Re: GPO error no appropriate rights

Hello Dan,

Thank you for posting in the SBS newsgroup.

Also, many thanks for Susan's great input.

According to your description, I understand that you recevied the "Failed
to open group policy object. You may not have appropriate rights." error
message when you try to edit a GPO while logged on as the system admin. If
I have misunderstood your concern, please don't hesitate to let me know.

First of all, please refer to the Brief of the main process to disable the
Windows XP SP2 via GPO to verify your configuration:

1. Install the Windows Small Business Server 2003 Update for Windows XP
SP2. To obtain this update, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyId=D70097C2-4317-40E0-
B7DA-FEB52C6B6386&displaylang=en

2. Install the hotfix that is described in article 842933.

842933 "The following entry in the [strings] section is too long and
has been truncated" error message when you try to modify or to view GPOs in
Windows Server 2003, Windows XP Professional, or Windows 2000
http://support.microsoft.com/?id=842933

3. After you finished the above steps, please refer to the following
steps to disable the Windows XP SP2 firewall.

A. Open the Server Management Console on the SBS Server.

B. Expand Advanced Management, go to Group Policy Management ->
DomainName.local -> Small Business Server Client Computer

C. Right-click the "Small Business Server Client Computer" node and
select Edit

D. On the Group Policy Object Editor page, go to Computer
Configuration -> Administrative Templates -> Network -> Network Connections

E. On the right pane, enable the "Prohibit use of Internet Connection
Firewall on your DNS domain network" option.

4. To update Group Policy on the Windows XP SP2-based client computers,
either restart the client computers or run the gpupdate /force command on
the client computers.


After finished verify the above steps, if the issue persists, it's maybe
related to DNS, WINS, netlogon, please try to perform the following steps:


1. Please check the regedit key configuration on the SBS 2003 Server.

Regedit key = Hkey_Classes_Root/MSCfile\Shell\Open\Command

Key Value = %SystemRoot%\system32\mmc.exe "%1" %*

Regedit key =
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\Sys
volReady

Key Value = 1

2. Please check the DNS and WINS configuration.


If the issue persists, please help me collect the following information for
further troubleshooting:

1. Please open the system Event Viewer on the SBS 2003 Server, and check
whether there are any error messages about this issue, then paste the full
context in your reply.

2. At the SBS Server and one of your workstations, please run "Ipconfig
/all" and copy the content of the output then paste in your reply.


Otherwise, based on my research, there is no GPO method to prevent users
from disabling the ISA Firewall client.

I'm looking forward to your update. If you have any questions or concerns,
please do not hesitate to let me know. I am always happy to be of further
assistance.

Best regards,

Nathan Liu (MSFT)

Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
>Thread-Topic: GPO error no appropriate rights
>thread-index: AcVqkhQObfJIiItzSmC0D+f4VlpHnw==
>X-WBNR-Posting-Host: 198.144.3.30
>From: =?Utf-8?B?RGFuIFNoYWxsYmV0dGVy?=
<DanShallbetter@xxxxxxxxxxxxxxxxxxxxxxxxx>
>References: <D058B966-4A77-4C16-9778-55DBBC124228@xxxxxxxxxxxxx>
<#tT$8shaFHA.3840@xxxxxxxxxxxxxxxxxxxx>
<61F4012E-D9FF-4DFF-A843-FB3027F4CBB9@xxxxxxxxxxxxx>
<eAJd3dkaFHA.2996@xxxxxxxxxxxxxxxxxxxx>
>Subject: Re: GPO error no appropriate rights
>Date: Mon, 6 Jun 2005 05:20:08 -0700
>Lines: 102
>Message-ID: <86EF0572-815A-441D-80D8-641CA14BA660@xxxxxxxxxxxxx>
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="Utf-8"
>Content-Transfer-Encoding: 7bit
>X-Newsreader: Microsoft CDO for Windows 2000
>Content-Class: urn:content-classes:message
>Importance: normal
>Priority: normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Newsgroups: microsoft.public.windows.server.sbs
>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:124769
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
>I am on the server as the admin use. The account belongs to the following
>groups:
>Administrator
>Domain User
>Enterprise Administrator
>Group Policy Creator owner
>Internet Users
>Mobile User
>Schema Administrator
>
>I will re-check the patch. My patch came from a tech-net article that I
>thought was for 2003.
>
>Thanks
>
>Dan
>
>
>"Susan Bradley, CPA aka Ebitz - SBS Rocks" wrote:
>
>> Download details: Update for Windows Server 2003 (KB842933):
>>
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=
532A4CD0-F2CE-4FA7-92AB-AC336AD18409&displaylang=en
>>
>>
>> This patch? That's a 2k3 patch...not sure why you are having an issue
>> with it?
>>
>> Review the group memberships of the built in administrator
>> account...what group memberships do you have?
>>
>> Are you logged into the server? You can just 'unenable' the gpo link.
>>
>> Well one way you can block that is make them restricted uses on the
>> local machine. Maybe I have stupid users, but they never disable the
>> ISA client. They don't even notice it's there. I'm guessing that you
>> can acl the ISA client or something but I'd have to google to see if I
>> can find something. You might want to check with the gang on
isaserver.org
>>
>> Dan Shallbetter wrote:
>> > The exact error is:
>> >
>> > Failed to open group policy object. You may not have appropriate
rights.
>> >
>> > Details: The Parameter is invalid
>> >
>> > This error occurs when I try to edit a GPO while logged on as the
system
>> > admin.
>> >
>> > When I try to install that update on Saturday. And got a wrong OS
warning,
>> > it appeared the patch was for server 2000.
>> >
>> > E-Trust (Computer Associates) is my anti-virus software. I think the
only
>> > thing blocking it is the SP2 firewall. On my SBS 4.5 server I had to
disable
>> > the firewall before I could remote install the client app. I would
like to
>> > disable the XP SP2 firewall just long enough to install the client
software.
>> >
>> > I would like to prevent users from turning off the ISA clients, How do
I do
>> > this using GPO?
>> >
>> > I am running a Progress Database ERP application on my SBS server.
They
>> > have strongly advised turning off the firewall in XP SP2 (as in we
will not
>> > support you if you run SP2). My initial testing (4 days) indicates
that the
>> > application runs with both the ISA client and SP2 firewall running.
>> >
>> > "Susan Bradley, CPA aka Ebitz - SBS Rocks" wrote:
>> >
>> >
>> >>Can you give the exact error? I don't think it's rights
>> >>Download details: Update for Windows Server 2003 (KB842933):
>>
>>http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyi
d=532A4CD0-F2CE-4FA7-92AB-AC336AD18409&displaylang=en
>> >>
>> >>
>> >>I would just all the Etrust exclusions in the group policy and leave
on
>> >>the XP sp2 firewall.. you want to make your workstations PART of your
>> >>security stance. Leave them on... you need it in place for layers of
>> >>defenses
>> >>
>> >>Dan Shallbetter wrote:
>> >>
>> >>>I am trying to install E-trust Inoculate on my XP SP2 machines. I
need to
>> >>>disable the XP firewall & Microsoft Anti Virus. I installed patch
87269 on my
>> >>>SBS2003 server and did an auto updated on the XP machine. I can not
change
>> >>>the firewall status at the local machine, as it is controlled by
domain
>> >>>policy. When I try to edit a GPO I get a group policy error message
telling
>> >>>me I may not have appropriate rights. I am logged on as the admin.
What is
>> >>>the best way to fix this problem? Also I would like to prevent users
from
>> >>>disabling the ISA client, is this something I would do using a group
policy?
>> >>>
>> >>>Thanks
>> >>>
>> >>>Dan
>> >>>
>> >>
>> >>--
>> >>An open letter to the Security Community::
>> >>http://msmvps.com/bradley/archive/2004/12/12/23540.aspx
>> >>
>>
>> --
>> An open letter to the Security Community::
>> http://msmvps.com/bradley/archive/2004/12/12/23540.aspx
>>
>

.

Relevant Pages

  • RE: Fax monitor incoming + outgoing calls?
    ... problem between the client computer and the SBS server. ... Client is using the internal IP address of the SBS server as the ... To the folder redirection GPO issue: ...
    (microsoft.public.windows.server.sbs)
  • RE: (Very) Slow browsing server shares - Net Work Monitor shows ca
    ... If this issue happen only when browse shared folders on SBS from one XP ... client computer, this will be a client side error. ... click to check the "Hide All Microsoft Services" ... Digitally sign communications (if server ...
    (microsoft.public.windows.server.sbs)
  • RE: No Client or Server Desktop Access Through RWW SBS 2003 SP2
    ... internal client Remote Desktop via RWW. ... Please perform the steps on the SBS and internal client computers: ... Click Remote tab, tick Enable Remote Desktop on this computer ... On the SBS server, click Start, click Run, type "regedit" (without the ...
    (microsoft.public.windows.server.sbs)
  • RE: trouble with shared fax service
    ... Thank you for posting in SBS newsgroup. ... install fax service on client computers. ... the SBS server or on the client workstation. ... and then choose 'Install' for the 'Fax Services' item. ...
    (microsoft.public.windows.server.sbs)
  • Re: Small Biz Design
    ... After we installed SBS 2003 successfully on the server box, the Client ... >When we setup SBS 2003 server using installation disks, ...
    (microsoft.public.windows.server.sbs)