Need help on GPO

[hons]

I have a 2003 Network with several DCs.

Few days before when I try to open the GPO Edit (GPMC), it comes out error message

Is there anybody can help me resolve this problem??

Thanks.

[nmX.Memnoch]

Check your Event Logs for any error messages related to replication and/or group policies.

[hons]

I did try to look for the problem from event log but it didn't say anything about that. I used the "gpotool" and it says "error found" but didn't have detail.

The problem happened since I de-promo a DC and promo again. After I finish the dcpromo, I found the gpmc comes out the error. I check on the gpmc that it only have the "Default Domain policy" and "Default Domain Controller Policy" all other gpos are lost. I tried to add again, after I added a policy when I want to edit, it comes out the above message.

Is there any way I can cleanup the old policies and re-create new one?? Or any utilities can re-pair the GPO system??? It seems like I screwed up the Active Directory!!!

Thanks.

[adamt]

Are you a member of the Domain Admins group?

Do you have permissions on the various GPT.INI files in the SYSVOL shares?

What GPOs does RSOP.MSC show when you're logged in?

Make sure you're checking the logs on the DC that's authenticating you, which isn't necessarily the one you're logged in to.

[hons]

I found an error from another DC which incharge the logon process :

""Windows cannot access the file gpt.ini for GPO cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=aaaa,DC=bbbb,DC=xxx. The file must be present at the location <\\server1.aaaa.bbbb.xxx\sysvol\aaaa.bbbb.xxx\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (There is a time and/or date difference between the client and server. ). Group Policy processing aborted.""

It doesn't look likke is related. Actually I'm trying to fix another problem on the time sync because we have a "Intranet" that have NO external connection to the external time server. I want to setup one of the DC as time source and all other DCs and PCs get time from it but still not success.

I am using "Administrator" login and when I check the GPT.ini, I have full control of the files.

When run RSOP.msc, it comes out "Administrator in server2-RSOP but didn't show any GPOs.

Any clue???

Edited October 5, 2007 by hons

[adamt]

Fix the time problem first, as this can cause problems with GPOs (and many other things in AD).

On the affected servers and workstations, login as admin and run:

net time /set /y

in the command prompt

Also - what permissions do non-admin users have to those folders with GPTs in them?

[hons]

Thanks for the reply.

I run the command.

The right for the GPT.ini is users can read and exectue, Admin with full control.

Thanks again for all your help.

[adamt]

After synching the time, did it solve the problem?

[hons]

NO!! Problem still there!!

It seems when I try to create new GPO the problem occure. I tried to open the "Default Domain Policy" it didn't give error. I tried to backup the policy and let the new policy import the setting from the backup but not work.

Any ideas????

[hons]

Anybody can Help????

[cluberti]

What rights does your user account have (do you have schema admin rights in the domain?), and what permissions does your account have against the sysvol folder and subfolders on the DC?

[hons]

These are the information from the DC, hope it helps.

I'm using "Administrator" to login so it suppose have all the rights needed. Also, I can edit the Default GPO and before the problem started, I can create new GPOs.

Thanks again for the help.

[touchstone_81]

well had the same problem some time back and back then what i did was to take the simpleton route and restart the DC voila it was working. well things may be different in your case bu hey just a thought.

[adamt]

These are the information from the DC, hope it helps.

I'm using "Administrator" to login so it suppose have all the rights needed. Also, I can edit the Default GPO and before the problem started, I can create new GPOs.

Have you tried running "dcdiag /v" on the domain controller and "netdiag /v" on an affected workstation? What do they tell you?

Might be easier to restore a copy of SYSVOL from before the problem started and then find the GPOs by their GUIDs and perhaps see what's different about them now.

[hons]

I ran "DCDIAG /V" in a DC and found no error.

I tried to run the "Netdiag /v" but couldn't find the file in the workstation.

I did try to restore the sysvol from tape but after it restored, the GPMC still couldn't see the GPOs.

Any idea??????????