Re: GPO error no appropriate rights
- From: Dan Shallbetter <DanShallbetter@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 6 Jun 2005 07:42:13 -0700
Thank you both for your replies.
I have applied both hotfixes.
The first reg key edit fixed the problem. I disabled the GPO earlier per
Susan's suggestion and that allowed me to disable the firewall client locally.
Dan
"Nathan Liu [MSFT]" wrote:
> Hello Dan,
>
> Thank you for posting in the SBS newsgroup.
>
> Also, many thanks for Susan's great input.
>
> According to your description, I understand that you received the "Failed
> to open group policy object. You may not have appropriate rights." error
> message when you try to edit a GPO while logged on as the system admin. If
> I have misunderstood your concern, please don't hesitate to let me know.
>
> First of all, please refer to the Brief of the main process to disable the
> Windows XP SP2 via GPO to verify your configuration:
>
> 1. Install the Windows Small Business Server 2003 Update for Windows XP
> SP2. To obtain this update, visit the following Microsoft Web site:
>
> http://www.microsoft.com/downloads/details.aspx?FamilyId=D70097C2-4317-40E0-B7DA-FEB52C6B6386&displaylang=en
>
> 2. Install the hotfix that is described in article 842933.
>
> 842933 "The following entry in the [strings] section is too long and
> has been truncated" error message when you try to modify or to view GPOs in
> Windows Server 2003, Windows XP Professional, or Windows 2000
> http://support.microsoft.com/?id=842933
>
> 3. After you finished the above steps, please refer to the following
> steps to disable the Windows XP SP2 firewall.
>
> A. Open the Server Management Console on the SBS Server.
>
> B. Expand Advanced Management, go to Group Policy Management ->
> DomainName.local -> Small Business Server Client Computer
>
> C. Right-click the "Small Business Server Client Computer" node and
> select Edit
>
> D. On the Group Policy Object Editor page, go to Computer
> Configuration -> Administrative Templates -> Network -> Network Connections
>
> E. On the right pane, enable the "Prohibit use of Internet Connection
> Firewall on your DNS domain network" option.
>
> 4. To update Group Policy on the Windows XP SP2-based client computers,
> either restart the client computers or run the gpupdate /force command on
> the client computers.
>
>
> After verifying the above steps, if the issue persists, it may be
> related to DNS, WINS, or netlogon; please try to perform the following steps:
>
>
> 1. Please check the regedit key configuration on the SBS 2003 Server.
>
> Regedit key = Hkey_Classes_Root\MSCfile\Shell\Open\Command
>
> Key Value = %SystemRoot%\system32\mmc.exe "%1" %*
>
> Regedit key =
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SysvolReady
>
> Key Value = 1
>
> 2. Please check the DNS and WINS configuration.
>
>
> If the issue persists, please help me collect the following information for
> further troubleshooting:
>
> 1. Please open the system Event Viewer on the SBS 2003 Server, and check
> whether there are any error messages about this issue, then paste the full
> context in your reply.
>
> 2. At the SBS Server and one of your workstations, please run "Ipconfig
> /all" and copy the content of the output then paste in your reply.
>
>
> Otherwise, based on my research, there is no GPO method to prevent users
> from disabling the ISA Firewall client.
>
> I'm looking forward to your update. If you have any questions or concerns,
> please do not hesitate to let me know. I am always happy to be of further
> assistance.
>
> Best regards,
>
> Nathan Liu (MSFT)
>
> Microsoft CSS Online Newsgroup Support
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
>
> --------------------
> >From: Dan Shallbetter <DanShallbetter@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >Subject: Re: GPO error no appropriate rights
> >Date: Mon, 6 Jun 2005 05:20:08 -0700
> >Newsgroups: microsoft.public.windows.server.sbs
> >
> >I am on the server as the admin user. The account belongs to the following
> >groups:
> >Administrator
> >Domain User
> >Enterprise Administrator
> >Group Policy Creator owner
> >Internet Users
> >Mobile User
> >Schema Administrator
> >
> >I will re-check the patch. My patch came from a tech-net article that I
> >thought was for 2003.
> >
> >Thanks
> >
> >Dan
> >
> >
> >"Susan Bradley, CPA aka Ebitz - SBS Rocks" wrote:
> >
> >> Download details: Update for Windows Server 2003 (KB842933):
> >>
> >> http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=532A4CD0-F2CE-4FA7-92AB-AC336AD18409&displaylang=en
> >>
> >>
> >> This patch? That's a 2k3 patch...not sure why you are having an issue
> >> with it?
> >>
> >> Review the group memberships of the built in administrator
> >> account...what group memberships do you have?
> >>
> >> Are you logged into the server? You can just 'unenable' the gpo link.
> >>
> >> Well one way you can block that is make them restricted users on the
> >> local machine. Maybe I have stupid users, but they never disable the
> >> ISA client. They don't even notice it's there. I'm guessing that you
> >> can acl the ISA client or something but I'd have to google to see if I
> >> can find something. You might want to check with the gang on
> >> isaserver.org
> >>
> >> Dan Shallbetter wrote:
> >> > The exact error is:
> >> >
> >> > Failed to open group policy object. You may not have appropriate rights.
> >> >
> >> > Details: The Parameter is invalid
> >> >
> >> > This error occurs when I try to edit a GPO while logged on as the system
> >> > admin.
> >> >
> >> > I tried to install that update on Saturday and got a wrong OS warning;
> >> > it appeared the patch was for server 2000.
> >> >
> >> > E-Trust (Computer Associates) is my anti-virus software. I think the only
> >> > thing blocking it is the SP2 firewall. On my SBS 4.5 server I had to disable
> >> > the firewall before I could remote install the client app. I would like to
> >> > disable the XP SP2 firewall just long enough to install the client software.
> >> >
> >> > I would like to prevent users from turning off the ISA clients. How do I do
> >> > this using GPO?
> >> >
> >> > I am running a Progress Database ERP application on my SBS server. They
> >> > have strongly advised turning off the firewall in XP SP2 (as in we will not
> >> > support you if you run SP2). My initial testing (4 days) indicates that the
> >> > application runs with both the ISA client and SP2 firewall running.
> >> >
> >> > "Susan Bradley, CPA aka Ebitz - SBS Rocks" wrote:
> >> >
> >> >
> >> >>Can you give the exact error? I don't think it's rights
> >> >>Download details: Update for Windows Server 2003 (KB842933):
> >> >>http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=532A4CD0-F2CE-4FA7-92AB-AC336AD18409&displaylang=en
> >> >>
> >> >>
> >> >>I would just all the Etrust exclusions in the group policy and leave on
> >> >>the XP sp2 firewall.. you want to make your workstations PART of your
> >> >>security stance. Leave them on... you need it in place for layers of
> >> >>defenses
> >> >>
> >> >>Dan Shallbetter wrote:
> >> >>
> >> >>>I am trying to install E-trust Inoculate on my XP SP2 machines. I need to
> >> >>>disable the XP firewall & Microsoft Anti Virus. I installed patch 87269 on my
> >> >>>SBS2003 server and did an auto update on the XP machine. I can not change
> >> >>>the firewall status at the local machine, as it is controlled by domain
> >> >>>policy. When I try to edit a GPO I get a group policy error message telling
> >> >>>me I may not have appropriate rights. I am logged on as the admin. What is
> >> >>>the best way to fix this problem? Also I would like to prevent users from
> >> >>>disabling the ISA client, is this something I would do using a group policy?
> >> >>>
> >> >>>Thanks
> >> >>>
> >> >>>Dan
> >> >>>
> >> >>
> >> >>--
> >> >>An open letter to the Security Community::
> >> >>http://msmvps.com/bradley/archive/2004/12/12/23540.aspx
> >> >>
> >>
> >> --
> >> An open letter to the Security Community::
> >> http://msmvps.com/bradley/archive/2004/12/12/23540.aspx
> >>
> >
>
>
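
The two registry checks listed in the quoted reply can be done in one read-only pass. This is an added example, not part of the original thread or any Microsoft tooling; the function name `Test-RegistryValue` is hypothetical, the expected data is copied from the post, and it assumes Windows PowerShell is installed on the server.

```powershell
# Added example: read-only check of the two registry values named in the reply.
# Nothing is written to the registry; expected data is taken from the post.
$checks = @(
    @{ Key  = 'Registry::HKEY_CLASSES_ROOT\MSCFile\Shell\Open\Command'
       Name = ''                     # empty name = the key's default value
       Want = '%SystemRoot%\system32\mmc.exe "%1" %*' },
    @{ Key  = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name = 'SysvolReady'
       Want = 1 }
)

function Test-RegistryValue {
    param([string]$Key, [string]$Name, $Want)

    $label = if ($Name) { $Name } else { '(Default)' }

    # A missing key is reported as a failure rather than thrown as an error.
    if (-not (Test-Path -LiteralPath $Key)) {
        return [pscustomobject]@{ Key = $Key; Value = $label
                                  Found = '<key missing>'; Ok = $false }
    }

    # Read the raw data so %SystemRoot% is compared unexpanded, as posted.
    $regKey = Get-Item -LiteralPath $Key
    $found  = $regKey.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')

    if ($null -eq $found) {
        return [pscustomobject]@{ Key = $Key; Value = $label
                                  Found = '<value missing>'; Ok = $false }
    }

    # String comparison; -eq is case-insensitive, matching registry conventions.
    [pscustomobject]@{ Key = $Key; Value = $label
                       Found = $found; Ok = ("$found" -eq "$Want") }
}

$results = foreach ($c in $checks) { Test-RegistryValue @c }
$results | Format-List

# Non-zero exit code if either value differs from what the reply lists.
if ($results.Ok -contains $false) { exit 1 }
```

Run it on the SBS 2003 server itself; any row with `Ok : False` points at the value to compare against the reply above.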