
> DNS
> name could not be resolved to an
> IP address. Check the DNS server, DHCP, server name, etc
> Although the Guid DNS name
> (c0b4daa2-6320-469a-aee5-cc4fb5a1f921._msdcs.admin.ktn) couldn't
> be
> resolved, the server name (DELLSERVER.admin.ak) resolved to the IP
> address (192.254.183.50) and was pingable. Check that the IP
> address
> is registered correctly with the DNS server.
> ......................... DELLSERVER failed test Connectivity
>
> Doing primary tests
>
> Testing server: Default-First-Site-Name\DELLSERVER
> Skipping all tests, because server DELLSERVER is
> not responding to directory service requests
>
> Running enterprise tests on : admin.ak
> Starting test: Intersite
> ......................... admin.ak passed test Intersite
> Starting test: FsmoCheck
> ......................... admin.ak passed test FsmoCheck
>
> C:\Program Files\Support Tools>
>
> netdiag
> C:\Program Files\Support Tools>netdiag
>
> .....................................
>
> Computer Name: DELLSERVER
> DNS Host Name: DELLSERVER.admin.ak
> System info : Windows 2000 Server (Build 2195)
> Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
> List of installed hotfixes :
> KB329115
> KB820888
> KB822831
> KB823182
> KB823559
> KB824105
> KB824146
> KB825119
> KB826232
> KB828035
> KB828741
> KB828749
> KB835732
> KB837001
> KB839643
> KB839645
> KB840315
> KB840987
> KB841356
> KB841533
> KB841872
> KB841873
> KB842526
> KB867282-IE6SP1-20050127.163319
> KB871250
> KB873333
> KB873339
> KB885250
> KB885834
> KB885835
> KB885836
> KB887797-OE6SP1-20041112.131144
> KB888113
> KB890047
> KB890175
> KB891711
> KB891781
> Q147222
> Q828026
>
>
> Netcard queries test . . . . . . . : Passed
>
>
>
> Per interface results:
>
> Adapter : Admin
>
> Netcard queries test . . . : Passed
>
> Host Name. . . . . . . . . : DELLSERVER
> IP Address . . . . . . . . : 192.254.183.50
> Subnet Mask. . . . . . . . : 255.255.255.0
> Default Gateway. . . . . . : 192.254.183.1
> Dns Servers. . . . . . . . : 192.254.183.50
>
>
> AutoConfiguration results. . . . . . : Passed
>
> Default gateway test . . . : Passed
>
> NetBT name test. . . . . . : Passed
> [WARNING] At least one of the <00> 'WorkStation Service', <03>
> 'Messenge
> r Service', <20> 'WINS' names is missing.
> No remote names have been found.
>
> WINS service test. . . . . : Skipped
> There are no WINS servers configured for this interface.
>
> Ipx configration
> Network Number . . . . : 00000010
> Node . . . . . . . . . : 00c09f2ce209
> Frame type . . . . . . : 802.2
>
>
>
> Adapter : IPX Internal Interface
>
> Netcard queries test . . . : Passed
>
> Ipx configration
> Network Number . . . . : f0e1e2fe
> Node . . . . . . . . . : 000000000001
> Frame type . . . . . . : Ethernet II
>
>
>
> Adapter : IpxLoopbackAdapter
>
> Netcard queries test . . . : Passed
>
> Ipx configration
> Network Number . . . . : f0e1e2fe
> Node . . . . . . . . . : 000000000002
> Frame type . . . . . . : 802.2
>
>
>
> Adapter : NDISWANIPX
>
> Netcard queries test . . . : Passed
>
> Ipx configration
> Network Number . . . . : 00000000
> Node . . . . . . . . . : 089720524153
> Frame type . . . . . . : Ethernet II
>
>
>
>
> Global results:
>
>
> Domain membership test . . . . . . : Passed
>
>
> NetBT transports test. . . . . . . : Passed
> List of NetBt transports currently configured:
> NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
> 1 NetBt transport currently configured.
>
>
> Autonet address test . . . . . . . : Passed
>
>
> IP loopback ping test. . . . . . . : Passed
>
>
> Default gateway test . . . . . . . : Passed
>
>
> NetBT name test. . . . . . . . . . : Passed
> [WARNING] You don't have a single interface with the <00> 'WorkStation
> Servi
> ce', <03> 'Messenger Service', <20> 'WINS' names defined.
>
>
> Winsock test . . . . . . . . . . . : Passed
>
>
> DNS test . . . . . . . . . . . . . : Failed
> [WARNING] The DNS entries for this DC are not registered correctly on
> DNS se
> rver '192.254.183.50'. Please wait for 30 minutes for DNS server
> replication.
> [FATAL] No DNS servers have the DNS records for this DC registered.
>
>
> Redir and Browser test . . . . . . : Passed
> List of NetBt transports currently bound to the Redir
> NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
> The redir is bound to 1 NetBt transport.
>
> List of NetBt transports currently bound to the browser
> NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
> The browser is bound to 1 NetBt transport.
>
>
> DC discovery test. . . . . . . . . : Passed
>
>
> DC list test . . . . . . . . . . . : Passed
>
>
> Trust relationship test. . . . . . : Skipped
>
>
> Kerberos test. . . . . . . . . . . : Passed
>
>
> LDAP test. . . . . . . . . . . . . : Passed
>
>
> Bindings test. . . . . . . . . . . : Passed
>
>
> WAN configuration test . . . . . . : Skipped
> No active remote access connections.
>
>
> Modem diagnostics test . . . . . . : Passed
>
>
> Netware configuration
> You are not logged in to your preferred server .
> Netware User Name. . . . . . . :
> Netware Server Name. . . . . . :
> Netware Tree Name. . . . . . . :
> Netware Workstation Context. . :
>
> IP Security test . . . . . . . . . : Passed
> IPSec policy service is active, but no policy is assigned.
>
>
> The command completed successfully
>
> C:\Program Files\Support Tools>
>
> When I did the run \\dellserver.admin.ak\sysvol or as \\admin.ak\sysvol
> (wasn't sure which was correct) I got the following error message
> "The network name cannot be found"
>
> Thanks again for your help
> Mel
>
>
>
>> How did you restore system settings?? An authoritative restore of Active
>> Directory by booting into Directory Services Restore Mode would be the
>> way
>> to do it, but keep in mind that will not change most settings in Local
>> Security Policy. I would run the support tools netdiag and dcdiag on the
>> domain controller to see what they report and look for pertinent errors
>> in
>> Event Viewer. Verify that the domain controller is pointing to only
>> itself
>> [or another AD domain controller] as it's preferred dns server and verify
>> that you can access the sysvol share but entering \\dcname\sysvol in the
> run
>> box and you should find at least two policies in the \domain\policies
>> folder. --- Steve
>>
>>
>> "KPU News Groups" <sunwolf_ac@yahoo.com> wrote in message
>> news:u46dnX3DZI64IK3fRVn-1w@scnresearch.com...
>> > Hi guys here's the sitrep on what I did. If anyone has any ideas pls
>> > let
>> > me
>> > know.
>> >
>> > A few days ago I installed Terminal Services on my Windows Server 2000.
> I
>> > then went into group policy permissions to restrict what people could
> see
>> > and do. So I made a few changes and went to test them. They all worked
>> > great
>> > except for a couple of things so I went to log back on as the admin and
>> > found that the restrictions also affected the admin account. Not good
>> > at
>> > all, I talked to a couple of support guys here in town and the only
> thing
>> > we
>> > could come up with to fix it was to restore the system settings from
>> > the
>> > pervious days backup. Now this appeared to work but I now get an error
>> > when
>> > trying to access the Domain Controller Security Policy settings and the
>> > Domain Security Policy settings, The following is the error I get;
> "Failed
>> > to open the Group Policy Object. you may not have appropriate rights."
> and
>> > just below that its says "The network path was not found." I also get
> this
>> > error message when I try to open the Group Policy Object; "The domain
>> > controller for Group Policy operations is not available. You may cancel
>> > this
>> > operation for this session or retry using one of the following domain
>> > controller choices: The one with the Operations Master token for the
>> > PDC
>> > emulator - The one used by the Active Directory Snap-ins - Use any
>> > available
>> > domain controller"
>> >
>> > Here is a list of the things I've found so far to try and fix the
>> > issue,
>> > http://support.microsoft.com/default.aspx?scid=kb;it;263166
>> > http://support.microsoft.com/?kbid=257435#kb3
>> > http://support.microsoft.com/?id=294257
>> >
>> > For the last link, when I went in to look at the policies there were a
> lot
>> > of them that had notebook icon next the them, but when I looked at the
>> > properties of a dozen or so I couldn't see anywhere that the admin
> account
>> > or any other account had been denied.
>> >
>> > Also I was running MMC trying to get to the group policy and when I get
> to
>> > where I can select the group policy snap-in and select it. It shows
> "Local
>> > Computer" as the Group Policy Object. Is this normal? When I click
> browse
>> > I
>> > get this error message; "The domain controller for Group Policy
> operations
>> > is not available. You may cancel this operation for this session or
> retry
>> > using one of the following domain controller choices." I then have 3
>> > choices; "The one with the Operations Master token for the PDC
> emulator. -
>> > The one used by the Active Directory Snap-ins.(this one is grayed
>> > out) -
>> > Use
>> > any available domain controller." When I select either option I get
>> > this
>> > error; "Failed to find a domain controller. There may be a policy that
>> > prevents you from selecting another domain controller." and the details
> so
>> > this, "The network path was not found." I can click close and I then
> come
>> > to
>> > a window that says Browse for a Group Policy Object and the only choice
> I
>> > have are "This computer" or "Another computer" If I select yes and
> browse
>> > I
>> > can choice my 2000 server computer by name and it then shows that I've
>> > connected to a remote server. Is that what it should do?
>> >
>> > Thanks in advance
>> > Mel
>> >
>> >
>>
>>
>
>
Anonymous
March 16, 2005 7:42:52 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Well I tried the netdiag /fix with no luck the results posted below. I've
also posted results from nslookup and ipconfig /all and the net share list.
The sysvol does not show in the list. When I tried to access the sysvol with
IP I got the same network path not found error. Also as far as I can
determine the DNS info show the correct info. But I also wouldn't know if it
wasn't. Under DNS tree it shows DELLSERVER under that it has a forward zone
and a reverse zone. Under forward it show admin.ak and under that I see 3
entries.
Name - (same as parent folder); Type - Name Server; Data -
dellserver.admin.ak
Name - (same as parent folder); Type - Start of Authorirty; Data - [4],
dellseerver.admin.ak., admin.admin.ak.
Name - dellserver; Type - Host; Data - 192.254.183.50

The reverse zone has under it 192.254.183.x Subnet. In that folder are 2
entries the same as the first 2 from the forward folder.

When I check properties on these items under the NAme Servers tab it shows
dellserver.admin.ak [192.254.183.50]

Thanks once again for your help. Below are the results of the diags

Mel

nslookup
C:\Program Files\Support Tools>nslookup
*** Can't find server name for address 192.254.183.50: Non-existent domain
*** Default servers are not available
Default Server: UnKnown
Address: 192.254.183.50

>

ipconfig /all
C:\Program Files\Support Tools>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : DELLSERVER
Primary DNS Suffix . . . . . . . : admin.ak
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : admin.ak

Ethernet adapter Admin:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network
Connect
ion
Physical Address. . . . . . . . . : 00-C0-9F-2C-E2-09
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.254.183.50
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.254.183.1
DNS Servers . . . . . . . . . . . : 192.254.183.50

C:\Program Files\Support Tools>

net share
C:\Program Files\Support Tools>net share

Share name Resource Remark

----------------------------------------------------------------------------
---
G$ G:\ Default share
C$ C:\ Default share
IPC$ Remote IPC
D$ D:\ Default share
I$ I:\ Default share
ADMIN$ C:\WINNT Remote Admin
E$ E:\ Default share
H$ H:\ Default share
Accounting E:\
DataFolders H:\
Lotus123 I:\
Payroll G:\
VPHOME C:\Program Files\Symantec AntiVirus
Symantec AntiVirus
VPLOGON C:\Program Files\Symantec AntiVirus\logon
Symantec AntiVirus
The command completed successfully.


C:\Program Files\Support Tools>

netdiag /fix
C:\Program Files\Support Tools>netdiag /fix

......................................

Computer Name: DELLSERVER
DNS Host Name: DELLSERVER.admin.ak
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
List of installed hotfixes :
KB329115
KB820888
KB822831
KB823182
KB823559
KB824105
KB824146
KB825119
KB826232
KB828035
KB828741
KB828749
KB835732
KB837001
KB839643
KB839645
KB840315
KB840987
KB841356
KB841533
KB841872
KB841873
KB842526
KB867282-IE6SP1-20050127.163319
KB871250
KB873333
KB873339
KB885250
KB885834
KB885835
KB885836
KB887797-OE6SP1-20041112.131144
KB888113
KB890047
KB890175
KB891711
KB891781
Q147222
Q828026


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Admin

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : DELLSERVER
IP Address . . . . . . . . : 192.254.183.50
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.254.183.1
Dns Servers. . . . . . . . : 192.254.183.50


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03>
'Messenge
r Service', <20> 'WINS' names is missing.
No remote names have been found.

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.

Ipx configration
Network Number . . . . : 00000010
Node . . . . . . . . . : 00c09f2ce209
Frame type . . . . . . : 802.2



Adapter : IPX Internal Interface

Netcard queries test . . . : Passed

Ipx configration
Network Number . . . . : f0e1e2fe
Node . . . . . . . . . : 000000000001
Frame type . . . . . . : Ethernet II



Adapter : IpxLoopbackAdapter

Netcard queries test . . . : Passed

Ipx configration
Network Number . . . . : f0e1e2fe
Node . . . . . . . . . : 000000000002
Frame type . . . . . . : 802.2



Adapter : NDISWANIPX

Netcard queries test . . . : Passed

Ipx configration
Network Number . . . . : 00000000
Node . . . . . . . . . : 089720524153
Frame type . . . . . . : Ethernet II




Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation
Servi
ce', <03> 'Messenger Service', <20> 'WINS' names defined.


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Failed
[WARNING] Cannot find a primary authoritative DNS server for the
name
'DELLSERVER.admin.ak.'. [RCODE_SERVER_FAILURE]
The name 'DELLSERVER.admin.ak.' may not be registered in DNS.
[FATAL] Failed to fix: DC DNS entry admin.ak. re-registeration on DNS
serve
r '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.admin.ak.
re-registeration o
n DNS server '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._site
s.admin.ak. re-registeration on DNS server '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.admin.ak.
re-regi
steration on DNS server '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.admin.ak.
re-regis
teration on DNS server '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._site
s.gc._msdcs.admin.ak. re-registeration on DNS server '192.254.183.50'
failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.cc9cf395-5261-4837-81af-b3f4d
a938d0f.domains._msdcs.admin.ak. re-registeration on DNS server
'192.254.183.50
' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry gc._msdcs.admin.ak. re-registeration
on
DNS server '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
c0b4daa2-6320-469a-aee5-cc4fb5a1f921._ms
dcs.admin.ak. re-registeration on DNS server '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.admin.ak.
re-r
egisteration on DNS server '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.Default-First-Site-Name._
sites.dc._msdcs.admin.ak. re-registeration on DNS server '192.254.183.50'
faile
d.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.admin.ak.
re-regis
teration on DNS server '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
_ldap._tcp.Default-First-Site-Name._site
s.dc._msdcs.admin.ak. re-registeration on DNS server '192.254.183.50'
failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kerberos._tcp.admin.ak.
re-registerati
on on DNS server '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
_kerberos._tcp.Default-First-Site-Name._
sites.admin.ak. re-registeration on DNS server '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _gc._tcp.admin.ak. re-registeration
on
DNS server '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry
_gc._tcp.Default-First-Site-Name._sites.
admin.ak. re-registeration on DNS server '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kerberos._udp.admin.ak.
re-registerati
on on DNS server '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.admin.ak.
re-registeratio
n on DNS server '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Failed to fix: DC DNS entry _kpasswd._udp.admin.ak.
re-registeratio
n on DNS server '192.254.183.50' failed.
DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
[FATAL] Fix Failed: netdiag failed to re-register missing DNS entries
for th
is DC on DNS server '192.254.183.50'.
[FATAL] No DNS servers have the DNS records for this DC registered.


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Skipped


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed


Netware configuration
You are not logged in to your preferred server .
Netware User Name. . . . . . . :
Netware Server Name. . . . . . :
Netware Tree Name. . . . . . . :
Netware Workstation Context. . :

IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.


The command completed successfully

C:\Program Files\Support Tools>

> Notice that netdiag reported a problem with dns though netdiag shows you
> have the domain controller pointing to itself as it's preferred dns
server.
> Try using the command " netdiag /fix" and then restarting the netlogon
> service to see if it makes that error go away. Open the dns Management
> Console and verify that your dns domain exists, that the _srv records are
> present, and that the domain controllers IP address is shown in A and
other
> records for the zone. As far as sysvol, try to access it again after the
dns
> problems are resolved and/or use the IP address of the server instead of
the
> name to see if you can access it. The command "net share" should also show
> that the sysvol share exists. --- Steve
!