Can't edit default domain controllers policy on windows 8 or server 2012
I have found that I can't edit the "Default Domain Controllers Policy" from a Windows 8 or Server 2012 machine. I can edit and save changes fine from a Windows 7 machine. The domain controllers are running Windows 2012 Standard upgraded from Windows 2008 R2. Is there a security setting I am missing?
Posting the resolution from the other thread. Hope it helps!
I just accidentally resolved this issue today. I added the GPMC to a 2008 R2 server so I could make a needed firewall change within the Windows Firewall with Advanced Security section of the Default Domain Controllers GPO (I enabled the Remote Event Log management rule for the Domain profile). About an hour later, I forgot I was using my Windows 8 machine and I went to edit the Default Domain Controllers GPO and opened for edit without a problem. I can now edit it from Windows 8 and from Windows Server 2012. Until now, I was using a Windows 7 VM to make the edits, so in my case the problem was resolved by editing the GPO once from a 2008 R2 machine.
Similar Messages
-
Unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine
I am unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine. The error message I receive is:
"Failed to open the group policy object. You might not have the appropriate rights. Details: The volume for a file has been externally altered so that the open file is no longer valid."
The domain controllers are running Windows 2012 R2 upgraded from Windows 2008 R2, the domain functional level is Server 2012.
I am able to edit the policy from both a Windows 7 and Server 2008 R2 machine.
The following post is identical however the fix for them does not work for me:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/2d968a05-2cff-4dd0-9c5d-dd810d1fa66f/cant-edit-default-domain-controllers-policy-on-windows-8-or-server-2012
Any ideas?
MuhammadUmar
Yes, the Unique ID is available on 2012 server
Lany Zhang
This only affects the default domain controllers policy object
Another user added to admins and tested has no effect
It is the same on another server
DCDiag passes all tests
Thanks for all your help so far -
Windows 2012 R2 default domain controllers policy set to enforced
Hi Guys,
So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running ok. Had a few problems relating to orphaned DC's but have cleared this up now. However, I'm now trying to get to grips with using group policy. When I migrated, the old policy settings seemed to have come across and things seem to be still locked down ok, in relation to certain OUs. I run a network at our local college so I have a student container which applies a lock-down policy. All these GPOs were previously setup by someone else.
I setup a test network at home before I did the said migration and am now comparing some group policy settings, namely the default ones, and I have noticed that default domain controllers policy has been set to enforced on my newly migrated domain. At home on my test server I see it is not enforced by default and am wondering why this is? I have been reading up but I can't find anything that tells me it should be enforced but wary to disable this setting. The students return on Monday so I don't want to mess it up at this stage.
One thing that I did find odd is when I first opened up the GPO's, I was prompted with a message which stated that the policies in the sysvol folder were not consistent with the ones in AD so I followed its recommendation to update.
Any advice you guys have on this would be greatly appreciated.
David
> So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
> and so far everything is running ok.
This does NOT touch any GPOs, so your GPOs are not "migrated" or
something like that - they are still what they were before.
> enforced on my newly migrated domain. At home on my test server i see it
> is not enforced by default and am wondering why this is?
"A severe misunderstanding of how group policy inheritance and link order
works" is the closest reason I see for this. The DDCP is linked to
"Domain Controllers", and as long as you do not create subordinate OUs
there (which I've never seen) and block inheritance on them, there's no
reason to enforce.
To add my experience from the field: When I see enforced GPOs, in most
cases this enforcement is not required. People simply use it because
they do not understand "link order".
> One thing that i did find odd is when i first opened up the GPO's, i was
> prompted with a message which stated that the policies in the sysvol
> folder where not consistent with the ones in AD so i followed its
> recommendation to update.
That's fairly ok and nothing to hassle about.
Martin -
Restore Default Domain Controllers Policy in its original state
Hello,
Our domain has 2003 DCs. For some reason, someone has unlinked Default Domain Controllers Policy from Domain Controllers OU and also modified it extensively.
Domain Controllers OU has a GPO with basically same settings as DDCP but it has also been heavily modified.
I'm in the process of upgrading our domain to 2012 level and would like to sort out DDCP before doing so.
What would be the best course of action to restore DDCP in its place? I was planning to match all settings between custom GPO and currently unlinked DDCP and then disable custom GPO and enable DDCP. But sincerely I'm not sure what would be the best way to go.
Hi,
Any update?
Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
Best Regards,
Andy Qi -
Reboot domain controller changes audit policy on Default Domain Controller Policy
This has been happening for a long time no matter whether my DCs were running Windows Server 2003 or, as they are now, are running Windows Server 2012 R2. It happens on DCs in one particular site, but the policy change it causes is domain-wide.
I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
Default Domain Controllers Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Audit Policy.
I have monitoring application relying on this policy being turned on, and if it's off, it's being reported. The monitoring application knows the change, but it doesn't know how the change was made.
All my DCs are running Windows Server 2012 R2, DFL 2008 R2.
Thanks and regards.
Hi,
>>I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
Did we try to run command gpresult /h report.html with admin privileges to collect group policy result report to check how the policy setting was applied after rebooting? Besides, we can also try to run command auditpol /get /category:* from an elevated command prompt to check what audit settings are applied.
Best regards,
Frank Shen -
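As an added example (not part of the original thread), one way to collect the evidence this reply asks for is to save the CSV form of the auditpol report before and after the reboot and diff the two. The function name, file paths and sample rows are constructed for illustration, and the GUIDs are placeholders.

```powershell
# Added example: diff two auditpol CSV snapshots to see which subcategories
# changed across a DC reboot. Take each snapshot from an elevated prompt:
#   auditpol /get /category:* /r | Set-Content C:\Temp\audit-before.csv
function Compare-AuditSnapshot {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Before,
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$After
    )

    # Drop blank lines, if any, before handing the report to the CSV parser.
    $parse = { param($lines) $lines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv }

    # Index the earlier snapshot by subcategory name.
    $old = @{}
    foreach ($row in (& $parse $Before)) {
        $old[$row.Subcategory] = $row.'Inclusion Setting'
    }

    # Emit one object per subcategory whose setting differs after the reboot.
    foreach ($row in (& $parse $After)) {
        $was = $old[$row.Subcategory]
        if ($was -ne $row.'Inclusion Setting') {
            [pscustomobject]@{
                Machine     = $row.'Machine Name'
                Subcategory = $row.Subcategory
                Before      = $was
                After       = $row.'Inclusion Setting'
            }
        }
    }
}

# Constructed sample data in the column layout of "auditpol /get /category:* /r".
$before = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,
DC01,System,Directory Service Access,{00000000-0000-0000-0000-000000000002},Success and Failure,
DC01,System,Computer Account Management,{00000000-0000-0000-0000-000000000003},Success,
'@ -split '\r?\n'

$after = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Logon,{00000000-0000-0000-0000-000000000001},No Auditing,
DC01,System,Directory Service Access,{00000000-0000-0000-0000-000000000002},No Auditing,
DC01,System,Computer Account Management,{00000000-0000-0000-0000-000000000003},Success,
'@ -split '\r?\n'

Compare-AuditSnapshot -Before $before -After $after | Format-Table -AutoSize

# Live use with saved snapshots:
#   Compare-AuditSnapshot -Before (Get-Content C:\Temp\audit-before.csv) `
#                         -After  (Get-Content C:\Temp\audit-after.csv)
```

Comparing the diff with the gpresult report from the same boot shows whether the new values match what the winning GPO delivers or were set outside Group Policy.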
Hello,
In my new company, I noticed that the default domain controllers policy has been (largely) modified.
I thought it was a best practice to keep it clean (In case of restore).
So I would like to create a new GPOs for my DCs to move some of those settings out of the default domain policy.
For example, "Add workstations to domain". If I want to create a new policy for this particular setting, what kind of rules am I supposed to follow to make sure that my new setting will be applied before the default DC policy ?
Is the GPO Link order enough ?
Thank you
Hi,
Just a confirmation, did you mean that you want to overwrite some settings in the Default Domain Controllers Policy?
Within each domain, site, and OU, the Link Order controls the order in which GPOs are applied. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest Link Order is processed last, and therefore has the highest precedence. Since Default Domain Controllers Policy is linked to the Domain Controllers organizational unit, you can create a new GPO and link it to this Domain Controllers organizational unit, then control their order via Link Order.
If anything I misunderstand or any update, please feel free to let us know.
Hope this helps.
Best regards,
Justin Gu -
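The link-order rule in this reply, combined with the Enforced flag discussed in the earlier thread on this page, can be shown as a small ranking function. This is an added example, not code from either thread; the function name, the second GPO's name and the example.com OU path are hypothetical, and the input objects only mimic the GpoLinks property returned by Get-GPInheritance.

```powershell
# Added example: rank the GPO links on ONE container by precedence.
# Input objects need DisplayName, Order, Enabled and Enforced, which is the
# shape of (Get-GPInheritance -Target <OU DN>).GpoLinks in the GroupPolicy module.
function Get-LinkPrecedence {
    param([Parameter(Mandatory)][object[]]$GpoLinks)

    $GpoLinks |
        Where-Object { $_.Enabled } |
        # Enforced links outrank non-enforced links. Inside each group the
        # lowest Order is processed last and therefore wins.
        Sort-Object -Property @{ Expression = { [bool]$_.Enforced }; Descending = $true },
                              @{ Expression = { [int]$_.Order };     Descending = $false } |
        ForEach-Object -Begin { $rank = 0 } -Process {
            $rank++
            [pscustomobject]@{
                Precedence  = $rank          # 1 = wins on conflicting settings
                DisplayName = $_.DisplayName
                LinkOrder   = $_.Order
                Enforced    = [bool]$_.Enforced
            }
        }
}

# Constructed sample 1: a new GPO linked above the DDCP (link order 1).
$links = @(
    [pscustomobject]@{ DisplayName = 'Default Domain Controllers Policy'
                       Order = 2; Enabled = $true; Enforced = $false }
    [pscustomobject]@{ DisplayName = 'DC User Rights (hypothetical)'
                       Order = 1; Enabled = $true; Enforced = $false }
)
Get-LinkPrecedence -GpoLinks $links | Format-Table -AutoSize
# The hypothetical GPO ranks first, so its "Add workstations to domain" value wins.

# Constructed sample 2: same links, but the DDCP link is set to Enforced.
$links[0].Enforced = $true
Get-LinkPrecedence -GpoLinks $links | Format-Table -AutoSize
# The DDCP now ranks first despite its higher link order number.

# Live use on a domain-joined machine with the GroupPolicy module installed:
#   $ou = 'OU=Domain Controllers,DC=example,DC=com'   # placeholder domain
#   Get-LinkPrecedence -GpoLinks (Get-GPInheritance -Target $ou).GpoLinks
```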
Default Domain Controller Policy
Hello All,
We will be starting promotion of Windows Server 2012 R2 Domain Controller in our organisation. For that we are trying to implement the Default Domain Controller Policy for 2012 r2 related.
We already have Account Policies, Password policy, Audit Policy and Security Option Firewall Settings
But would like your advice about any new features which we can applied in our Default Domain Controller policy.
Thanks.
Thanks HA
Hi,
>>But would like your advice about any new features which we can applied in our Default Domain Controller policy.
Regarding this point, the following articles can be referred to as reference.
Chapter 4: Strengthening Domain and Domain Controller Policy Settings
https://technet.microsoft.com/en-us/library/cc773205(v=ws.10).aspx
Applying Selected Domain and Domain Controller Policy Settings
https://technet.microsoft.com/en-us/library/cc773164(v=ws.10).aspx
Best regards,
Frank Shen -
Default domain controller policy audit
If I enable auditing in default domain controller policy, I see event only from all domain controller or see event from all workstation in domain, or I should create new audit GPO and then linked it to workstation OU?
If I enable auditing in default domain controller policy, I see event only from all domain controller or
see event from all workstation in domain
---NO you won't see workstations, only if editing the default domain policy, as described prior best practice would be to create a new GPO with a great name that you won't mix up such as "workstation audit GPO" and link to the site, domain or OU you require.
It's not great practise IMO adding loads of stuff to default domain policy when you want to troubleshoot best to segregate GPOs with great easy to interpret names for brevity -
How can I edit default XML in Portal?
How can I edit default XML in Portal?
I want make some change on Discussion.xml, but I can't find it and I want to edit it, what should I do?
Thank you very much for your Help!
Best Regards!
Han
all the .XML files will be available in the following path
project(folder)->dist(folder)->portal-inf(folder)
in NetWeaver developer studio.
to edit double click on the xml file and select the source tab in the bottom,you can view and edit the source. -
Unable to edit Default Domain policy on Server 2012 R2 domain controller
Hello,
I recently built a Server 2012 R2 domain controller and added it to my domain. When trying to edit the default domain policy I get the following error:
I can make edits to other GPO objects. All the other domain controllers are Server 2008 and are able to edit that GPO. The issue is on the Server 2012 box only. I've checked the delegated permissions, I'm a domain admin, and have opened
GPMC as administrator. Does anyone know what I'm missing? Thank you for your time.
Tino
Hi Tino,
>>Could that be the problem?
I don't think so, for we can still use FRS to replicate Sysvol. However, it is recommended that we use DFSR to replicate Sysvol if our domain function level is Windows Server 2008 or above.
Besides, we can follow the suggestions from the following thread to check out which replication mechanism we are using.
DFS-R on 2008 R2 by default?
http://social.technet.microsoft.com/Forums/windowsserver/en-US/8f2042d3-193d-4414-b9da-cbcedc6a4c32/dfsr-on-2008-r2-by-default?forum=winserverDS
If the Sysvol is replicated by FRS mechanism, as I suggested in the last reply, we can do a non-authoritative restore for the Sysvol on the new Windows Server 2012. This will restore the Sysvol from a healthy DC.
To perform a nonauthoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:
1. Click Start, and then click Run.
2. In the Open box, type cmd and then press ENTER.
3. In the Command box, type net stop ntfrs.
4. Click Start, and then click Run.
5. In the Open box, type regedit and then press ENTER.
6. Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
7. In the right pane, double-click BurFlags.
8. In the Edit DWORD Value dialog box, type D2 and then click OK.
9. Quit Registry Editor, and then switch to the Command box.
10. In the Command box, type net start ntfrs.
11. Quit the Command box.
Hope it helps.
Best regards,
Frank Shen -
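The eleven manual steps above can be scripted. The following is an added example, not part of the original reply; the function name and the polling timeout are assumptions, and the use of event 13516 as the completion signal is general FRS behaviour that the thread does not mention. It applies only when SYSVOL is still replicated by FRS, as the reply states.

```powershell
#Requires -RunAsAdministrator
# Added example: the BurFlags = D2 (non-authoritative) FRS restore as a script.
# Run it on the DC whose SYSVOL copy should be rebuilt from a healthy partner.
function Invoke-FrsNonAuthoritativeRestore {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [int]$WaitMinutes = 15   # assumption: how long to poll for completion
    )

    # "Backup/Restore" contains a forward slash, which the HKLM:\ provider
    # parses as a path separator. The .NET registry API takes the name literally.
    $subKey = 'System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

    $null = Get-Service -Name ntfrs -ErrorAction Stop   # fail early if FRS is absent

    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
    if (-not $key) { throw "Registry key not found: HKLM\$subKey" }

    try {
        Write-Verbose ('BurFlags before: {0}' -f $key.GetValue('BurFlags'))
        $action = 'Stop ntfrs, set BurFlags to 0xD2, start ntfrs'
        if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) { return }

        $started = Get-Date
        Stop-Service -Name ntfrs -Force                       # step 3
        $key.SetValue('BurFlags', 0xD2,
            [Microsoft.Win32.RegistryValueKind]::DWord)       # steps 6 to 8
        Start-Service -Name ntfrs                             # step 10
    }
    finally {
        $key.Close()
    }

    # FRS logs event 13516 once SYSVOL is initialized and shared again
    # (general FRS behaviour, not stated in the thread). Poll for it.
    $filter = @{ LogName = 'File Replication Service'; Id = 13516; StartTime = $started }
    $deadline = $started.AddMinutes($WaitMinutes)
    do {
        $done = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($done) { return $done }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)

    Write-Warning "No event 13516 within $WaitMinutes minutes; check the File Replication Service log."
}

# Dry run first, then the real change:
#   Invoke-FrsNonAuthoritativeRestore -WhatIf
#   Invoke-FrsNonAuthoritativeRestore -Verbose
```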
Our environment has both 2008R2 and 2012R2 Domain Controllers. Recently one of our Domain Admins started having problems logging onto all servers by remote desktop except for domain controllers. The error message is as follows:
"To log on to this remote computer, you must be granted the Allow log on through Terminal Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually"
All the other Domain Admin Accounts do not have this problem. Suggested solutions recommend checking local policies on the individual servers however I feel that is not right. Also there are many servers hence doing that in each member server would be cumbersome. There must be solution that requires a single action for all servers and also does not involve creating a new account. The account was recently used to implement a Windows 2012R2 WSUS server and besides the DC's, it is the only other server the account can remote into. This is strange. Help please.
Hi,
Does that user have permission for remoting before?
To start with, there are two types of user rights; Logon rights & Privileges. In simpler terms these are:
1) Remote Logon: rights to machine
2) Logon: privileges for access to the RDP-TCP Listener
The Remote Logon is governed by the “Allow Logon through Terminal Services” group policy. This is under
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
Also check RDP-TCP listener properties. More information.
“Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group.
http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
Hope it helps!
Thanks.
Dharmesh Solanki -
How can i edit the domain name ?
Hello,
I tried to register my first website through business catalyst. The domain name I took was www.wildixel.com. But, when I am trying to open the website it opens another website with the same name. I guess it was already taken. Now I want to edit the domain name. Please let me know how I can.
Thanks
Hi there,
Could you please explain more what you are trying to do and have done?
You can not purchase a domain name through Business Catalyst so you would have not obtained a domain you listed there. You have to buy it from a domain registrar.
If you have just entered a domain into the domain manager of your website but have not purchased the domain, this will not work. You have to obtain the domain first.
If you have got your domain, have you gone into the domain settings of BC and added the domain in? Have you gone to the domain registrar and changed either the A-record or the NS records to point to your BC site? -
Can't copy and paste files using RDP session in server 2012
I'm running windows 8, but I have also verified on a windows 7 machine as well. We have server 2012 installed on a machine I use remote desktop to get into. I cannot copy files from my local pc and use paste to get them to the server. I could do this with server 2008. Is there some setting I have to change or does this not work with server 2012?
FYI, clipboard is checked when I open my remote desktop connection window. If I connect into a win server 2008 r2 machine from the same local machine, I can copy and paste files just fine.
- Michael
Hi,
I believe RDS clipboard redirection should be enabled by default also on Windows Server 2012. Is there perhaps a Group Policy Object active that is configured to disable Clipboard Redirection? Either on the computer or the user OU. If not:
You did not explicitly state this, but I'm assuming that you are running in Application Mode (meaning you did not install the RD Session Host role)? If so please check the registry on the Windows Server 2012 destination server and look for:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fDisableClip
This should be set to 0, to allow Clipboard Redirection.
Also check the key below:
HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Addins\Clip Redirector
This should have:
Name    REG_SZ       RDPClip
Type    REG_DWORD    0x00000003
If you did run the RD Session Host role, and you have done so using a Scenario Based Deployment (Scenario Based Deployment of RDS in Windows Server 2012) you will have a Remote Desktop Management Service GUI available as part of the Server Manager with which you can enable or disable Clipboard Redirection from within a GUI on a Session Collection level, or you can use PowerShell:
Using Powershell to install, configure and maintain RDS in Windows Server 2012
Kind regards,
Freek Berson -
How can I know if my CAL license is valid for server 2012
Hi everyone,
I have a domain where all the servers are Windows Server 2008R2. Due to certain programs that are about to enter the organization I have to deploy several new servers that will run server 2012R2 and possibly upgrade a few existing ones to 2012R2 as well.
That is however not the problem.
I recently found out the remote desktop servers that run the RD licensing role don't serve windows server 2012, but if I deploy a new RDS with server 2012 R2 it can serve both my old 2008 R2 servers and my new 2012 R2 servers. First I'd like to know if it's correct and if any of you have tried that in the past. Further, I need to know if the CAL license that's installed on my 2008 R2 server is valid for 2012R2 servers as well, is there a way to find that out?
Hoping for a quick response.
Hi David,
You are correct, a 2012 R2 server can license your 2008 R2 servers, but your 2008 R2 CALs will not work to license connections to 2012 R2. A good wiki here...
http://social.technet.microsoft.com/wiki/contents/articles/14988.rds-and-ts-cal-interoperability-matrix.aspx
Hope this helps! -
Trex can't be updated to higher levels on windows 2003 server 64 bit
Hi gurus,
We have a portal system (EP 7.0 SP18) and a Trex 7.0 server which are
working on windows 2003 server 64 bit on the same server.
After upgrading our portal system from sp15 to sp18, we can not see
indexes on Index Administration screen. When we tried to create the
indexes from the beginning, we faced the message "An index with the samename already exists."
We thought that the level of the Trex server(25) is low which may cause
this problem and decided to update the Trex server to level 46. We
downloaded "TREX70_46-20001842.SAR TREX 7.0 REV 46" from
service.sap.com and tried to update Trex server according to
NW70_SPSTACK_GUIDE_SPS18.pdf. During the installation a warning
message "You started an installation of sofware for platform
i386, but SAPinst is running on platform AMD64" was given. When we
continued the installation, an error message
was shown in a message box."Running msiexec.exe failed with return code
1603:Fatal error during installation. Commandline was
msiexec.exe/norestart/L sapmmcx86u.log/i sapmmcx86u.msi/qn" I searched
the sapmmcx86u.log and the error message says that this installation
package is not for windows
2003 server 64 bit.
"This installation does not support 64 Bit Windows Operating systems.
Please use the corresponding 64 Bit installation package.
Action ended 8:26:08: LaunchConditions. Return value 3.
Action ended 8:26:08: INSTALL. Return value 3.
MSI (s) (10:84) [08:26:08:578]: Product: SAP MMC SnapIn -- Installation
failed."
We searched in OSS notes and found the note "Note 1021003 - TREX 7.00 -
Update Windows 2003 64-Bit installed from DVD"
.We did the things in the note but unfortunately nothing changed.
We tried the install revision 45,44 etc but we got the same warning and
error messages.
Any suggestions?
Edited by: Tolga Akinci on Apr 30, 2009 3:08 PM
Hi Tolga,
You face with this error, because of Trex installation package is trying to install native i386 redistributables (vcredist_x86.msi) during the process. In order to patch Trex system on x64 architecture, follow the instructions, below;
1) Start sapinst, under your <TREX_PATCH> path
2) Ignore AMD64 warning popup
3) When popup appears on the "1603:Fatal error during installation." error, change temp folders on both environment variables, on my computer
4) Download and execute "vcredist_x64.exe" then run installer
5) After respective installation click on "Retry" button on error popup
At the end of this operation, your Trex patch will be succeeded. Please do not forget to undo your temp directory settings, on your Trex host. I hope that it is clarify your question.
Best regards,
Orkun Gedik
Senior SAP Development And Basis Consultant