Cannot access security settings in Win 2003

Discussion in 'Server Networking' started by Mikey_N, Jan 26, 2005.

  1. Mikey_N

    Mikey_N Guest

    I want to manipulate some of the security settings in Win2003 server (eval
    version) (domain security policy, digital signatures, etc). I am logged on
    with an account that has admin, domain admin, enterprise admin, group
    policy, etc. etc privileges but these options are not available - they are
    greyed out and disabled and when trying to access domain security policy I
    get an error message 'access denied'. I had been logging on through remote
    desktop and thought that perhaps that was the reason but then I logged on
    directly to the physical console with same results. The server is Domain
    Controller and also DNS and DHCP server.

    What is wrong? How do I access these settings??

    --

    Feel free to contact me with any questions or concerns.
    ________________________________________

    MN @ Hzn
    212-480-7000 x17
     
    Mikey_N, Jan 26, 2005
    #1

  2. Doug Sherman [MVP], Jan 26, 2005
    #2

  3. Can you access Domain Controller Security Policy? Check Event Viewer for any
    pertinent errors and check your permissions to the default domain GPO in AD
    Users and Computers by finding the domain, right click to bring up
    properties/Group Policy/properties -security to make sure domain admins have
    at least read/write permissions. While there try to use edit to manage
    Domain Security Policy which is a subset of the default domain GPO/computer
    configuration/Windows settings/security settings. Also try rebooting the
    computer if none of that helps. --- Steve
     
    Steven L Umbach, Jan 26, 2005
    #3
  4. Mikey_N

    Mikey_N Guest

    Cannot get into Domain Controller Security Policy,
    Cannot get in there either. Have rebooted numerous times. There is something
    amiss here - it also takes a very very long time for the Domain users snap
    in to come up - like about five minutes. Don't find anything in the event
    log - I cleared it now and will watch for something now.

    whatever, thanks. I think I'll probably go back to Win2k server - this isn't
    worth the time meanwhile, it can wait until MS gets it straight.

     
    Mikey_N, Jan 27, 2005
    #4
  5. Mikey_N

    Mikey_N Guest

    This was not an upgrade. New machine, first OS installation.
     
    Mikey_N, Jan 27, 2005
    #5
  6. Mikey_N

    Mikey_N Guest

    What I mean by 'get it straight' is that from my experiences, and from what
    I have seen in the newsgroups, they made some bad choices when it came to
    the default settings they use for Win2003 server and they need to fix that.
    Of course it is nothing new to find poor judgement in the default settings
    of MS products!
     
    Mikey_N, Jan 27, 2005
    #6
  7. I have not experienced any problems with Windows 2003. The change in default
    settings was done to increase security substantially though it should not
    cause the problems you are experiencing. If you can open AD Users and
    Computers select view to check that advanced settings are shown. Then go to
    the system folder and find the policies subfolder. There are some long
    numbers there that are your GPOs and there should be at least two. Check
    the properties to make sure domain admins have read, write, create child,
    delete child to all of them.

    Verify that the domain controller is pointing to itself as its only
    preferred DNS server and check DNS for the existence of the domain zone and
    the _srv records for the domain. Run the support tools netdiag and dcdiag on
    the domain controller to see if any problems are found. They are on the
    install disk in the support/tools folder where you have to run the setup
    there. Verify the existence of the sysvol share. You should be able to see
    it and access it in Network Places. Go to \windows\sysvol to make sure
    administrators have full control permissions to that folder and the
    subfolders and also full control permissions to the sysvol share. There
    should not be any deny permissions in those folders. The other thing I would
    check is that domain admins is a member of the administrators group. Another
    possibility is that you have locked down the server with Group Policy and it
    is applying to administrators also. --- Steve
     
    Steven L Umbach, Jan 27, 2005
    #7
  8. Mikey_N

    Mikey_N Guest

    Thanks for all your help. Maybe I shouldn't blame MS - I am a developer by
    trade not a network professional so I don't have extensive knowledge, just
    what I have picked up over the years from working and developing on MS
    network platforms. It seems something is seriously amiss with the config of
    the machine, I found stacks of messages like the following (below at end of
    this message) in the applications event log, appearing at 5 minute
    intervals. In addition there is extremely long delay when accessing files on
    the DC from workstations - like 5 minutes to browse one small text file.
    That is why I wanted to change the security settings - others have reported
    similar problems and were advised to turn off digital signatures on the
    server security policies. I was also experiencing extremely long log on
    times (applying computer settings.... for about two minutes or more) but I
    fixed that by configuring the workstations to point explicitly to the DC as
    the DNS server instead of automatic detection. But the file access problems
    remain.


    ____________________________________________________________________


    Windows cannot query for the list of Group Policy objects. Check the event
    log for possible messages previously logged by the policy engine that
    describes the reason for this.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.


    ________________________________________________________________________

    Windows cannot access the file gpt.ini for GPO
    CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=MikeyNach,DC=Net.
    The file must be present at the location
    <\\MikeyNach.Net\sysvol\MikeyNach.Net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
    (The network path was not found. ). Group Policy processing aborted.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
     
    Mikey_N, Jan 27, 2005
    #8
  10. Well when frustrated we all tend to blame the source of the frustration, I
    can certainly understand that.

    Did you have a chance to use the netdiag and dcdiag tools as I suggested?
    That could be very helpful in determining the general health of the domain
    and domain controller as would verifying the existence of the sysvol share
    [very important] and its permissions. When you go to Network Neighborhood
    while logged onto the domain controller you should see the sysvol share and
    then be able to drill down to the file referenced as in sysvol\domain
    name\policies\31B2...\gpt.ini to see if you can access it. From the
    description of your problem it seems as if the sysvol share does not exist,
    permissions are too restrictive, or the default domain policy has been
    deleted. If the sysvol share does not exist, see the link below on how to
    recreate it with a registry modification. If the sysvol share exists but
    31B2F340-016D-11D2-945F-00C04FB984F9 does not exist then the default domain
    policy is not linked to the domain or it has been deleted. You can use AD
    Users and Computers, select the domain - right click/properties/Group Policy
    to see if the default domain GPO is there. If it is not, select "add" to see
    if you can find it and then link it to the domain container. If it cannot
    be found you can use the command dcgpofix.exe on the domain controller to
    restore it. --- Steve

    http://www.jsiinc.com/SUBG/tip3300/rh3304.htm -- recreate sysvol share.
     
    Steven L Umbach, Jan 27, 2005
    #10
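    The drill-down Steve describes (does the gpt.ini path in the event exist, and is
    the GPO still present and linked to the domain) can be automated from the event
    text Mikey posted. The following is an added example, not code from the thread
    or from Microsoft: it parses the GPO GUID and UNC path out of the message, tests
    the UNC path and the equivalent folder under the local SYSVOL share, then reads
    the GPO object and the domain's gPLink attribute through ADSI. It assumes Windows
    PowerShell 2.0 or later running as a domain admin on the DC; the event text is
    constructed from post #8 with the DN joined onto one line.

```powershell
# Added example, not from the thread: diagnose a "Windows cannot access the
# file gpt.ini" event from its message text. Read-only; changes nothing.
# Assumes Windows PowerShell 2.0+ on the domain controller, run as a domain admin.

# Event message constructed from the text in post #8 (DN joined onto one line).
$eventText = @'
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=MikeyNach,DC=Net. The file must be present at the location <\\MikeyNach.Net\sysvol\MikeyNach.Net\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (The network path was not found. ). Group Policy processing aborted.
'@

function Get-GptIniReference([string]$Message) {
    # Pull the GPO GUID and the UNC path the policy engine tried to open.
    $guid = [regex]::Match($Message, 'CN=(\{[0-9A-Fa-f-]+\}),CN=Policies').Groups[1].Value
    $unc  = [regex]::Match($Message, '<(\\\\[^>]+gpt\.ini)>').Groups[1].Value
    if (-not $guid -or -not $unc) { throw 'Could not parse a GPO GUID and gpt.ini path from the message' }
    New-Object PSObject -Property @{ Guid = $guid; UncPath = $unc }
}

$ref = Get-GptIniReference $eventText
$findings = @()

# --- File system side: the UNC path the engine used, then the local SYSVOL copy ---
if (Test-Path -Path $ref.UncPath) {
    $findings += "OK: $($ref.UncPath) is reachable"
} else {
    $findings += "FAIL: $($ref.UncPath) not reachable (share missing, name resolution, or permissions)"
}
$share = Get-WmiObject Win32_Share -Filter "Name='SYSVOL'"
if ($share) {
    # Everything after '\\server\sysvol\' is relative to the share root on disk.
    $relative = $ref.UncPath -replace '^\\\\[^\\]+\\sysvol\\', ''
    $local = Join-Path $share.Path $relative
    if (Test-Path -Path $local) { $findings += "OK: local copy present at $local" }
    else { $findings += "FAIL: $local missing; the GPO folder or gpt.ini is gone from SYSVOL" }
} else {
    $findings += 'FAIL: SYSVOL share does not exist on this DC'
}

# --- AD side: does the GPO object exist, and is it linked to the domain? ---
$nc = ([ADSI]'LDAP://RootDSE').Get('defaultNamingContext')
$gpoDn = "CN=$($ref.Guid),CN=Policies,CN=System,$nc"
if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$gpoDn")) {
    $gpo = [ADSI]"LDAP://$gpoDn"
    $findings += "OK: GPO object exists; gPCFileSysPath = $($gpo.Get('gPCFileSysPath'))"
} else {
    $findings += "FAIL: no GPO object at $gpoDn (if this is a default GPO, dcgpofix can recreate it)"
}
$domain = [ADSI]"LDAP://$nc"
try { $gpLink = [string]$domain.Get('gPLink') } catch { $gpLink = '' }
if ($gpLink -match [regex]::Escape($ref.Guid)) {
    $findings += "OK: $($ref.Guid) is linked to the domain"
} else {
    $findings += "FAIL: $($ref.Guid) is not in the domain's gPLink; re-link it under domain properties / Group Policy"
}

$findings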
  11. Mikey_N

    Mikey_N Guest

    No I did not have a chance to investigate too much. I will over the weekend.
    It's not that important because it is only a small test system and I can
    trash it and reinstall if necessary. However I would like to understand and
    maybe fix the problem if possible, for my own knowledge and personal
    gratification - I write mostly server side code for high volume business
    applications but it never hurts to learn something new and sometimes I am
    called upon to get involved with someone's network, etc.

    Thanks again

    --

    Feel free to contact me with any questions or concerns.
    ________________________________________

    MN @ Hzn
    212-480-7000 x17
     
    Mikey_N, Jan 27, 2005
    #11
  12. Cool. Best wishes in your code writing endeavors. --- Steve


     
    Steven L Umbach, Jan 28, 2005
    #12
  13. Mikey_N

    Mikey_N Guest

    BTW the sysvol share is there and visible everywhere, and so is the file
    gpt.ini, inside the folder named with the GUID the error message refers to.

    But something is very wrong because I wanted to look around in some of the
    other files there and a login prompt came up even though I was already on
    the DC console with admin rights, etc. ! I entered the user name and pword
    again and it didn't recognize the login. So I will poke around a bit more
    but I don't know what's going on - this looks like a 'do over'... I probably
    unwittingly trashed or disabled something in the course of my experiments
    and explorations.

    thanks again
     
    Mikey_N, Jan 28, 2005
    #13
  14. Something must have got messed up with folder/file permissions. I believe
    you said this is a test domain and Windows 2003 Server. I would try using
    the dcgpofix.exe command to restore the domain/domain controller GPOs which
    would include security policy. I don't know if it will correct permissions
    problems by resetting them to default but you may want to give it a look.
    You could also manually try to correct permissions which you should be able
    to do as an administrator even if you do not have explicit permissions.
    Just highlight the folder, right click and select properties/security.
    Administrators and system should have full control permissions to any file
    or folder in the system folder. I would also verify group membership of the
    account you are logged onto the domain controller with. Use the command " net
    user username " [the name you are logged on with] to make sure that it shows
    as being in the domain admins group. Then use " net localgroup
    administrators " to make sure that domain admins is shown as a group member.
    Sometimes the administrator account gets renamed and a regular user account
    is renamed to administrator [ to confuse hackers ] . Then as time goes by
    that is forgotten and we logon as administrator and are using a regular user
    account - I have done that myself. --- Steve

    http://www.jsiinc.com/SUBM/tip6400/rh6493.htm -- dcgpofix
     
    Steven L Umbach, Jan 29, 2005
    #14
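    The permission and group-membership checks Steve lists here and in post #7
    (preferred DNS pointing at the DC itself, the SYSVOL share, Administrators and
    SYSTEM with Full Control and no Deny entries on \windows\sysvol and the GPO
    folders, Domain Admins inside local Administrators, and the logged-on account
    really being a domain admin) fit in one read-only script. This is an added
    example, not code from the thread or from Microsoft; it assumes Windows
    PowerShell 2.0 or later run elevated on the domain controller, and that
    whoami.exe is present. It reports findings only and does not change any
    permission, so dcgpofix or a manual fix is still the remedy.

```powershell
# Added example (not from the thread): read-only pass over the checks in posts
# #7 and #14, run elevated in Windows PowerShell 2.0+ on the domain controller.
# Assumes whoami.exe is available. Nothing is modified.

$problems = @()

# 1. The preferred DNS server of every live NIC should be this DC (or loopback).
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
$ownAddrs = @('127.0.0.1', '::1') + @($nics | ForEach-Object { $_.IPAddress })
foreach ($nic in $nics) {
    if (-not $nic.DNSServerSearchOrder) {
        $problems += "NIC '$($nic.Description)': no DNS server configured"; continue
    }
    $preferred = $nic.DNSServerSearchOrder[0]
    if ($ownAddrs -notcontains $preferred) {
        $problems += "NIC '$($nic.Description)': preferred DNS is $preferred, not this DC"
    }
}

# 2. The SYSVOL share must exist; its Path is where the policy folders live on disk.
$share = Get-WmiObject Win32_Share -Filter "Name='SYSVOL'"
if (-not $share) { $problems += 'SYSVOL share is missing' }

# 3. Administrators and SYSTEM need Full Control; no Deny ACE may be present.
function Test-FolderAcl([string]$Path) {
    if (-not (Test-Path -Path $Path)) { return @("$Path does not exist") }
    $issues = @()
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') {
            $issues += "Deny ACE for $($ace.IdentityReference) on $Path"
        }
    }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($who in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $ok = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $who -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $full) -eq $full)
        }
        if (-not $ok) { $issues += "$who lacks Full Control on $Path" }
    }
    return $issues
}

# Steve's \windows\sysvol, then the share root itself.
$problems += @(Test-FolderAcl (Join-Path $env:SystemRoot 'SYSVOL'))
if ($share) { $problems += @(Test-FolderAcl $share.Path) }

# 4. Policies should hold at least the two default GPO folders (GUID names), each with sane ACLs.
if ($share) {
    $policyDirs = @(Get-ChildItem -Path (Join-Path $share.Path '*\Policies') |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-F-]+\}$' })
    if ($policyDirs.Count -lt 2) {
        $problems += "Expected at least two GPO folders under Policies, found $($policyDirs.Count)"
    }
    foreach ($d in $policyDirs) { $problems += @(Test-FolderAcl $d.FullName) }
}

# 5. Domain Admins in local Administrators, and the current account in Domain Admins
#    (the script equivalent of Steve's "net localgroup administrators" / "net user" checks).
$localAdmins = net localgroup administrators
if (-not ($localAdmins -match 'Domain Admins')) {
    $problems += 'Domain Admins is not a member of local Administrators'
}
$myGroups = whoami /groups
if (-not ($myGroups -match 'Domain Admins')) {
    $problems += "$env:USERNAME is not in Domain Admins (check whether the account was renamed)"
}

if ($problems.Count -eq 0) { 'No problems found' } else { $problems }
```

    The script does not replace netdiag and dcdiag, which test replication and DNS
    registration far more thoroughly; it only confirms the specific items from the
    thread quickly enough to rule them in or out before running those tools.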