Cannot access security settings in Win 2003

I want to manipulate some of the security settings in Win2003 server (eval
version) (domain security policty, digital signatures, etc). I am logged on
with an account that has admin, domain admin, enterprise admin, group
policy, etc. etc priveleges but these options are not avaible - they are
greyed out and disabled and when trying to access domain security policy I
get an error messages 'access denied.." I had been logging on through remote
desktop and thought that perhaps that was the reason but then I logged on
directly to the physical console with same results. The server is Domain
Controller and also DNS and DHCP server.

What is wrong? How do I access these settings??

--

Feel free to contact me with any questions or concerns.
________________________________________

MN @ Hzn
212-480-7000 x17

If you upgraded a Win2k DC to Win 2003, these Admin tools still appear in
your list, but they will not function. You will have to use AD Users and
Computers to access these policies. See:

http://support.microsoft.com/default...b;en-us;828291

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP

"Mikey_N" <(E-Mail Removed)> wrote in message
news:OAw2lz%(E-Mail Removed)...
> I want to manipulate some of the security settings in Win2003 server
(eval
> version) (domain security policty, digital signatures, etc). I am logged
on
> with an account that has admin, domain admin, enterprise admin, group
> policy, etc. etc priveleges but these options are not avaible - they are
> greyed out and disabled and when trying to access domain security policy I
> get an error messages 'access denied.." I had been logging on through
remote
> desktop and thought that perhaps that was the reason but then I logged on
> directly to the physical console with same results. The server is Domain
> Controller and also DNS and DHCP server.
>
> What is wrong? How do I access these settings??
>
> --
>
> Feel free to contact me with any questions or concerns.
> ________________________________________
>
> MN @ Hzn
> 212-480-7000 x17
>
>

Can you access Domain Controller Security Policy? Check Event Viewer for any
pertinent errors and check your permissions to the default domain GPO in AD
Users and Computers by finding the domain, right click to bring up
properties/Group Policy/properties -security to make sure domain admins have
at least read/write permissions. While there try to use edit to manage
Domain Security Policy which is a subset of the default domain GPO/computer
configuration/Windows settings/security settings. Also try rebooting the
computer if none of that helps. --- Steve


"Mikey_N" <(E-Mail Removed)> wrote in message
news:OAw2lz%(E-Mail Removed)...
>I want to manipulate some of the security settings in Win2003 server (eval
> version) (domain security policty, digital signatures, etc). I am logged
> on
> with an account that has admin, domain admin, enterprise admin, group
> policy, etc. etc priveleges but these options are not avaible - they are
> greyed out and disabled and when trying to access domain security policy I
> get an error messages 'access denied.." I had been logging on through
> remote
> desktop and thought that perhaps that was the reason but then I logged on
> directly to the physical console with same results. The server is Domain
> Controller and also DNS and DHCP server.
>
> What is wrong? How do I access these settings??
>
> --
>
> Feel free to contact me with any questions or concerns.
> ________________________________________
>
> MN @ Hzn
> 212-480-7000 x17
>
>

Cannot get into Domain Controller Security Policy,

> Users and Computers by finding the domain, right click to bring up
> properties/Group Policy/properties -security to make sure domain admins
have
> at least read/write permissions.

Cannot get in there either. Have rebooted numerous times. There is something
amiss here - it also takes a very very long time for the Domain users snap
in to come up - like about five minutes. Don't find anything in the event
log - I cleared it now and will watch for something now.

whatever, thanks. I think I'll probably go back to Win2k server - this isn't
worth the time meanwhile, it can wait until MS gets it straight.



"
"Steven L Umbach" <(E-Mail Removed)> wrote in message
news:%23%23Y92d$(E-Mail Removed)...
> Can you access Domain Controller Security Policy? Check Event Viewer for
any
> pertinent errors and check your permissions to the default domain GPO in
AD
> Users and Computers by finding the domain, right click to bring up
> properties/Group Policy/properties -security to make sure domain admins
have
> at least read/write permissions. While there try to use edit to manage
> Domain Security Policy which is a subset of the default domain
GPO/computer
> configuration/Windows settings/security settings. Also try rebooting the
> computer if none of that helps. --- Steve
>
>
> "Mikey_N" <(E-Mail Removed)> wrote in message
> news:OAw2lz%(E-Mail Removed)...
> >I want to manipulate some of the security settings in Win2003 server
(eval
> > version) (domain security policty, digital signatures, etc). I am logged
> > on
> > with an account that has admin, domain admin, enterprise admin, group
> > policy, etc. etc priveleges but these options are not avaible - they are
> > greyed out and disabled and when trying to access domain security policy
I
> > get an error messages 'access denied.." I had been logging on through
> > remote
> > desktop and thought that perhaps that was the reason but then I logged
on
> > directly to the physical console with same results. The server is Domain
> > Controller and also DNS and DHCP server.
> >
> > What is wrong? How do I access these settings??
> >
> > --
> >
> > Feel free to contact me with any questions or concerns.
> > ________________________________________
> >
> > MN @ Hzn
> > 212-480-7000 x17
> >
> >
>
>

This was not an upgrade. New machine, first OS installation.

"Doug Sherman [MVP]" <(E-Mail Removed)> wrote in message
news:%23BU4jR$(E-Mail Removed)...
> If you upgraded a Win2k DC to Win 2003, these Admin tools still appear in
> your list, but they will not function. You will have to use AD Users and
> Computers to access these policies. See:
>
> http://support.microsoft.com/default...b;en-us;828291
>
> Doug Sherman
> MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
>
> "Mikey_N" <(E-Mail Removed)> wrote in message
> news:OAw2lz%(E-Mail Removed)...
> > I want to manipulate some of the security settings in Win2003 server
> (eval
> > version) (domain security policty, digital signatures, etc). I am logged
> on
> > with an account that has admin, domain admin, enterprise admin, group
> > policy, etc. etc priveleges but these options are not avaible - they are
> > greyed out and disabled and when trying to access domain security policy
I
> > get an error messages 'access denied.." I had been logging on through
> remote
> > desktop and thought that perhaps that was the reason but then I logged
on
> > directly to the physical console with same results. The server is Domain
> > Controller and also DNS and DHCP server.
> >
> > What is wrong? How do I access these settings??
> >
> > --
> >
> > Feel free to contact me with any questions or concerns.
> > ________________________________________
> >
> > MN @ Hzn
> > 212-480-7000 x17
> >
> >
>
>

What I mean by 'get it straight' is that from my experiences, and from what
I have seen in the newsgroups, they made some bad choices when it came to
the default settings they use for Win2003 server and they need to fix that.
Of course it is nothing new to find poor judgement in the default settings
of MS products!



"Mikey_N" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Cannot get into Domain Controller Security Policy,
>
> > Users and Computers by finding the domain, right click to bring up
> > properties/Group Policy/properties -security to make sure domain admins
> have
> > at least read/write permissions.
>
> Cannot get in there either. Have rebooted numerous times. There is
something
> amiss here - it also takes a very very long time for the Domain users snap
> in to come up - like about five minutes. Don't find anything in the event
> log - I cleared it now and will watch for something now.
>
> whatever, thanks. I think I'll probably go back to Win2k server - this
isn't
> worth the time meanwhile, it can wait until MS gets it straight.
>
>
>
> "
> "Steven L Umbach" <(E-Mail Removed)> wrote in message
> news:%23%23Y92d$(E-Mail Removed)...
> > Can you access Domain Controller Security Policy? Check Event Viewer for
> any
> > pertinent errors and check your permissions to the default domain GPO in
> AD
> > Users and Computers by finding the domain, right click to bring up
> > properties/Group Policy/properties -security to make sure domain admins
> have
> > at least read/write permissions. While there try to use edit to manage
> > Domain Security Policy which is a subset of the default domain
> GPO/computer
> > configuration/Windows settings/security settings. Also try rebooting the
> > computer if none of that helps. --- Steve
> >
> >
> > "Mikey_N" <(E-Mail Removed)> wrote in message
> > news:OAw2lz%(E-Mail Removed)...
> > >I want to manipulate some of the security settings in Win2003 server
> (eval
> > > version) (domain security policty, digital signatures, etc). I am
logged
> > > on
> > > with an account that has admin, domain admin, enterprise admin, group
> > > policy, etc. etc priveleges but these options are not avaible - they
are
> > > greyed out and disabled and when trying to access domain security
policy
> I
> > > get an error messages 'access denied.." I had been logging on through
> > > remote
> > > desktop and thought that perhaps that was the reason but then I logged
> on
> > > directly to the physical console with same results. The server is
Domain
> > > Controller and also DNS and DHCP server.
> > >
> > > What is wrong? How do I access these settings??
> > >
> > > --
> > >
> > > Feel free to contact me with any questions or concerns.
> > > ________________________________________
> > >
> > > MN @ Hzn
> > > 212-480-7000 x17
> > >
> > >
> >
> >
>
>

I have not experienced any problems with Windows 2003. The change in default
settings was done to increase security substantially though it should not
cause the problems you are experiencing. If you can open AD Users and
Computers select view to check that advanced settings are shown. The go to
the system folder and find the policies subfolder. There are some long
numbers there that are your GPO's and there should be at least two. Check
the properties to make sure domain admins have read, write, create child,
delete child to all of them.

Verify that the domain controller is pointing to itself as it's only
preferred dns server and check dns for the existence of the domain zone and
the _srv records for the domain. Run the support tools netdiag and dcdiag on
the domain controller to see if any problems are found. They are on the
install disk in the support/tools folder where you have to run the setup
there. Verify the existence of the sysvol share. You should be able to see
it and access it in Network Places. Go to \windows\sysvol to make sure
administrators have full control permissions to that folder and the
subfolders and also full control permissions to the sysvol share. There
should not be any deny permissions in those folders. The other thing I would
check is that domain admins is a member of the administrators group. Another
possibility is that you have locked down the server with Group Policy and it
is applying to administrators also. --- Steve


"Mikey_N" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> What I mean by 'get it straight' is that from my experiences, and from
> what
> I have seen in the newsgroups, they made some bad choices when it came to
> the default settings they use for Win2003 server and they need to fix
> that.
> Of course it is nothing new to find poor judgement in the default settings
> of MS products!
>
>
>
> "Mikey_N" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Cannot get into Domain Controller Security Policy,
>>
>> > Users and Computers by finding the domain, right click to bring up
>> > properties/Group Policy/properties -security to make sure domain admins
>> have
>> > at least read/write permissions.
>>
>> Cannot get in there either. Have rebooted numerous times. There is
> something
>> amiss here - it also takes a very very long time for the Domain users
>> snap
>> in to come up - like about five minutes. Don't find anything in the event
>> log - I cleared it now and will watch for something now.
>>
>> whatever, thanks. I think I'll probably go back to Win2k server - this
> isn't
>> worth the time meanwhile, it can wait until MS gets it straight.
>>
>>
>>
>> "
>> "Steven L Umbach" <(E-Mail Removed)> wrote in message
>> news:%23%23Y92d$(E-Mail Removed)...
>> > Can you access Domain Controller Security Policy? Check Event Viewer
>> > for
>> any
>> > pertinent errors and check your permissions to the default domain GPO
>> > in
>> AD
>> > Users and Computers by finding the domain, right click to bring up
>> > properties/Group Policy/properties -security to make sure domain admins
>> have
>> > at least read/write permissions. While there try to use edit to manage
>> > Domain Security Policy which is a subset of the default domain
>> GPO/computer
>> > configuration/Windows settings/security settings. Also try rebooting
>> > the
>> > computer if none of that helps. --- Steve
>> >
>> >
>> > "Mikey_N" <(E-Mail Removed)> wrote in message
>> > news:OAw2lz%(E-Mail Removed)...
>> > >I want to manipulate some of the security settings in Win2003 server
>> (eval
>> > > version) (domain security policty, digital signatures, etc). I am
> logged
>> > > on
>> > > with an account that has admin, domain admin, enterprise admin, group
>> > > policy, etc. etc priveleges but these options are not avaible - they
> are
>> > > greyed out and disabled and when trying to access domain security
> policy
>> I
>> > > get an error messages 'access denied.." I had been logging on through
>> > > remote
>> > > desktop and thought that perhaps that was the reason but then I
>> > > logged
>> on
>> > > directly to the physical console with same results. The server is
> Domain
>> > > Controller and also DNS and DHCP server.
>> > >
>> > > What is wrong? How do I access these settings??
>> > >
>> > > --
>> > >
>> > > Feel free to contact me with any questions or concerns.
>> > > ________________________________________
>> > >
>> > > MN @ Hzn
>> > > 212-480-7000 x17
>> > >
>> > >
>> >
>> >
>>
>>
>
>

Thanks for all your help. Maybe I shouldn't blame MS - I am a developer by
trade not a network professional so I don't have extensive knowledge, just
what I have picked up over the years from working and developing on MS
network platforms. It seems something is seriously amiss with the config of
the machine, I found stacks of messages like the following (below at end of
this message) in the applications event log, appearing at 5 minute
intervals.In addition there is extremely long delay when accessing files on
the DC from workstations - like 5 minutes to browse one small text file.
That is why I wanted to change the security settings - others have reported
similar problems and were advised to turn off digital signatures on the
server security policies. I was also experiencing extremely long log on
times (applyling computer settings.... for about two minutes or more) but I
fixed that by configuring the workstations to point explicitely to the DC as
the DNS server instead of automatic detection. But the file access problems
remain.


__________________________________________________ __________________


Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


__________________________________________________ ______________________

Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=MikeyNach
,DC=Net. The file must be present at the location
<\\MikeyNach.Net\sysvol\MikeyNach.Net\Policies\{31 B2F340-016D-11D2-945F-00C0
4FB984F9}\gpt.ini>. (The network path was not found. ). Group Policy
processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Thanks for all your help. Maybe I shouldn't blame MS - I am a developer by
trade not a network professional so I don't have extensive knowledge, just
what I have picked up over the years from working and developing on MS
network platforms. It seems something is seriously amiss with the config of
the machine, I found stacks of messages like the following (below at end of
this message) in the applications event log, appearing at 5 minute
intervals.In addition there is extremely long delay when accessing files on
the DC from workstations - like 5 minutes to browse one small text file.
That is why I wanted to change the security settings - others have reported
similar problems and were advised to turn off digital signatures on the
server security policies. I was also experiencing extremely long log on
times (applyling computer settings.... for about two minutes or more) but I
fixed that by configuring the workstations to point explicitely to the DC as
the DNS server instead of automatic detection. But the file access problems
remain.


__________________________________________________ __________________


Windows cannot query for the list of Group Policy objects. Check the event
log for possible messages previously logged by the policy engine that
describes the reason for this.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


__________________________________________________ ______________________

Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=MikeyNach
,DC=Net. The file must be present at the location
<\\MikeyNach.Net\sysvol\MikeyNach.Net\Policies\{31 B2F340-016D-11D2-945F-00C0
4FB984F9}\gpt.ini>. (The network path was not found. ). Group Policy
processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Well when frustrated we all tend to blame the source of the frustration, I
can certainly understand that.

Did you have a change to use the netdiag and dcdiag tools as I suggested.
That could be very helpful in determining the general health of the domain
and domain controller as would verifying the existence of the sysvol share
[very important] and it's permissions. When you go to Network Neighborhood
while logged onto the domain controller you should see the sysvol share and
then be able to drill down to the file referenced as in sysvol\domain
name\policies\31B2...\gpt.ini to see if you can access it. From the
description of your problem it seems as if the sysvol share does not exist,
permissions are too restrictive, or the default domain policy has been
deleted. If the sysvol share does not exist, see the link below on how to
recreate it with a registry modification. If the sysvol share exists but
31B2F340-016D-11D2-945F-00C04FB984F9 does not exist then the default domain
policy is not linked to the domain or it has been deleted. You can use AD
Users and Computers, select the domain - right click/properties/Group Policy
to see if the default domain GPO is there. If it is not, select "add" to see
if you can find it and then link it to the domain container. If it can not
be found you use the command dcgpofix.exe on the domain controller to
restore it. --- Steve

http://www.jsiinc.com/SUBG/tip3300/rh3304.htm -- recreate sysvol share.

"Mikey_N" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Thanks for all your help. Maybe I shouldn't blame MS - I am a developer by
> trade not a network professional so I don't have extensive knowledge, just
> what I have picked up over the years from working and developing on MS
> network platforms. It seems something is seriously amiss with the config
> of
> the machine, I found stacks of messages like the following (below at end
> of
> this message) in the applications event log, appearing at 5 minute
> intervals.In addition there is extremely long delay when accessing files
> on
> the DC from workstations - like 5 minutes to browse one small text file.
> That is why I wanted to change the security settings - others have
> reported
> similar problems and were advised to turn off digital signatures on the
> server security policies. I was also experiencing extremely long log on
> times (applyling computer settings.... for about two minutes or more) but
> I
> fixed that by configuring the workstations to point explicitely to the DC
> as
> the DNS server instead of automatic detection. But the file access
> problems
> remain.
>
>
> __________________________________________________ __________________
>
>
> Windows cannot query for the list of Group Policy objects. Check the event
> log for possible messages previously logged by the policy engine that
> describes the reason for this.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> __________________________________________________ ______________________
>
> Windows cannot access the file gpt.ini for GPO
> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=MikeyNach
> ,DC=Net. The file must be present at the location
> <\\MikeyNach.Net\sysvol\MikeyNach.Net\Policies\{31 B2F340-016D-11D2-945F-00C0
> 4FB984F9}\gpt.ini>. (The network path was not found. ). Group Policy
> processing aborted.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
>
>