Group policy change – cannot get back into Group policy MMC

Recently implemented change to group policy recommended by software vendor by the below instructions:

1. Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy.
2. Click Security Settings.
3. Click Local Policies, and then click User Rights Assignment.
4. In the right pane, double-click Impersonate a client after authentication.
5. In the Security Policy Setting window, click Define these policy settings.
6. Click Add, and then click Browse.
7. In the Select Users or Groups window, select the IWAM account name, click Add, and then click OK.

The only other change to the server was the 3 most recent Microsoft hotfixes via Windows Update. Since rebooting, I cannot get back into the Group Policy MMC. I am getting several errors in the log files relating to endpoint mapping, RPC and DCOM. Group policy error states that I do not have authority even though I have Enterprise admin permissions on the account I am logging in with. Server cannot be reached by any client and cannot reach internet.

Configuration is below: Windows 2003 SBS. Single server domain with 7 clients. AD integrated domain. Server handles DNS, DHCP, File shares, and authentication. No Exchange implemented although pieces were installed with basic SBS install.

Any help?

Answer Wiki


As an add, have tried DCGPOFIX and got “could not open active directory object LDAP://RootDSE”. Tried to install and run GPOTool, but the MSI failed to run.

Discuss This Question: 3  Replies

  • Kmeister
    I had a similar error, couldn't get anything to run because RPC wasn't functioning. The internet problem was IPSEC services locking it down because it couldn't find the policy. I ended up doing a repair install to get it to go away. Though if anyone has a better idea I would love to hear it.
  • Jcan123
    As a rule of thumb: Do not use the "Default Domain Controller Policy" nor the "Default Domain Policy" to apply settings. Instead use a new one and apply it to the right container, ex. "Domain Controller" container or Domain Container. This way you do not risk losing your settings if the Default Policy gets overwritten by a service pack or update (although this has not happened, there is no guarantee that it will not happen). To me it sounds suspicious to enable Webservice accounts on the Domain Controller. Maybe you can identify the Policy through the SYSVOL share (remember to back up before changing). For changes to be applied you need to manually update the "Serial number" for the Policy. This number is placed in a text file with only this number in it. However the problem might be related to RPC, so check that all services are running.
  • Mstry9
    Maybe it's time to start from a fresh new Local GPO. Try this, make adjustments as necessary:

    CAUSE
    This issue occurs if the local Group Policy database file is corrupt.

    RESOLUTION
    To resolve this issue, use the procedure described in this section to re-create the local Group Policy file.

    Important: Implementing a security template on a domain controller may change the settings of the Default Domain Controller Policy or Default Domain Policy. The applied template may overwrite permissions on new files, registry keys and system services created by other programs. Restoring these policies might be necessary after applying a security template. Before performing these steps on a domain controller, create a backup of the SYSVOL share.

    Note: When you use the following procedure, your computer is returned to the original installation state where the Local Security Policy is not defined. You may have to start your computer in Safe mode to rename or move files. For additional information about how to do this, see Windows 2000 Help.

    1. Open the %SystemRoot%\Security folder, create a new folder, and then name it "OldSecurity".
    2. Move all of the files ending in .log from the %SystemRoot%\Security folder to the OldSecurity folder.
    3. Find the Secedit.sdb file in the %SystemRoot%\Security\Database folder, and then rename this file to "Secedit.old".
    4. Click Start, click Run, type mmc, and then click OK.
    5. Click Console, click Add/Remove Snap-in, and then add the Security and Configuration snap-in.
    6. Right-click Security and Configuration and Analysis, and then click Open Database.
    7. Browse to the %SystemRoot%\Security\Database folder, type Secedit.sdb in the File name box, and then click Open.
    8. When you are prompted to import a template, click Setup Security.inf, and then click Open.

    Note: If you receive an "Access denied" message, you can safely ignore it.

    Reboot. Good luck.
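
Jcan123's reply suggests identifying the policy through the SYSVOL share and mentions the number stored in a text file there. As an added example (not part of the original thread), the Python below reads backed-up copies of a GPO's GPT.INI and GptTmpl.inf, splits the version counter, and lists which accounts the template assigns to a user right. A right defined in a GPO is the complete list for that right; treating Administrators and SERVICE as the expected holders of SeImpersonatePrivilege is an assumption of this example, as are the function names and the constructed sample contents.

```python
import configparser

# Constructed samples, not taken from the thread. Real copies sit in the GPO's
# SYSVOL folder: GPT.INI and MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# (GptTmpl.inf is normally UTF-16 on disk: open(path, encoding="utf-16")).
SAMPLE_GPT_INI = "[General]\nVersion=131075\n"
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1005
"""

# Assumption of this example: these built-in principals should keep the right.
EXPECTED_HOLDERS = {"*S-1-5-32-544": "Administrators", "*S-1-5-6": "SERVICE"}

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # keep privilege names' case
    cp.read_string(text.lstrip("\ufeff"))     # drop a BOM if one survived decoding
    return cp

def gpo_versions(gpt_ini_text):
    """Split GPT.INI's Version into (user, computer) revision counters."""
    version = _parse(gpt_ini_text).getint("General", "Version")
    return version >> 16, version & 0xFFFF

def privilege_holders(gpttmpl_text, privilege):
    """Accounts assigned to a user right, or None if the GPO does not define it."""
    cp = _parse(gpttmpl_text)
    if not cp.has_option("Privilege Rights", privilege):
        return None
    raw = cp.get("Privilege Rights", privilege)
    return [item.strip() for item in raw.split(",") if item.strip()]

def missing_expected(gpttmpl_text, privilege="SeImpersonatePrivilege"):
    """Expected holders that the GPO's definition of the right leaves out."""
    holders = privilege_holders(gpttmpl_text, privilege)
    if holders is None:                       # not defined here: nothing replaced
        return []
    present = {h.upper() for h in holders}
    return [name for sid, name in EXPECTED_HOLDERS.items()
            if sid not in present and name.upper() not in present]

if __name__ == "__main__":
    print("user/computer revisions:", gpo_versions(SAMPLE_GPT_INI))
    print("missing from SeImpersonatePrivilege:", missing_expected(SAMPLE_GPTTMPL))
```

Run it against copies taken from the SYSVOL backup rather than the live share, so the files are not modified while being inspected.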
