| Author | Messages | |
sazelton
Posts:2
 | | 07/22/2009 9:02 PM |
| All,
I am on Windows 2008 SP2, and I am trying to edit the Default Domain Policy for our domain. For some reason I am unable to save my edits. After changing the value of Account Lockout Threshold (for example) and attempting to save, I get the following error with "Security Templates" as the window title:
Access Denied.
Failed to save
\\example.com\sysvol\example.com\Policies\{31B2F34 0-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
Make sure that you have the right permission to this object.
I am a member of both the Enterprise Admins and Domain Admins, and I have checked the permissions in AD and on the file system. There should be no reason I cannot edit this file.
Are any of you familiar with this error?
Thanks
Sean
| | | |
| Timo
Posts:57
| | 07/23/2009 6:48 AM |
| I haven't seen the error message before, but I think (if I remeber correcly)
that the best practise is not modify the Default Domain Policy, but to
create a separate GPO where you make the changes and link it to
Domain-level. Also make sure you have the right link order (for the new GPO
it should be 1 and for Default Domain Policy 2, that is if you want to
override settings in Default Domain Policy), meaning that the settings in
the new GPO you created are applied after the Default Domain Policy. Someone
correct me if I'm wrong. I know this does not really answer your question,
but might help you anyway.
- Timo
2009/7/22 Sean Azelton <xxxxxxxxxxxxxxxx>
> All,
>
> I am on Windows 2008 SP2, and I am trying to edit the Default Domain Policy
> for our domain. For some reason I am unable to save my edits. After
> changing the value of Account Lockout Threshold (for example) and attempting
> to save, I get the following error with "Security Templates" as the window
> title:
>
> Access Denied.
> Failed to save
>
> \\example.com\sysvol\example.com\Policies\{31B2F34
> 0-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows
> NT\SecEdit\GptTmpl.inf.
>
> Make sure that you have the right permission to this object.
>
>
> I am a member of both the Enterprise Admins and Domain Admins, and I have
> checked the permissions in AD and on the file system. There should be no
> reason I cannot edit this file.
>
> Are any of you familiar with this error?
>
> Thanks
>
> Sean
>
| | | |
| Timo
Posts:57
| | 07/23/2009 6:48 AM |
| I haven't seen the error message before, but I think (if I remeber correcly)
that the best practise is not modify the Default Domain Policy, but to
create a separate GPO where you make the changes and link it to
Domain-level. Also make sure you have the right link order (for the new GPO
it should be 1 and for Default Domain Policy 2, that is if you want to
override settings in Default Domain Policy), meaning that the settings in
the new GPO you created are applied after the Default Domain Policy. Someone
correct me if I'm wrong. I know this does not really answer your question,
but might help you anyway.
- Timo
2009/7/22 Sean Azelton <xxxxxxxxxxxxxxxx>
> All,
>
> I am on Windows 2008 SP2, and I am trying to edit the Default Domain Policy
> for our domain. For some reason I am unable to save my edits. After
> changing the value of Account Lockout Threshold (for example) and attempting
> to save, I get the following error with "Security Templates" as the window
> title:
>
> Access Denied.
> Failed to save
>
> \\example.com\sysvol\example.com\Policies\{31B2F34
> 0-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows
> NT\SecEdit\GptTmpl.inf.
>
> Make sure that you have the right permission to this object.
>
>
> I am a member of both the Enterprise Admins and Domain Admins, and I have
> checked the permissions in AD and on the file system. There should be no
> reason I cannot edit this file.
>
> Are any of you familiar with this error?
>
> Thanks
>
> Sean
>
| | | |
| Timo
Posts:57
| | 07/23/2009 6:48 AM |
| I haven't seen the error message before, but I think (if I remeber correcly)
that the best practise is not modify the Default Domain Policy, but to
create a separate GPO where you make the changes and link it to
Domain-level. Also make sure you have the right link order (for the new GPO
it should be 1 and for Default Domain Policy 2, that is if you want to
override settings in Default Domain Policy), meaning that the settings in
the new GPO you created are applied after the Default Domain Policy. Someone
correct me if I'm wrong. I know this does not really answer your question,
but might help you anyway.
- Timo
2009/7/22 Sean Azelton <xxxxxxxxxxxxxxxx>
> All,
>
> I am on Windows 2008 SP2, and I am trying to edit the Default Domain Policy
> for our domain. For some reason I am unable to save my edits. After
> changing the value of Account Lockout Threshold (for example) and attempting
> to save, I get the following error with "Security Templates" as the window
> title:
>
> Access Denied.
> Failed to save
>
> \\example.com\sysvol\example.com\Policies\{31B2F34
> 0-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows
> NT\SecEdit\GptTmpl.inf.
>
> Make sure that you have the right permission to this object.
>
>
> I am a member of both the Enterprise Admins and Domain Admins, and I have
> checked the permissions in AD and on the file system. There should be no
> reason I cannot edit this file.
>
> Are any of you familiar with this error?
>
> Thanks
>
> Sean
>
| | | |
| sheynes
Posts:3
| | 07/23/2009 10:24 AM |
| I get this if I try and edit the policy from any other DC except the first one created which has all the roles in the Domain.
Steve
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Timo Ylitalo
Sent: 23 July 2009 06:47
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Access denied - failed to save ...
I haven't seen the error message before, but I think (if I remeber correcly) that the best practise is not modify the Default Domain Policy, but to create a separate GPO where you make the changes and link it to Domain-level. Also make sure you have the right link order (for the new GPO it should be 1 and for Default Domain Policy 2, that is if you want to override settings in Default Domain Policy), meaning that the settings in the new GPO you created are applied after the Default Domain Policy. Someone correct me if I'm wrong. I know this does not really answer your question, but might help you anyway.
- Timo
2009/7/22 Sean Azelton <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>>
All,
I am on Windows 2008 SP2, and I am trying to edit the Default Domain Policy for our domain. For some reason I am unable to save my edits. After changing the value of Account Lockout Threshold (for example) and attempting to save, I get the following error with "Security Templates" as the window title:
Access Denied.
Failed to save
\\example.com<http://example.com/>\sysvol\example.com<http://example.com/>\Policies\{31B2F34 0-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
Make sure that you have the right permission to this object.
I am a member of both the Enterprise Admins and Domain Admins, and I have checked the permissions in AD and on the file system. There should be no reason I cannot edit this file.
Are any of you familiar with this error?
Thanks
Sean
Click here<https://www.mailcontrol.com/sr/LW1Z7MNdTbTTndxI!oX7Uqbu1BVQFfBHb71NFGytbJ7NqtgS97Xycb7et0pWb6yWWtaPVJje3CIjYo47nA1+0g==> to report this email as spam.
| | | |
| chipster
Posts:5
| | 07/23/2009 1:05 PM |
| I was updating a policy on my root level the other day (2003 domain) and had the same thing. It took me an hour to get all my changes done. I ran process monitor on the DC and watched as clients would open the policy and lock the file. We have 27000+ computer accounts and the PDCem for GPO will authenticate about 5000 of them depending on how some remote ones are coming in. The problem seemed to be more that my slower clients on a remote solution were locking the .pol file preventing updates.
What I ended up doing was switcing to another DC and making all my changes, but then nothing would replicate. Then I went back to the main DC and kept refreshing computer management and was booting off clients that were locking that file. It was finally unlocked long enough on there to replicate from the other DC and then things were fine.
Try watching with process monitor and see if you can identify a source that's locking the file. I suspect you might be running into something similar depending on the size of your domain.
__________________________________________
Chip "The Automator" Gandy
Systems Something or Another - Systems Management
Cox Communications Atlanta, MIS
Voice: 404-847-6039 Fax: 404-269-3010
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Steve Heynes
Sent: Thursday, July 23, 2009 5:22 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Access denied - failed to save ...
I get this if I try and edit the policy from any other DC except the first one created which has all the roles in the Domain.
Steve
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Timo Ylitalo
Sent: 23 July 2009 06:47
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] Access denied - failed to save ...
I haven't seen the error message before, but I think (if I remeber correcly) that the best practise is not modify the Default Domain Policy, but to create a separate GPO where you make the changes and link it to Domain-level. Also make sure you have the right link order (for the new GPO it should be 1 and for Default Domain Policy 2, that is if you want to override settings in Default Domain Policy), meaning that the settings in the new GPO you created are applied after the Default Domain Policy. Someone correct me if I'm wrong. I know this does not really answer your question, but might help you anyway.
- Timo
2009/7/22 Sean Azelton <xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>>
All,
I am on Windows 2008 SP2, and I am trying to edit the Default Domain Policy for our domain. For some reason I am unable to save my edits. After changing the value of Account Lockout Threshold (for example) and attempting to save, I get the following error with "Security Templates" as the window title:
Access Denied.
Failed to save
\\example.com<http://example.com/>\sysvol\example.com<http://example.com/>\Policies\{31B2F34 0-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
Make sure that you have the right permission to this object.
I am a member of both the Enterprise Admins and Domain Admins, and I have checked the permissions in AD and on the file system. There should be no reason I cannot edit this file.
Are any of you familiar with this error?
Thanks
Sean
Click here<https://www.mailcontrol.com/sr/LW1Z7MNdTbTTndxI!oX7Uqbu1BVQFfBHb71NFGytbJ7NqtgS97Xycb7et0pWb6yWWtaPVJje3CIjYo47nA1+0g==> to report this email as spam.
| | | |
| sazelton
Posts:2
| | 07/23/2009 2:21 PM |
| Thank you all for the suggestions.
I have tried editing this from every DC we have, as well as from a non-
DC using RSAT Group Policy tools, and I get the same error from all.
The domain is being used very little right now - it is a domain I
inherited from the previous Sys Admin that is used very little, and I
am trying to comb through it for any issues before we go fully
production with it. Needless to say - this particular error is
bothering me a bit.
I fully agree with not using the Default Domain Policy , but instead
creating a new "Default" - but a number of settings were created prior
to my arrival in this GPO, and I need to reset them back to normal
before I can start worrying about a new policy.
Does anyone know if Dcgpofix works in Server 2008, and if there are
any gotchas? I have not used it - just read about it.
Thanks!
On Jul 23, 2009, at 7:03 AM, <xxxxxxxxxxxxxxxx> wrote:
> I was updating a policy on my root level the other day (2003 domain)
> and had the same thing. It took me an hour to get all my changes
> done. I ran process monitor on the DC and watched as clients would
> open the policy and lock the file. We have 27000+ computer accounts
> and the PDCem for GPO will authenticate about 5000 of them depending
> on how some remote ones are coming in. The problem seemed to be
> more that my slower clients on a remote solution were locking
> the .pol file preventing updates.
>
>
>
> What I ended up doing was switcing to another DC and making all my
> changes, but then nothing would replicate. Then I went back to the
> main DC and kept refreshing computer management and was booting off
> clients that were locking that file. It was finally unlocked long
> enough on there to replicate from the other DC and then things were
> fine.
>
>
>
> Try watching with process monitor and see if you can identify a
> source that's locking the file. I suspect you might be running into
> something similar depending on the size of your domain.
>
>
>
> __________________________________________
> Chip "The Automator" Gandy
> Systems Something or Another - Systems Management
> Cox Communications Atlanta, MIS
> Voice: 404-847-6039 Fax: 404-269-3010
>
>
>
> From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx
> ] On Behalf Of Steve Heynes
> Sent: Thursday, July 23, 2009 5:22 AM
> To: xxxxxxxxxxxxxxxx
> Subject: RE: [gptalk] Access denied - failed to save ...
>
>
>
> I get this if I try and edit the policy from any other DC except the
> first one created which has all the roles in the Domain.
>
>
>
> Steve
>
>
>
> From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx
> ] On Behalf Of Timo Ylitalo
> Sent: 23 July 2009 06:47
> To: xxxxxxxxxxxxxxxx
> Subject: Re: [gptalk] Access denied - failed to save ...
>
>
>
> I haven't seen the error message before, but I think (if I remeber
> correcly) that the best practise is not modify the Default Domain
> Policy, but to create a separate GPO where you make the changes and
> link it to Domain-level. Also make sure you have the right link
> order (for the new GPO it should be 1 and for Default Domain Policy
> 2, that is if you want to override settings in Default Domain
> Policy), meaning that the settings in the new GPO you created are
> applied after the Default Domain Policy. Someone correct me if I'm
> wrong. I know this does not really answer your question, but might
> help you anyway.
>
>
>
> - Timo
>
>
>
>
>
>
> 2009/7/22 Sean Azelton <xxxxxxxxxxxxxxxx>
>
> All,
>
> I am on Windows 2008 SP2, and I am trying to edit the Default Domain
> Policy for our domain. For some reason I am unable to save my
> edits. After changing the value of Account Lockout Threshold (for
> example) and attempting to save, I get the following error with
> "Security Templates" as the window title:
>
> Access Denied.
> Failed to save
>
> \\example.com\sysvol\example.com\Policies\{31B2F34
> 0-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
> \GptTmpl.inf.
>
> Make sure that you have the right permission to this object.
>
>
> I am a member of both the Enterprise Admins and Domain Admins, and I
> have checked the permissions in AD and on the file system. There
> should be no reason I cannot edit this file.
>
> Are any of you familiar with this error?
>
> Thanks
>
> Sean
>
>
>
> Click here to report this email as spam.
>
| | | |
|
|