Can't edit default domain controllers policy on windows 8 or server 2012

I have found that I can't edit the "Default Domain Controllers Policy" from a Windows 8 or Server 2012 machine.  I can edit and save changes fine from a Windows 7 machine.  The domain controllers are running Windows 2012 Standard upgraded
from Windows 2008 R2.  Is there a security setting I am missing?

Posting the resolution from the other thread.  Hope it helps!
I just accidentally resolved this issue today.  I added the GPMC to a 2008 R2 server so I could make a needed firewall
change within the Windows Firewall with Advanced Security section of the Default Domain Controllers GPO (I enabled the Remote Event Log management rule for the Domain profile).  About an hour later, I forgot I was using my Windows 8 machine and I went
to edit the Default Domain Controllers GPO and opened for edit without a problem.  I can now edit it from Windows 8 and from Windows Server 2012.  Until now, I was using a Windows 7 VM to make the edits, so in my case the problem was resolved by
editing the GPO once from a 2008 R2 machine.

Similar Messages

  • Unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine

    I am unable to edit the "Default Domain Controllers Policy" from a Server 2012 machine. The error message i recieve is:
    "Failed to open the group policy object.  You might not have the appropriate rights.  Details: The volume for a file has been externally altered so that the open file is no longer valid."
    The domain controllers are running Windows 2012 R2 upgraded from Windows 2008 R2, the domain functional level is Server 2012.
    I am able to edit the policy from both a Windows 7 and Server 2008 R2 machine.
    The following post is identical however the fix for them does not work for me:
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/2d968a05-2cff-4dd0-9c5d-dd810d1fa66f/cant-edit-default-domain-controllers-policy-on-windows-8-or-server-2012
    Any ideas?

    MuhammadUmar
    Yes, the Unique ID is available on 2012 server
    Lany Zhang
    This only affects the default domain controllers policy object
    Another user added to amins and tested has no effect
    It is the same on another server
    DCDiag passes all tests
    Thanks for all your help so far

  • Windows 2012 R2 default domain controllers policy set to enforced

    Hi Guys,
    So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running ok. Had a few problems relating to orphaned DC's but have cleared this up now. However, i'm now trying to get to grips with using group policy. When
    i migrated, the old policy settings seemed to have come across and things seem to be still locked down ok, in relation to certain OUs. I run a network at our local college so i have a student container which applies a lock-down policy. All these GPOs where
    previously setup by someone else.
    I setup a test network at home before i did the said migration and am now comparing some group policy settings, namely the default ones, and i have noticed that default domain controllers policy has been set to enforced on my newly migrated domain. At home
    on my test server i see it is not enforced by default and am wondering why this is? I have been reading up but i can't find anything that tells me it should be enforced but wary to disable this setting. The students return on Monday so i don't want to mess
    it up at this stage.
    One thing that i did find odd is when i first opened up the GPO's, i was prompted with a message which stated that the policies in the sysvol folder where not consistent with the ones in AD so i followed its recommendation to update.
    Any advise you guys have on this would be greatly appreciated.
    David

    > So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
    > and so far everything is running ok.
    This does NOT touch any GPOs, so your GPOs are not "migrated" or
    something like that - they are still what they were before.
    > enforced on my newly migrated domain. At home on my test server i see it
    > is not enforced by default and am wondering why this is?
    "A sever misunderstanding of how group policy inheritance and link order
    works" is the closest reason I see for this. The DDCP is linked to
    "Domain Controllers", and as long as you do not create subordinate OUs
    there (which I've never seen) and block inheritance on them, there's no
    reason to enforce.
    To add my experience from the field: When I see enforced GPOs, in most
    cases this enforcement is not required. People simply use it because
    they do not understand "link order".
    > One thing that i did find odd is when i first opened up the GPO's, i was
    > prompted with a message which stated that the policies in the sysvol
    > folder where not consistent with the ones in AD so i followed its
    > recommendation to update.
    That's fairly ok and nothing to hassle about.
    Martin
    Mal ein
    GUTES Buch über GPOs lesen?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Restore Default Domain Controllers Policy in its original state

    Hello,
    Our domain has 2003 DCs. For some reason, someone has unlinked Default Domain Controllers Policy from Domain Controllers OU and also modified it extensively.
    Domain Controllers OU has a GPO with basically same settings as DDCP but it has also been heavily modified.
    I'm in the process of upgrading our domain to 2012 level and would like to sort out DDCP before doing so.
    What would be the best course of action to restore DDCP in its place? I was planning to match all settings between custom GPO and currently unlinked DDCP and then disable custom GPO and enable DDCP. But sincerily I'm not sure what would be the best way to
    go.

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi
    TechNet Subscriber Support
    If you are
    TechNet Subscription user and have any feedback on our support quality, please send your feedback
    here.
    Andy Qi
    TechNet Community Support

  • Reboot domain controller changes audit policy on Default Domain Controller Policy

    This has been happening for a long time no matter whether my DCs were running Windows Server 2003 or, as they are now, are running Windows Server 2012 R2. It happens on DCs in one particular site, but the policy change it causes is domain-wide.
    I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
    Default Domain Controllers Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Audit Policy.
    I have monitoring application relying on this policy being turned on, and if it's off, it's being reported. The monitoring application knows the change, but it doesn't know how the change was made.
    All my DCs are running Windows Server 2012 R2, DFL 2008 R2.
    Thanks and regards.

    Hi,
    >>I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
    Did we try to run command gpresult/h report.html with admin privileges to collect group policy result report to check how the policy setting was  applied after rebooting?  Besides, we can also try to run command
    auditpol /get / category:* from an elevated command prompt to check what audit settings are applied.
    Best regards,
    Frank Shen
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Default domain Group Policy

    Hello,
    In my new company, I noticed that the default domain controllers policy has been (largely) modified.
    I thought it was a best practice to keep it clean (In case of restore).
    So I would like to create a new GPOs for my DCs to move some of those settings out of the default domain policy.
    For example, "Add workstations to domain". If I want to create a new policy for this particular setting, what kind of rules am I supposed to follow to make sure that my new setting will be applied before the default DC policy ?
    Is the GPO Link order enough ?
    Thank you

    Hi,
    Just a confirmation, did you mean that want to overwrite some settings in the
    Default Domain Controllers Policy?
    Within each domain, site, and OU, the
    Link Order controls the order in which GPOs are applied. If several GPOs are linked to an organizational unit, their processing is in the order that is specified by the administrator, on the
    Linked Group Policy Objects tab for the organizational unit in GPMC. The GPO with the lowest
    Link Order is processed last, and therefore has the highest precedence. Since Default Domain Controllers Policy is linked to the Domain Controllers organizational unit, you can create a new GPO and link it to this Domain Controllers organizational
    unit, then control thier order of them via Link Order.
    If anything I misunderstand or any update, please feel free to let us know.
    Hope this helps.
    Best regards,
    Justin Gu

  • Default Domain Controller Policy

    Hello All,
    We will be starting promotion of Windows Server 2012 R2 Domain Controller in our organisation. For that we are trying to implement the Default Domain Controller Policy for 2012 r2 related.
    We already have Account Policies, Password policy, Audit Policy and Security Option Firewall Settings
    But would like your advice about any new features which we can applied in our Default Domain Controller
    policy.
    Thanks.
    Thanks HA

    Hi,
    >>But would like your advice about any new features which we can applied in our Default Domain
    Controller policy.
    Regarding this point, the following articles can be referred to as reference.
    Chapter 4: Strengthening Domain and Domain Controller Policy Settings
    https://technet.microsoft.com/en-us/library/cc773205(v=ws.10).aspx
    Applying Selected Domain and Domain Controller Policy Settings
    https://technet.microsoft.com/en-us/library/cc773164(v=ws.10).aspx
    Best regards,
    Frank Shen
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Default domain controller policy audit

    If I enable auditing in default domain controller policy, I see event only from all domain controller or see event from all workstation in domain, or I should create new audit GPO and then linked it to workstation UO?

    If I enable auditing in default domain controller policy, I see event only from all domain controller or see event from all workstation in domain, or I should create new audit GPO and then linked it to workstation UO?
    If I enable auditing in default domain controller policy, I see event only from all domain controller or
    see event from all workstation in domain
    ---NO you wont see workstations, only if editing the default domain policy, as described prior best practice would be to create a new GPO with a great name that you
    wont mix up such as "workstation audit GPO" and link to the site, domain or OU you require.
    Its not great practise IMO adding loads of stuff to default domain policy when you want to troubleshoot best to segregate GPOS with great easy to
    interpret names for brevity 

  • How can i edit default XML in Poratl?

    How can i edit default XML in Poratl?
    I want make some change on Discussion.xml,but i can't find it and  i  want Edit it, what should i do?
    Thank you very much for your Help!
    Best Regards!
    Han

    all the .XML files will be available in the following path
    project(folder)->dist(folder)->portal-inf(folder)
    in NetWeaver developer studio.
    to edit double click on the xml file and select the source tab in the bottom,you can view and edit the source.

  • Unable to edit Default Domain policy on Server 2012 R2 domain controller

    Hello,
    I recently built a Server 2012 R2 domain controller and added it to my domain.  When trying to edit the default domain policy I get the following error:
    I can make edits to other GPO objects.  All the other domain controllers are Server 2008 and are able to edit that GPO.  The issue is on the Server 2012 box only.  I've checked the delegated permissions, I'm a domain admin, and have opened
    GPMC as administrator.  Does anyone know what I'm missing?  Thank you for your time.
    Tino

    Hi Tino,
    >>Could that be the problem?
    I don't think so, for we can still use FRS to replicate Sysvol. However, it is recommended that we use DFSR to replicate Sysvol if our domain
    function level is Windows Server 2008 or above.
    Besides, we can follow the suggestions from the following thread to check out which replication mechanism we are using.
    DFS-R on 2008 R2 by default?
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/8f2042d3-193d-4414-b9da-cbcedc6a4c32/dfsr-on-2008-r2-by-default?forum=winserverDS
    If the Sysvol is replicated by FRS mechanism, as I suggested in the last reply, we can do a non-authoritative restore for the Sysvol on the new Windows
    Server 2012. This will restore the Sysvol from a healthy DC.
    To perform a nonauthoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service. To do so:
    1. Click Start, and then click Run.
    2. In the Open box, type cmd and then press ENTER.
    3. In the Command box, type net stop ntfrs.
    4. Click Start, and then click Run.
    5. In the Open box, type regedit and then press ENTER.
    6. Locate the following subkey in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
    7. In the right pane, double-click BurFlags.
    8. In the Edit DWORD Value dialog box, type D2 and then click OK.
    9. Quit Registry Editor, and then switch to the Command box.
    10. In the Command box, type net start ntfrs.
    11. Quit the Command box.
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
    Hope it helps.
    Best regards,
    Frank Shen

  • Domain Admin Account cannot logon to member servers by remote. It can only logon to Domain Controllers

    Our environment has both 2008R2 and 2012R2 Domain Controllers. Recently one of our Domain Admins started having problems logging onto all servers by remote desktop except for domain controllers. The error message is as follows:
    "To log on to this remote computer, you must be granted the Allow log on through Terminal
    Services right. By default, members of the Remote Desktop Users group have this right. If you are not a member of the Remote
    Desktop Users group or another group that has this right, or if the Remote Desktop Users group does not have this right, you must be granted this right manually"
    All the other Domain Admin Accounts do not have this problem. Suggested solutions recommend checking local policies on the individual servers however I feel that is not
    right. Also there many servers hence doing that in each member server would be cumbersome. There must be solution that requires a single action for all servers and also does not  involve creating a new account. The account was recently used to implement
    a Windows 2012R2 WSUS server and besides the DC's, it is the only other server the account can remote into. This is strange. Help please.

    Hi,
    Does that user has permission for remoting before?
    To start with, there are two types of user rights; Logon rights & Privileges. In simpler terms these are: 
    1) Remote Logon: rights to machine
    2) Logon: privileges for access to the RDP-TCP Listener
    The Remote Logon is governed by the “Allow Logon through Terminal Services” group policy. This is under
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
    Also check RDP-TCP listener properties. More information.
    “Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group.
    http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • How can i edit the domain name ?

    Hello,
    I tried to register my first website through business catalyst.The domain name i took was www.wildixel.com . But, when i am trying to open the website it open other website with the same name. I guess it was already taken. Now i want to edit the domain name. Please let me know how can i.
    Thanks

    Hi there,
    Could you please explain more what you are trying to do and have done?
    You can not purchase a domain name through Business Catalyst so you would have not obtained a domain you listed there. You have to by it from a domain registra.
    If you have just entered a domain into the domain manager of your website but have not purchased the domain, this will not work. You have to obtain the domain first.
    If you have got your domain, have you gone into the domain settings of BC and added the domain in? Have you gone to the domain registra and changed either the A-record or the NS records to point to your BC site?

  • Can't copy and paste files using RDP session in server 2012

    I'm running windows 8, but I have also verified on a windows 7 machine as well. We have server 2012 installed on a machine
    I use remote desktop to get into. I cannot copy files from my local pc and use paste to get them to the server. I could do this with server 2008. Is there some setting I have to change or does this not work with server 2012?
    FYI, clipboard is checked when I open my remote desktop connection window. If I connect into a win server 2008 r2 machine from the same local machine, I can copy and paste files
    just fine.
    - Michael

    Hi,
    I believe RDS clipboard redirection should be enabled by default also on Windows Server 2012. Is there perhaps is a Group Policy Object active that is configured to disable Clip Board Redirection? Either on the computer or the user OU. If not:
    You did not explicitly state this, but I'm assuming that you are running in Application Mode (meaning you did not install the RD Session Host role) ? If so please check the registry on the Windows Server 2012 destination server and look for:
    HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-Tcp\fDisableClip
    this should be set to
    0, to make allow Clipboard Redirection
    Also check the key below:
    HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Addins\Clip Redirector
    This should have: 
    Name
    REG_SZRDPClip
    Type
    REG_DWORD0x00000003
    If you did run the RD Session Host role, and you have done so using a Scenario Based Deployment (Scenario
    Based Deployment of RDS in Windows Server 2012 ) you will have a Remote Desktop Management Service GUI available as pat of the Server Manager with which you can enable or disable ClipBoard Redirection from within a GUI on a Session Collection level
    or you can use PowerShell
    Using Powershell to install, configure and maintain RDS in Windows Server 2012
    Kind regards,
    Freek Berson
    The Microsoft Platform
    Twitter
    Linked-in
    Wortell company website

  • How can I know if my CAL license is valid for server 2012

    Hi everyone, 
    I have a domain where all the server are  Windows Server 2008R2, Due to certain progams that are about to enter the organization I have to deploy several new servers that will run server 2012R2 and possibly upgrade a few existing ones to 2012R2 as well.
    That is however not the problem.
    I recently found out the remote desktop servers that run the RD licensing role, Don't serve windows server 2012, but if I deploy a new RDS with server 2012 R2 it can serve both my old 2008 R2 servers and my new 2012 R2 servers. First I'd like to know if
    it's correct and if any of you have tried that in the past. Furtner, I need to know if the CAL license that's installed on my 2008 R2 server is valid for 2012R2 servers as well, is there a way to find that out?
    Hoping for a quick response.

    Hi David,
    You are correct, a 2012 R2 server can license your 2008 R2 servers, but your 2008 R2 CALs will not work to license connections to 2012 R2. A good wiki here...
    http://social.technet.microsoft.com/wiki/contents/articles/14988.rds-and-ts-cal-interoperability-matrix.aspx
    Hope this helps!

  • Trex can't be updated to higher levels on windows 2003 server 64 bit

    Hi gurus,
    We have a portal system (EP 7.0 SP18) and a Trex 7.0 server which are
    working on windows 2003 server 64 bit on the same server.
    After upgrading our portal system from sp15 to sp18, we can not see
    indexes on Index Administration screen. When we tried to create the
    indexes from the beginning, we faced the message "An index with the samename already exists."
    We thought that the level of the Trex server(25) is low which may cause
    this problem and decided to update the Trex server to level 46. We
    downloaded "TREX70_46-20001842.SAR TREX 7.0 REV 46" from
    service.sap.com and tried to update Trex server according to
    NW70_SPSTACK_GUIDE_SPS18.pdf.During the installation a warning
    message "You started an installation of sofware for platform
    i386, but SAPinst is running on platform AMD64" was given. When we
    continued the installation, an error message
    was shown in a message box."Running msiexec.exe failed with return code
    1603:Fatal error during installation. Commandline was
    msiexec.exe/norestart/L sapmmcx86u.log/i sapmmcx86u.msi/qn" I searched
    the sapmmcx86u.log and the error message says that this installation
    package is not for windows
    2003 server 64 bit.
    "This installation does not support 64 Bit Windows Operating systems.
    Please use the corresponding 64 Bit installation package.
    Action ended 8:26:08: LaunchConditions. Return value 3.
    Action ended 8:26:08: INSTALL. Return value 3.
    MSI (s) (10:84) [08:26:08:578]: Product: SAP MMC SnapIn -- Installation
    failed."
    We searched in OSS notes and found the note "Note 1021003 - TREX 7.00 -
    Update Windows 2003 64-Bit installed from DVD"
    .We did the things in the note but unfortunately nothing changed.
    We tried the install revision 45,44 etc but we got the same warning and
    error messages.
    Any suggestions?
    Edited by: Tolga Akinci on Apr 30, 2009 3:08 PM

    Hi Tolga,
    You face with this error, because of Trex installation package is trying to install native i386 redistributables (vcredist_x86.msi) during the process. In order to patch Trex system on x64 architecture, follow the instructions, below;
    1) Start sapinst, under your <TREX_PATCH> path
    2) Ignore AMD64 warning popup
    3) When popup appears on the "1603:Fatal error during installation." error, change temp folders on both environment variables, on my computer
    4) Download and execute "vcredist_x64.exe" then run installer
    5) After respective installation click on "Retry" button on error popup
    At the end of this operation, your Trex patch will be succeeded. Please do not forget to undo your temp directory settings, on your Trex host. I hope that it is clarify your question.
    Best regards,
    Orkun Gedik
    Senior SAP Development And Basis Consultant

Maybe you are looking for