Locked out of Group Policy

By XT John ·
I recently demoted a Windows 2000 server. It had been the backup DC to a
Windows 2003 server. It seemed that the dcpromo went ok, and then the dreaded
1030/1058 Event Id's started. I followed the usual advice of allowing
permissions to the SYSVOL folder, etc. Strange thing was, in the SYSVOL
folder was something I'd never seen before: a folder called
NtFrs_PreExisting__See_EventLog. To make a long story short, I tried to
repair the group policy for the domain and the domain controller; and seem to
be locked out of the administrative templates and dcpol.msc. If I try to
access the dcpol, or create a new group policy object; I get an access denied
no permissions message. If i click on a policy to edit, the areas under
administrative templates are blank (there are no items to show in this view.
is displayed). If I right click on administrative templates to add a
template, I can browse to their location, highlight a template but it will
not copy over (another access is denied message, as well as make sure the
disk is not write-protected...)
What I've done so far.... besides pull my hair out.... gave administrator
full permission to the entire c drive... still get the same message.
Created a new super user, signed in as that user, same problems. DNS is
working fine, the policies are being handed out properly to the users on the
domain, there are no error messages being logged and I've been 'googling' for
days! Any help would be appreciated!

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

Have you tried

by cmiller5400 In reply to Locked out of Group Polic ...

Have you tried taking ownership of the files/folders? Just a thought...

Collapse -


by wancona In reply to Locked out of Group Polic ...

I had a similar problem just the other day where all my users were unable to access their My Documents folder. Somehow the "everyone" permission was set to read-only. Even the administrators were locked out. Even if we took ownership, we were still locked out. After given "everyone" the right permissions, everything was okay.

Check the everyone permissions, because restrictions take presidence over allowances.

Collapse -

I owe you

by XT John In reply to Everyone

a beer! or pizza... whatever you'd like! I double checked the SYSVOL share, and sure enough, under 'permissions', the only entry was for everyone and they could read. I added the administrator profile and gave it full rights; everything opened back up! This has been 5 straight days of head-banging!

Collapse -

Same problem here

by wancona In reply to I owe you

I had the same similar head-banging problem for about a week also. I had just found the solution last night. So you were pretty lucky.

Collapse -

That begs the question...

by CG IT In reply to Same problem here

how the heck did it get changed?

does someone have access [see the sysvol folder] that shouldn't?

Collapse -

Couldn't figure it out either

by wancona In reply to That begs the question...

We couldn't figure it out why the permissions got changed

Collapse -

The odd

by XT John In reply to That begs the question...

factors in this instance was the Ntfrs... folder that was created in the SYSVOL share, it would appear the current Domain Controller may have been still trying to replicate with the demoted server, and somehow had become corrupt. There is a warning displayed if you run the gpofix tool about permissions possibly being changed. That's the only thing that comes to mind.

Collapse -

It's funny becase once you flag a DC for demotion, replication should stop

by ManiacMan In reply to The odd

to it and any pending updates that were waiting to be written to disk would have already been committed before starting the actual removal process. Could it be that this particular DC that you were removing was having some disk issues in that things weren't getting written to disk properly? Another strike for MS in how one hockey DC could change the permissions of the Everyone group if that's the case. This truly sucks if it's the case here.

Collapse -

Does MS have anythng to say regarding this?

by ManiacMan In reply to That begs the question...

A new stupid bug to deal with perhaps in the OS? I'm getting too old for this nonsense. :^0

Related Discussions

Related Forums