Admin acct not able to access GP settings

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi guys here's the sitrep on what I did. If anyone has any ideas pls let me
know.

A few days ago I installed Terminal Services on my Windows Server 2000. I
then went into group policy permissions to restrict what people could see
and do. So I made a few changes and went to test them. They all worked great
except for a couple of things so I went to log back on as the admin and
found that the restrictions also affected the admin account. Not good at
all, I talked to a couple of support guys here in town and the only thing we
could come up with to fix it was to restore the system settings from the
pervious days backup. Now this appeared to work but I now get an error when
trying to access the Domain Controller Security Policy settings and the
Domain Security Policy settings, The following is the error I get; "Failed
to open the Group Policy Object. you may not have appropriate rights." and
just below that its says "The network path was not found." I also get this
error message when I try to open the Group Policy Object; "The domain
controller for Group Policy operations is not available. You may cancel this
operation for this session or retry using one of the following domain
controller choices: The one with the Operations Master token for the PDC
emulator - The one used by the Active Directory Snap-ins - Use any available
domain controller"

Here is a list of the things I've found so far to try and fix the issue,
http://support.microsoft.com/default.aspx?scid=kb;it;263166
http://support.microsoft.com/?kbid=257435#kb3
http://support.microsoft.com/?id=294257

For the last link, when I went in to look at the policies there were a lot
of them that had notebook icon next the them, but when I looked at the
properties of a dozen or so I couldn't see anywhere that the admin account
or any other account had been denied.

Also I was running MMC trying to get to the group policy and when I get to
where I can select the group policy snap-in and select it. It shows "Local
Computer" as the Group Policy Object. Is this normal? When I click browse I
get this error message; "The domain controller for Group Policy operations
is not available. You may cancel this operation for this session or retry
using one of the following domain controller choices." I then have 3
choices; "The one with the Operations Master token for the PDC emulator. -
The one used by the Active Directory Snap-ins.(this one is grayed out) - Use
any available domain controller." When I select either option I get this
error; "Failed to find a domain controller. There may be a policy that
prevents you from selecting another domain controller." and the details so
this, "The network path was not found." I can click close and I then come to
a window that says Browse for a Group Policy Object and the only choice I
have are "This computer" or "Another computer" If I select yes and browse I
can choice my 2000 server computer by name and it then shows that I've
connected to a remote server. Is that what it should do?

Thanks in advance
Mel
8 answers Last reply
More about admin acct access settings
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    I have some ideas but ned a little more info first:
    1. Do you have more than 1 DC, and if so did you do the authorative
    restore procedure when you restored from backup so that the other DC
    does not overwrite your changes?
    2. What exactly were the settings that you implemented on your network
    in the first place that started this?
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    I only have one DC on this domain. There is a NT4.0 box on another domain on
    the same network, but I was not having any problems before I made the
    changes.

    I pretty much took away all the right to do anything except start one progam
    that the remote user's will be using. I took away access to the control
    panel, system drives, network connections, shutdown, admin tools, run comman
    line, search ablilities and anything else I found that would limit what they
    could do.

    Something else I found when looking in the SYSVOL folders was a bunch of
    folders and files that were changed around the time I made the GP changes.
    But only a couple for the time when I did the system state restore from the
    backup. I was thinking of moving these files else where and trying the
    system state restore again?

    Mel

    > I have some ideas but ned a little more info first:
    > 1. Do you have more than 1 DC, and if so did you do the authorative
    > restore procedure when you restored from backup so that the other DC
    > does not overwrite your changes?
    > 2. What exactly were the settings that you implemented on your network
    > in the first place that started this?
    >
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Some more information that may help. I downloaded the GPOTOOL.exe file and
    when I run it, I get a message that says
    Validating DCs....
    Error: DC list is empty

    When I run with the verbose switch I get the following
    Domain: admin.ak
    Validating DCs...
    DELL.admin.ak: down (sysvol only)
    Error: DC list is empty

    Mel
  4. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    How did you restore system settings?? An authoritative restore of Active
    Directory by booting into Directory Services Restore Mode would be the way
    to do it, but keep in mind that will not change most settings in Local
    Security Policy. I would run the support tools netdiag and dcdiag on the
    domain controller to see what they report and look for pertinent errors in
    Event Viewer. Verify that the domain controller is pointing to only itself
    [or another AD domain controller] as it's preferred dns server and verify
    that you can access the sysvol share but entering \\dcname\sysvol in the run
    box and you should find at least two policies in the \domain\policies
    folder. --- Steve


    "KPU News Groups" <sunwolf_ac@yahoo.com> wrote in message
    news:u46dnX3DZI64IK3fRVn-1w@scnresearch.com...
    > Hi guys here's the sitrep on what I did. If anyone has any ideas pls let
    > me
    > know.
    >
    > A few days ago I installed Terminal Services on my Windows Server 2000. I
    > then went into group policy permissions to restrict what people could see
    > and do. So I made a few changes and went to test them. They all worked
    > great
    > except for a couple of things so I went to log back on as the admin and
    > found that the restrictions also affected the admin account. Not good at
    > all, I talked to a couple of support guys here in town and the only thing
    > we
    > could come up with to fix it was to restore the system settings from the
    > pervious days backup. Now this appeared to work but I now get an error
    > when
    > trying to access the Domain Controller Security Policy settings and the
    > Domain Security Policy settings, The following is the error I get; "Failed
    > to open the Group Policy Object. you may not have appropriate rights." and
    > just below that its says "The network path was not found." I also get this
    > error message when I try to open the Group Policy Object; "The domain
    > controller for Group Policy operations is not available. You may cancel
    > this
    > operation for this session or retry using one of the following domain
    > controller choices: The one with the Operations Master token for the PDC
    > emulator - The one used by the Active Directory Snap-ins - Use any
    > available
    > domain controller"
    >
    > Here is a list of the things I've found so far to try and fix the issue,
    > http://support.microsoft.com/default.aspx?scid=kb;it;263166
    > http://support.microsoft.com/?kbid=257435#kb3
    > http://support.microsoft.com/?id=294257
    >
    > For the last link, when I went in to look at the policies there were a lot
    > of them that had notebook icon next the them, but when I looked at the
    > properties of a dozen or so I couldn't see anywhere that the admin account
    > or any other account had been denied.
    >
    > Also I was running MMC trying to get to the group policy and when I get to
    > where I can select the group policy snap-in and select it. It shows "Local
    > Computer" as the Group Policy Object. Is this normal? When I click browse
    > I
    > get this error message; "The domain controller for Group Policy operations
    > is not available. You may cancel this operation for this session or retry
    > using one of the following domain controller choices." I then have 3
    > choices; "The one with the Operations Master token for the PDC emulator. -
    > The one used by the Active Directory Snap-ins.(this one is grayed out) -
    > Use
    > any available domain controller." When I select either option I get this
    > error; "Failed to find a domain controller. There may be a policy that
    > prevents you from selecting another domain controller." and the details so
    > this, "The network path was not found." I can click close and I then come
    > to
    > a window that says Browse for a Group Policy Object and the only choice I
    > have are "This computer" or "Another computer" If I select yes and browse
    > I
    > can choice my 2000 server computer by name and it then shows that I've
    > connected to a remote server. Is that what it should do?
    >
    > Thanks in advance
    > Mel
    >
    >
  5. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Yes that is how I restored the system settings. I will run those tools and
    let you know what happens. Thanks for your suggestions.

    Mel


    > How did you restore system settings?? An authoritative restore of Active
    > Directory by booting into Directory Services Restore Mode would be the way
    > to do it, but keep in mind that will not change most settings in Local
    > Security Policy. I would run the support tools netdiag and dcdiag on the
    > domain controller to see what they report and look for pertinent errors in
    > Event Viewer. Verify that the domain controller is pointing to only itself
    > [or another AD domain controller] as it's preferred dns server and verify
    > that you can access the sysvol share but entering \\dcname\sysvol in the
    run
    > box and you should find at least two policies in the \domain\policies
    > folder. --- Steve
    >
    >
    > "KPU News Groups" <sunwolf_ac@yahoo.com> wrote in message
    > news:u46dnX3DZI64IK3fRVn-1w@scnresearch.com...
    > > Hi guys here's the sitrep on what I did. If anyone has any ideas pls let
    > > me
    > > know.
    > >
    > > A few days ago I installed Terminal Services on my Windows Server 2000.
    I
    > > then went into group policy permissions to restrict what people could
    see
    > > and do. So I made a few changes and went to test them. They all worked
    > > great
    > > except for a couple of things so I went to log back on as the admin and
    > > found that the restrictions also affected the admin account. Not good at
    > > all, I talked to a couple of support guys here in town and the only
    thing
    > > we
    > > could come up with to fix it was to restore the system settings from the
    > > pervious days backup. Now this appeared to work but I now get an error
    > > when
    > > trying to access the Domain Controller Security Policy settings and the
    > > Domain Security Policy settings, The following is the error I get;
    "Failed
    > > to open the Group Policy Object. you may not have appropriate rights."
    and
    > > just below that its says "The network path was not found." I also get
    this
    > > error message when I try to open the Group Policy Object; "The domain
    > > controller for Group Policy operations is not available. You may cancel
    > > this
    > > operation for this session or retry using one of the following domain
    > > controller choices: The one with the Operations Master token for the PDC
    > > emulator - The one used by the Active Directory Snap-ins - Use any
    > > available
    > > domain controller"
    > >
    > > Here is a list of the things I've found so far to try and fix the issue,
    > > http://support.microsoft.com/default.aspx?scid=kb;it;263166
    > > http://support.microsoft.com/?kbid=257435#kb3
    > > http://support.microsoft.com/?id=294257
    > >
    > > For the last link, when I went in to look at the policies there were a
    lot
    > > of them that had notebook icon next the them, but when I looked at the
    > > properties of a dozen or so I couldn't see anywhere that the admin
    account
    > > or any other account had been denied.
    > >
    > > Also I was running MMC trying to get to the group policy and when I get
    to
    > > where I can select the group policy snap-in and select it. It shows
    "Local
    > > Computer" as the Group Policy Object. Is this normal? When I click
    browse
    > > I
    > > get this error message; "The domain controller for Group Policy
    operations
    > > is not available. You may cancel this operation for this session or
    retry
    > > using one of the following domain controller choices." I then have 3
    > > choices; "The one with the Operations Master token for the PDC
    emulator. -
    > > The one used by the Active Directory Snap-ins.(this one is grayed out) -
    > > Use
    > > any available domain controller." When I select either option I get this
    > > error; "Failed to find a domain controller. There may be a policy that
    > > prevents you from selecting another domain controller." and the details
    so
    > > this, "The network path was not found." I can click close and I then
    come
    > > to
    > > a window that says Browse for a Group Policy Object and the only choice
    I
    > > have are "This computer" or "Another computer" If I select yes and
    browse
    > > I
    > > can choice my 2000 server computer by name and it then shows that I've
    > > connected to a remote server. Is that what it should do?
    > >
    > > Thanks in advance
    > > Mel
    > >
    > >
    >
    >
  6. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Steve,

    Here are the results of the diags:
    dcdiag
    C:\Program Files\Support Tools>dcdiag

    Domain Controller Diagnosis

    Performing initial setup:
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site-Name\DELLSERVER
    Starting test: Connectivity
    c0b4daa2-6320-469a-aee5-cc4fb5a1f921._msdcs.admin.ak's server GUID
    DNS
    name could not be resolved to an
    IP address. Check the DNS server, DHCP, server name, etc
    Although the Guid DNS name
    (c0b4daa2-6320-469a-aee5-cc4fb5a1f921._msdcs.admin.ktn) couldn't be
    resolved, the server name (DELLSERVER.admin.ak) resolved to the IP
    address (192.254.183.50) and was pingable. Check that the IP
    address
    is registered correctly with the DNS server.
    ......................... DELLSERVER failed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site-Name\DELLSERVER
    Skipping all tests, because server DELLSERVER is
    not responding to directory service requests

    Running enterprise tests on : admin.ak
    Starting test: Intersite
    ......................... admin.ak passed test Intersite
    Starting test: FsmoCheck
    ......................... admin.ak passed test FsmoCheck

    C:\Program Files\Support Tools>

    netdiag
    C:\Program Files\Support Tools>netdiag

    ......................................

    Computer Name: DELLSERVER
    DNS Host Name: DELLSERVER.admin.ak
    System info : Windows 2000 Server (Build 2195)
    Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
    List of installed hotfixes :
    KB329115
    KB820888
    KB822831
    KB823182
    KB823559
    KB824105
    KB824146
    KB825119
    KB826232
    KB828035
    KB828741
    KB828749
    KB835732
    KB837001
    KB839643
    KB839645
    KB840315
    KB840987
    KB841356
    KB841533
    KB841872
    KB841873
    KB842526
    KB867282-IE6SP1-20050127.163319
    KB871250
    KB873333
    KB873339
    KB885250
    KB885834
    KB885835
    KB885836
    KB887797-OE6SP1-20041112.131144
    KB888113
    KB890047
    KB890175
    KB891711
    KB891781
    Q147222
    Q828026


    Netcard queries test . . . . . . . : Passed


    Per interface results:

    Adapter : Admin

    Netcard queries test . . . : Passed

    Host Name. . . . . . . . . : DELLSERVER
    IP Address . . . . . . . . : 192.254.183.50
    Subnet Mask. . . . . . . . : 255.255.255.0
    Default Gateway. . . . . . : 192.254.183.1
    Dns Servers. . . . . . . . : 192.254.183.50


    AutoConfiguration results. . . . . . : Passed

    Default gateway test . . . : Passed

    NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03>
    'Messenge
    r Service', <20> 'WINS' names is missing.
    No remote names have been found.

    WINS service test. . . . . : Skipped
    There are no WINS servers configured for this interface.

    Ipx configration
    Network Number . . . . : 00000010
    Node . . . . . . . . . : 00c09f2ce209
    Frame type . . . . . . : 802.2


    Adapter : IPX Internal Interface

    Netcard queries test . . . : Passed

    Ipx configration
    Network Number . . . . : f0e1e2fe
    Node . . . . . . . . . : 000000000001
    Frame type . . . . . . : Ethernet II


    Adapter : IpxLoopbackAdapter

    Netcard queries test . . . : Passed

    Ipx configration
    Network Number . . . . : f0e1e2fe
    Node . . . . . . . . . : 000000000002
    Frame type . . . . . . : 802.2


    Adapter : NDISWANIPX

    Netcard queries test . . . : Passed

    Ipx configration
    Network Number . . . . : 00000000
    Node . . . . . . . . . : 089720524153
    Frame type . . . . . . : Ethernet II


    Global results:


    Domain membership test . . . . . . : Passed


    NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
    1 NetBt transport currently configured.


    Autonet address test . . . . . . . : Passed


    IP loopback ping test. . . . . . . : Passed


    Default gateway test . . . . . . . : Passed


    NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation
    Servi
    ce', <03> 'Messenger Service', <20> 'WINS' names defined.


    Winsock test . . . . . . . . . . . : Passed


    DNS test . . . . . . . . . . . . . : Failed
    [WARNING] The DNS entries for this DC are not registered correctly on
    DNS se
    rver '192.254.183.50'. Please wait for 30 minutes for DNS server
    replication.
    [FATAL] No DNS servers have the DNS records for this DC registered.


    Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
    NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
    NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
    The browser is bound to 1 NetBt transport.


    DC discovery test. . . . . . . . . : Passed


    DC list test . . . . . . . . . . . : Passed


    Trust relationship test. . . . . . : Skipped


    Kerberos test. . . . . . . . . . . : Passed


    LDAP test. . . . . . . . . . . . . : Passed


    Bindings test. . . . . . . . . . . : Passed


    WAN configuration test . . . . . . : Skipped
    No active remote access connections.


    Modem diagnostics test . . . . . . : Passed


    Netware configuration
    You are not logged in to your preferred server .
    Netware User Name. . . . . . . :
    Netware Server Name. . . . . . :
    Netware Tree Name. . . . . . . :
    Netware Workstation Context. . :

    IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.


    The command completed successfully

    C:\Program Files\Support Tools>

    When I did the run \\dellserver.admin.ak\sysvol or as \\admin.ak\sysvol
    (wasn't sure which was correct) I got the following error message
    "The network name cannot be found"

    Thanks again for your help
    Mel


    > How did you restore system settings?? An authoritative restore of Active
    > Directory by booting into Directory Services Restore Mode would be the way
    > to do it, but keep in mind that will not change most settings in Local
    > Security Policy. I would run the support tools netdiag and dcdiag on the
    > domain controller to see what they report and look for pertinent errors in
    > Event Viewer. Verify that the domain controller is pointing to only itself
    > [or another AD domain controller] as it's preferred dns server and verify
    > that you can access the sysvol share but entering \\dcname\sysvol in the
    run
    > box and you should find at least two policies in the \domain\policies
    > folder. --- Steve
    >
    >
    > "KPU News Groups" <sunwolf_ac@yahoo.com> wrote in message
    > news:u46dnX3DZI64IK3fRVn-1w@scnresearch.com...
    > > Hi guys here's the sitrep on what I did. If anyone has any ideas pls let
    > > me
    > > know.
    > >
    > > A few days ago I installed Terminal Services on my Windows Server 2000.
    I
    > > then went into group policy permissions to restrict what people could
    see
    > > and do. So I made a few changes and went to test them. They all worked
    > > great
    > > except for a couple of things so I went to log back on as the admin and
    > > found that the restrictions also affected the admin account. Not good at
    > > all, I talked to a couple of support guys here in town and the only
    thing
    > > we
    > > could come up with to fix it was to restore the system settings from the
    > > pervious days backup. Now this appeared to work but I now get an error
    > > when
    > > trying to access the Domain Controller Security Policy settings and the
    > > Domain Security Policy settings, The following is the error I get;
    "Failed
    > > to open the Group Policy Object. you may not have appropriate rights."
    and
    > > just below that its says "The network path was not found." I also get
    this
    > > error message when I try to open the Group Policy Object; "The domain
    > > controller for Group Policy operations is not available. You may cancel
    > > this
    > > operation for this session or retry using one of the following domain
    > > controller choices: The one with the Operations Master token for the PDC
    > > emulator - The one used by the Active Directory Snap-ins - Use any
    > > available
    > > domain controller"
    > >
    > > Here is a list of the things I've found so far to try and fix the issue,
    > > http://support.microsoft.com/default.aspx?scid=kb;it;263166
    > > http://support.microsoft.com/?kbid=257435#kb3
    > > http://support.microsoft.com/?id=294257
    > >
    > > For the last link, when I went in to look at the policies there were a
    lot
    > > of them that had notebook icon next the them, but when I looked at the
    > > properties of a dozen or so I couldn't see anywhere that the admin
    account
    > > or any other account had been denied.
    > >
    > > Also I was running MMC trying to get to the group policy and when I get
    to
    > > where I can select the group policy snap-in and select it. It shows
    "Local
    > > Computer" as the Group Policy Object. Is this normal? When I click
    browse
    > > I
    > > get this error message; "The domain controller for Group Policy
    operations
    > > is not available. You may cancel this operation for this session or
    retry
    > > using one of the following domain controller choices." I then have 3
    > > choices; "The one with the Operations Master token for the PDC
    emulator. -
    > > The one used by the Active Directory Snap-ins.(this one is grayed out) -
    > > Use
    > > any available domain controller." When I select either option I get this
    > > error; "Failed to find a domain controller. There may be a policy that
    > > prevents you from selecting another domain controller." and the details
    so
    > > this, "The network path was not found." I can click close and I then
    come
    > > to
    > > a window that says Browse for a Group Policy Object and the only choice
    I
    > > have are "This computer" or "Another computer" If I select yes and
    browse
    > > I
    > > can choice my 2000 server computer by name and it then shows that I've
    > > connected to a remote server. Is that what it should do?
    > >
    > > Thanks in advance
    > > Mel
    > >
    > >
    >
    >
  7. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Notice that netdiag reported a problem with dns though netdiag shows you
    have the domain controller pointing to itself as it's preferred dns server.
    Try using the command " netdiag /fix" and then restarting the netlogon
    service to see if it makes that error go away. Open the dns Management
    Console and verify that your dns domain exists, that the _srv records are
    present, and that the domain controllers IP address is shown in A and other
    records for the zone. As far as sysvol, try to access it again after the dns
    problems are resolved and/or use the IP address of the server instead of the
    name to see if you can access it. The command "net share" should also show
    that the sysvol share exists. --- Steve


    "KPU News Groups" <sunwolf_ac@yahoo.com> wrote in message
    news:gZ-dnRPH4NSQQajfRVn-gw@scnresearch.com...
    > Steve,
    >
    > Here are the results of the diags:
    > dcdiag
    > C:\Program Files\Support Tools>dcdiag
    >
    > Domain Controller Diagnosis
    >
    > Performing initial setup:
    > Done gathering initial info.
    >
    > Doing initial required tests
    >
    > Testing server: Default-First-Site-Name\DELLSERVER
    > Starting test: Connectivity
    > c0b4daa2-6320-469a-aee5-cc4fb5a1f921._msdcs.admin.ak's server GUID
    > DNS
    > name could not be resolved to an
    > IP address. Check the DNS server, DHCP, server name, etc
    > Although the Guid DNS name
    > (c0b4daa2-6320-469a-aee5-cc4fb5a1f921._msdcs.admin.ktn) couldn't
    > be
    > resolved, the server name (DELLSERVER.admin.ak) resolved to the IP
    > address (192.254.183.50) and was pingable. Check that the IP
    > address
    > is registered correctly with the DNS server.
    > ......................... DELLSERVER failed test Connectivity
    >
    > Doing primary tests
    >
    > Testing server: Default-First-Site-Name\DELLSERVER
    > Skipping all tests, because server DELLSERVER is
    > not responding to directory service requests
    >
    > Running enterprise tests on : admin.ak
    > Starting test: Intersite
    > ......................... admin.ak passed test Intersite
    > Starting test: FsmoCheck
    > ......................... admin.ak passed test FsmoCheck
    >
    > C:\Program Files\Support Tools>
    >
    > netdiag
    > C:\Program Files\Support Tools>netdiag
    >
    > .....................................
    >
    > Computer Name: DELLSERVER
    > DNS Host Name: DELLSERVER.admin.ak
    > System info : Windows 2000 Server (Build 2195)
    > Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
    > List of installed hotfixes :
    > KB329115
    > KB820888
    > KB822831
    > KB823182
    > KB823559
    > KB824105
    > KB824146
    > KB825119
    > KB826232
    > KB828035
    > KB828741
    > KB828749
    > KB835732
    > KB837001
    > KB839643
    > KB839645
    > KB840315
    > KB840987
    > KB841356
    > KB841533
    > KB841872
    > KB841873
    > KB842526
    > KB867282-IE6SP1-20050127.163319
    > KB871250
    > KB873333
    > KB873339
    > KB885250
    > KB885834
    > KB885835
    > KB885836
    > KB887797-OE6SP1-20041112.131144
    > KB888113
    > KB890047
    > KB890175
    > KB891711
    > KB891781
    > Q147222
    > Q828026
    >
    >
    > Netcard queries test . . . . . . . : Passed
    >
    >
    >
    > Per interface results:
    >
    > Adapter : Admin
    >
    > Netcard queries test . . . : Passed
    >
    > Host Name. . . . . . . . . : DELLSERVER
    > IP Address . . . . . . . . : 192.254.183.50
    > Subnet Mask. . . . . . . . : 255.255.255.0
    > Default Gateway. . . . . . : 192.254.183.1
    > Dns Servers. . . . . . . . : 192.254.183.50
    >
    >
    > AutoConfiguration results. . . . . . : Passed
    >
    > Default gateway test . . . : Passed
    >
    > NetBT name test. . . . . . : Passed
    > [WARNING] At least one of the <00> 'WorkStation Service', <03>
    > 'Messenge
    > r Service', <20> 'WINS' names is missing.
    > No remote names have been found.
    >
    > WINS service test. . . . . : Skipped
    > There are no WINS servers configured for this interface.
    >
    > Ipx configration
    > Network Number . . . . : 00000010
    > Node . . . . . . . . . : 00c09f2ce209
    > Frame type . . . . . . : 802.2
    >
    >
    >
    > Adapter : IPX Internal Interface
    >
    > Netcard queries test . . . : Passed
    >
    > Ipx configration
    > Network Number . . . . : f0e1e2fe
    > Node . . . . . . . . . : 000000000001
    > Frame type . . . . . . : Ethernet II
    >
    >
    >
    > Adapter : IpxLoopbackAdapter
    >
    > Netcard queries test . . . : Passed
    >
    > Ipx configration
    > Network Number . . . . : f0e1e2fe
    > Node . . . . . . . . . : 000000000002
    > Frame type . . . . . . : 802.2
    >
    >
    >
    > Adapter : NDISWANIPX
    >
    > Netcard queries test . . . : Passed
    >
    > Ipx configration
    > Network Number . . . . : 00000000
    > Node . . . . . . . . . : 089720524153
    > Frame type . . . . . . : Ethernet II
    >
    >
    >
    >
    > Global results:
    >
    >
    > Domain membership test . . . . . . : Passed
    >
    >
    > NetBT transports test. . . . . . . : Passed
    > List of NetBt transports currently configured:
    > NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
    > 1 NetBt transport currently configured.
    >
    >
    > Autonet address test . . . . . . . : Passed
    >
    >
    > IP loopback ping test. . . . . . . : Passed
    >
    >
    > Default gateway test . . . . . . . : Passed
    >
    >
    > NetBT name test. . . . . . . . . . : Passed
    > [WARNING] You don't have a single interface with the <00> 'WorkStation
    > Servi
    > ce', <03> 'Messenger Service', <20> 'WINS' names defined.
    >
    >
    > Winsock test . . . . . . . . . . . : Passed
    >
    >
    > DNS test . . . . . . . . . . . . . : Failed
    > [WARNING] The DNS entries for this DC are not registered correctly on
    > DNS se
    > rver '192.254.183.50'. Please wait for 30 minutes for DNS server
    > replication.
    > [FATAL] No DNS servers have the DNS records for this DC registered.
    >
    >
    > Redir and Browser test . . . . . . : Passed
    > List of NetBt transports currently bound to the Redir
    > NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
    > The redir is bound to 1 NetBt transport.
    >
    > List of NetBt transports currently bound to the browser
    > NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
    > The browser is bound to 1 NetBt transport.
    >
    >
    > DC discovery test. . . . . . . . . : Passed
    >
    >
    > DC list test . . . . . . . . . . . : Passed
    >
    >
    > Trust relationship test. . . . . . : Skipped
    >
    >
    > Kerberos test. . . . . . . . . . . : Passed
    >
    >
    > LDAP test. . . . . . . . . . . . . : Passed
    >
    >
    > Bindings test. . . . . . . . . . . : Passed
    >
    >
    > WAN configuration test . . . . . . : Skipped
    > No active remote access connections.
    >
    >
    > Modem diagnostics test . . . . . . : Passed
    >
    >
    > Netware configuration
    > You are not logged in to your preferred server .
    > Netware User Name. . . . . . . :
    > Netware Server Name. . . . . . :
    > Netware Tree Name. . . . . . . :
    > Netware Workstation Context. . :
    >
    > IP Security test . . . . . . . . . : Passed
    > IPSec policy service is active, but no policy is assigned.
    >
    >
    > The command completed successfully
    >
    > C:\Program Files\Support Tools>
    >
    > When I did the run \\dellserver.admin.ak\sysvol or as \\admin.ak\sysvol
    > (wasn't sure which was correct) I got the following error message
    > "The network name cannot be found"
    >
    > Thanks again for your help
    > Mel
    >
    >
    >
    >> How did you restore system settings?? An authoritative restore of Active
    >> Directory by booting into Directory Services Restore Mode would be the
    >> way
    >> to do it, but keep in mind that will not change most settings in Local
    >> Security Policy. I would run the support tools netdiag and dcdiag on the
    >> domain controller to see what they report and look for pertinent errors
    >> in
    >> Event Viewer. Verify that the domain controller is pointing to only
    >> itself
    >> [or another AD domain controller] as it's preferred dns server and verify
    >> that you can access the sysvol share but entering \\dcname\sysvol in the
    > run
    >> box and you should find at least two policies in the \domain\policies
    >> folder. --- Steve
    >>
    >>
    >> "KPU News Groups" <sunwolf_ac@yahoo.com> wrote in message
    >> news:u46dnX3DZI64IK3fRVn-1w@scnresearch.com...
    >> > Hi guys here's the sitrep on what I did. If anyone has any ideas pls
    >> > let
    >> > me
    >> > know.
    >> >
    >> > A few days ago I installed Terminal Services on my Windows Server 2000.
    > I
    >> > then went into group policy permissions to restrict what people could
    > see
    >> > and do. So I made a few changes and went to test them. They all worked
    >> > great
    >> > except for a couple of things so I went to log back on as the admin and
    >> > found that the restrictions also affected the admin account. Not good
    >> > at
    >> > all, I talked to a couple of support guys here in town and the only
    > thing
    >> > we
    >> > could come up with to fix it was to restore the system settings from
    >> > the
    >> > pervious days backup. Now this appeared to work but I now get an error
    >> > when
    >> > trying to access the Domain Controller Security Policy settings and the
    >> > Domain Security Policy settings, The following is the error I get;
    > "Failed
    >> > to open the Group Policy Object. you may not have appropriate rights."
    > and
    >> > just below that its says "The network path was not found." I also get
    > this
    >> > error message when I try to open the Group Policy Object; "The domain
    >> > controller for Group Policy operations is not available. You may cancel
    >> > this
    >> > operation for this session or retry using one of the following domain
    >> > controller choices: The one with the Operations Master token for the
    >> > PDC
    >> > emulator - The one used by the Active Directory Snap-ins - Use any
    >> > available
    >> > domain controller"
    >> >
    >> > Here is a list of the things I've found so far to try and fix the
    >> > issue,
    >> > http://support.microsoft.com/default.aspx?scid=kb;it;263166
    >> > http://support.microsoft.com/?kbid=257435#kb3
    >> > http://support.microsoft.com/?id=294257
    >> >
    >> > For the last link, when I went in to look at the policies there were a
    > lot
    >> > of them that had notebook icon next the them, but when I looked at the
    >> > properties of a dozen or so I couldn't see anywhere that the admin
    > account
    >> > or any other account had been denied.
    >> >
    >> > Also I was running MMC trying to get to the group policy and when I get
    > to
    >> > where I can select the group policy snap-in and select it. It shows
    > "Local
    >> > Computer" as the Group Policy Object. Is this normal? When I click
    > browse
    >> > I
    >> > get this error message; "The domain controller for Group Policy
    > operations
    >> > is not available. You may cancel this operation for this session or
    > retry
    >> > using one of the following domain controller choices." I then have 3
    >> > choices; "The one with the Operations Master token for the PDC
    > emulator. -
    >> > The one used by the Active Directory Snap-ins.(this one is grayed
    >> > out) -
    >> > Use
    >> > any available domain controller." When I select either option I get
    >> > this
    >> > error; "Failed to find a domain controller. There may be a policy that
    >> > prevents you from selecting another domain controller." and the details
    > so
    >> > this, "The network path was not found." I can click close and I then
    > come
    >> > to
    >> > a window that says Browse for a Group Policy Object and the only choice
    > I
    >> > have are "This computer" or "Another computer" If I select yes and
    > browse
    >> > I
    >> > can choice my 2000 server computer by name and it then shows that I've
    >> > connected to a remote server. Is that what it should do?
    >> >
    >> > Thanks in advance
    >> > Mel
    >> >
    >> >
    >>
    >>
    >
    >
  8. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Well I tried the netdiag /fix with no luck the results posted below. I've
    also posted results from nslookup and ipconfig /all and the net share list.
    The sysvol does not show in the list. When I tried to access the sysvol with
    IP I got the same network path not found error. Also as far as I can
    determine the DNS info show the correct info. But I also wouldn't know if it
    wasn't. Under DNS tree it shows DELLSERVER under that it has a forward zone
    and a reverse zone. Under forward it show admin.ak and under that I see 3
    entries.
    Name - (same as parent folder); Type - Name Server; Data -
    dellserver.admin.ak
    Name - (same as parent folder); Type - Start of Authorirty; Data - [4],
    dellseerver.admin.ak., admin.admin.ak.
    Name - dellserver; Type - Host; Data - 192.254.183.50

    The reverse zone has under it 192.254.183.x Subnet. In that folder are 2
    entries the same as the first 2 from the forward folder.

    When I check properties on these items under the NAme Servers tab it shows
    dellserver.admin.ak [192.254.183.50]

    Thanks once again for your help. Below are the results of the diags

    Mel

    nslookup
    C:\Program Files\Support Tools>nslookup
    *** Can't find server name for address 192.254.183.50: Non-existent domain
    *** Default servers are not available
    Default Server: UnKnown
    Address: 192.254.183.50

    >

    ipconfig /all
    C:\Program Files\Support Tools>ipconfig /all

    Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : DELLSERVER
    Primary DNS Suffix . . . . . . . : admin.ak
    Node Type . . . . . . . . . . . . : Mixed
    IP Routing Enabled. . . . . . . . : Yes
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : admin.ak

    Ethernet adapter Admin:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network
    Connect
    ion
    Physical Address. . . . . . . . . : 00-C0-9F-2C-E2-09
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.254.183.50
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.254.183.1
    DNS Servers . . . . . . . . . . . : 192.254.183.50

    C:\Program Files\Support Tools>

    net share
    C:\Program Files\Support Tools>net share

    Share name Resource Remark

    ----------------------------------------------------------------------------
    ---
    G$ G:\ Default share
    C$ C:\ Default share
    IPC$ Remote IPC
    D$ D:\ Default share
    I$ I:\ Default share
    ADMIN$ C:\WINNT Remote Admin
    E$ E:\ Default share
    H$ H:\ Default share
    Accounting E:\
    DataFolders H:\
    Lotus123 I:\
    Payroll G:\
    VPHOME C:\Program Files\Symantec AntiVirus
    Symantec AntiVirus
    VPLOGON C:\Program Files\Symantec AntiVirus\logon
    Symantec AntiVirus
    The command completed successfully.


    C:\Program Files\Support Tools>

    netdiag /fix
    C:\Program Files\Support Tools>netdiag /fix

    ......................................

    Computer Name: DELLSERVER
    DNS Host Name: DELLSERVER.admin.ak
    System info : Windows 2000 Server (Build 2195)
    Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
    List of installed hotfixes :
    KB329115
    KB820888
    KB822831
    KB823182
    KB823559
    KB824105
    KB824146
    KB825119
    KB826232
    KB828035
    KB828741
    KB828749
    KB835732
    KB837001
    KB839643
    KB839645
    KB840315
    KB840987
    KB841356
    KB841533
    KB841872
    KB841873
    KB842526
    KB867282-IE6SP1-20050127.163319
    KB871250
    KB873333
    KB873339
    KB885250
    KB885834
    KB885835
    KB885836
    KB887797-OE6SP1-20041112.131144
    KB888113
    KB890047
    KB890175
    KB891711
    KB891781
    Q147222
    Q828026


    Netcard queries test . . . . . . . : Passed


    Per interface results:

    Adapter : Admin

    Netcard queries test . . . : Passed

    Host Name. . . . . . . . . : DELLSERVER
    IP Address . . . . . . . . : 192.254.183.50
    Subnet Mask. . . . . . . . : 255.255.255.0
    Default Gateway. . . . . . : 192.254.183.1
    Dns Servers. . . . . . . . : 192.254.183.50


    AutoConfiguration results. . . . . . : Passed

    Default gateway test . . . : Passed

    NetBT name test. . . . . . : Passed
    [WARNING] At least one of the <00> 'WorkStation Service', <03>
    'Messenge
    r Service', <20> 'WINS' names is missing.
    No remote names have been found.

    WINS service test. . . . . : Skipped
    There are no WINS servers configured for this interface.

    Ipx configration
    Network Number . . . . : 00000010
    Node . . . . . . . . . : 00c09f2ce209
    Frame type . . . . . . : 802.2


    Adapter : IPX Internal Interface

    Netcard queries test . . . : Passed

    Ipx configration
    Network Number . . . . : f0e1e2fe
    Node . . . . . . . . . : 000000000001
    Frame type . . . . . . : Ethernet II


    Adapter : IpxLoopbackAdapter

    Netcard queries test . . . : Passed

    Ipx configration
    Network Number . . . . : f0e1e2fe
    Node . . . . . . . . . : 000000000002
    Frame type . . . . . . : 802.2


    Adapter : NDISWANIPX

    Netcard queries test . . . : Passed

    Ipx configration
    Network Number . . . . : 00000000
    Node . . . . . . . . . : 089720524153
    Frame type . . . . . . : Ethernet II


    Global results:


    Domain membership test . . . . . . : Passed


    NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
    NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
    1 NetBt transport currently configured.


    Autonet address test . . . . . . . : Passed


    IP loopback ping test. . . . . . . : Passed


    Default gateway test . . . . . . . : Passed


    NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation
    Servi
    ce', <03> 'Messenger Service', <20> 'WINS' names defined.


    Winsock test . . . . . . . . . . . : Passed


    DNS test . . . . . . . . . . . . . : Failed
    [WARNING] Cannot find a primary authoritative DNS server for the
    name
    'DELLSERVER.admin.ak.'. [RCODE_SERVER_FAILURE]
    The name 'DELLSERVER.admin.ak.' may not be registered in DNS.
    [FATAL] Failed to fix: DC DNS entry admin.ak. re-registeration on DNS
    serve
    r '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.admin.ak.
    re-registeration o
    n DNS server '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry
    _ldap._tcp.Default-First-Site-Name._site
    s.admin.ak. re-registeration on DNS server '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.pdc._msdcs.admin.ak.
    re-regi
    steration on DNS server '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.gc._msdcs.admin.ak.
    re-regis
    teration on DNS server '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry
    _ldap._tcp.Default-First-Site-Name._site
    s.gc._msdcs.admin.ak. re-registeration on DNS server '192.254.183.50'
    failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry
    _ldap._tcp.cc9cf395-5261-4837-81af-b3f4d
    a938d0f.domains._msdcs.admin.ak. re-registeration on DNS server
    '192.254.183.50
    ' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry gc._msdcs.admin.ak. re-registeration
    on
    DNS server '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry
    c0b4daa2-6320-469a-aee5-cc4fb5a1f921._ms
    dcs.admin.ak. re-registeration on DNS server '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.dc._msdcs.admin.ak.
    re-r
    egisteration on DNS server '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry
    _kerberos._tcp.Default-First-Site-Name._
    sites.dc._msdcs.admin.ak. re-registeration on DNS server '192.254.183.50'
    faile
    d.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _ldap._tcp.dc._msdcs.admin.ak.
    re-regis
    teration on DNS server '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry
    _ldap._tcp.Default-First-Site-Name._site
    s.dc._msdcs.admin.ak. re-registeration on DNS server '192.254.183.50'
    failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._tcp.admin.ak.
    re-registerati
    on on DNS server '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry
    _kerberos._tcp.Default-First-Site-Name._
    sites.admin.ak. re-registeration on DNS server '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _gc._tcp.admin.ak. re-registeration
    on
    DNS server '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry
    _gc._tcp.Default-First-Site-Name._sites.
    admin.ak. re-registeration on DNS server '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kerberos._udp.admin.ak.
    re-registerati
    on on DNS server '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kpasswd._tcp.admin.ak.
    re-registeratio
    n on DNS server '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Failed to fix: DC DNS entry _kpasswd._udp.admin.ak.
    re-registeratio
    n on DNS server '192.254.183.50' failed.
    DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE
    [FATAL] Fix Failed: netdiag failed to re-register missing DNS entries
    for th
    is DC on DNS server '192.254.183.50'.
    [FATAL] No DNS servers have the DNS records for this DC registered.


    Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
    NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
    The redir is bound to 1 NetBt transport.

    List of NetBt transports currently bound to the browser
    NetBT_Tcpip_{24F42736-5981-4E7A-8FEE-80B7DB9CF7BF}
    The browser is bound to 1 NetBt transport.


    DC discovery test. . . . . . . . . : Passed


    DC list test . . . . . . . . . . . : Passed


    Trust relationship test. . . . . . : Skipped


    Kerberos test. . . . . . . . . . . : Passed


    LDAP test. . . . . . . . . . . . . : Passed


    Bindings test. . . . . . . . . . . : Passed


    WAN configuration test . . . . . . : Skipped
    No active remote access connections.


    Modem diagnostics test . . . . . . : Passed


    Netware configuration
    You are not logged in to your preferred server .
    Netware User Name. . . . . . . :
    Netware Server Name. . . . . . :
    Netware Tree Name. . . . . . . :
    Netware Workstation Context. . :

    IP Security test . . . . . . . . . : Passed
    IPSec policy service is active, but no policy is assigned.


    The command completed successfully

    C:\Program Files\Support Tools>

    > Notice that netdiag reported a problem with dns though netdiag shows you
    > have the domain controller pointing to itself as it's preferred dns
    server.
    > Try using the command " netdiag /fix" and then restarting the netlogon
    > service to see if it makes that error go away. Open the dns Management
    > Console and verify that your dns domain exists, that the _srv records are
    > present, and that the domain controllers IP address is shown in A and
    other
    > records for the zone. As far as sysvol, try to access it again after the
    dns
    > problems are resolved and/or use the IP address of the server instead of
    the
    > name to see if you can access it. The command "net share" should also show
    > that the sysvol share exists. --- Steve
Ask a new question

Read More

Policy Domain Controller Windows