Re: GPO error no appropriate rights
- From: v-natliu@xxxxxxxxxxxxxxxxxxxx (Nathan Liu [MSFT])
- Date: Tue, 07 Jun 2005 00:16:46 GMT
Hello Dan,
Thank you for posting back! I'm glad to hear that things are working
correctly for you now.
Please do not hesitate to post in this great newsgroup if you need any
assistance in the future. I look forward to working with you again.
Best regards,
Nathan Liu (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>Thread-Topic: GPO error no appropriate rights
>thread-index: AcVqpe1JIyoMVN3cSv6aABQeRe9W5g==
>X-WBNR-Posting-Host: 198.144.3.30
>From: =?Utf-8?B?RGFuIFNoYWxsYmV0dGVy?=
<DanShallbetter@xxxxxxxxxxxxxxxxxxxxxxxxx>
>References: <D058B966-4A77-4C16-9778-55DBBC124228@xxxxxxxxxxxxx>
<#tT$8shaFHA.3840@xxxxxxxxxxxxxxxxxxxx>
<61F4012E-D9FF-4DFF-A843-FB3027F4CBB9@xxxxxxxxxxxxx>
<eAJd3dkaFHA.2996@xxxxxxxxxxxxxxxxxxxx>
<86EF0572-815A-441D-80D8-641CA14BA660@xxxxxxxxxxxxx>
<BrSr9apaFHA.2184@xxxxxxxxxxxxxxxxxxxxx>
>Subject: Re: GPO error no appropriate rights
>Date: Mon, 6 Jun 2005 07:42:13 -0700
>Lines: 271
>Message-ID: <E01A559E-064E-4EF6-8F04-A64F3AE80D57@xxxxxxxxxxxxx>
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="Utf-8"
>Content-Transfer-Encoding: 7bit
>X-Newsreader: Microsoft CDO for Windows 2000
>Content-Class: urn:content-classes:message
>Importance: normal
>Priority: normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Newsgroups: microsoft.public.windows.server.sbs
>NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
>Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:124804
>X-Tomcat-NG: microsoft.public.windows.server.sbs
>
>Thank you both for your replies
>
>I have applied both hotfixes.
>
>The first reg key edit fixed the problem. I disabled the GPO earlier per
>Susan's suggestion and that allowed me to disable the firewall client
locally.
>
>Dan
>
>
>"Nathan Liu [MSFT]" wrote:
>
>> Hello Dan,
>>
>> Thank you for posting in the SBS newsgroup.
>>
>> Also, many thanks for Susan's great input.
>>
>> According to your description, I understand that you recevied the
"Failed
>> to open group policy object. You may not have appropriate rights." error
>> message when you try to edit a GPO while logged on as the system admin.
If
>> I have misunderstood your concern, please don't hesitate to let me know.
>>
>> First of all, please refer to the Brief of the main process to disable
the
>> Windows XP SP2 via GPO to verify your configuration:
>>
>> 1. Install the Windows Small Business Server 2003 Update for Windows
XP
>> SP2. To obtain this update, visit the following Microsoft Web site:
>>
>>
http://www.microsoft.com/downloads/details.aspx?FamilyId=D70097C2-4317-40E0-
>> B7DA-FEB52C6B6386&displaylang=en
>>
>> 2. Install the hotfix that is described in article 842933.
>>
>> 842933 "The following entry in the [strings] section is too long
and
>> has been truncated" error message when you try to modify or to view GPOs
in
>> Windows Server 2003, Windows XP Professional, or Windows 2000
>> http://support.microsoft.com/?id=842933
>>
>> 3. After you finished the above steps, please refer to the following
>> steps to disable the Windows XP SP2 firewall.
>>
>> A. Open the Server Management Console on the SBS Server.
>>
>> B. Expand Advanced Management, go to Group Policy Management ->
>> DomainName.local -> Small Business Server Client Computer
>>
>> C. Right-click the "Small Business Server Client Computer" node and
>> select Edit
>>
>> D. On the Group Policy Object Editor page, go to Computer
>> Configuration -> Administrative Templates -> Network -> Network
Connections
>>
>> E. On the right pane, enable the "Prohibit use of Internet
Connection
>> Firewall on your DNS domain network" option.
>>
>> 4. To update Group Policy on the Windows XP SP2-based client computers,
>> either restart the client computers or run the gpupdate /force command
on
>> the client computers.
>>
>>
>> After finished verify the above steps, if the issue persists, it's maybe
>> related to DNS, WINS, netlogon, please try to perform the following
steps:
>>
>>
>> 1. Please check the regedit key configuration on the SBS 2003 Server.
>>
>> Regedit key = Hkey_Classes_Root/MSCfile\Shell\Open\Command
>>
>> Key Value = %SystemRoot%\system32\mmc.exe "%1" %*
>>
>> Regedit key =
>>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\Sys
>> volReady
>>
>> Key Value = 1
>>
>> 2. Please check the DNS and WINS configuration.
>>
>>
>> If the issue persists, please help me collect the following information
for
>> further troubleshooting:
>>
>> 1. Please open the system Event Viewer on the SBS 2003 Server, and
check
>> whether there are any error messages about this issue, then paste the
full
>> context in your reply.
>>
>> 2. At the SBS Server and one of your workstations, please run "Ipconfig
>> /all" and copy the content of the output then paste in your reply.
>>
>>
>> Otherwise, based on my research, there is no GPO method to prevent users
>> from disabling the ISA Firewall client.
>>
>> I'm looking forward to your update. If you have any questions or
concerns,
>> please do not hesitate to let me know. I am always happy to be of
further
>> assistance.
>>
>> Best regards,
>>
>> Nathan Liu (MSFT)
>>
>> Microsoft CSS Online Newsgroup Support
>> Get Secure! - www.microsoft.com/security
>> =====================================================
>> When responding to posts, please "Reply to Group" via your newsreader so
>> that others may learn and benefit from your issue.
>> =====================================================
>> This posting is provided "AS IS" with no warranties, and confers no
rights.
>>
>>
>>
>> --------------------
>> >Thread-Topic: GPO error no appropriate rights
>> >thread-index: AcVqkhQObfJIiItzSmC0D+f4VlpHnw==
>> >X-WBNR-Posting-Host: 198.144.3.30
>> >From: =?Utf-8?B?RGFuIFNoYWxsYmV0dGVy?=
>> <DanShallbetter@xxxxxxxxxxxxxxxxxxxxxxxxx>
>> >References: <D058B966-4A77-4C16-9778-55DBBC124228@xxxxxxxxxxxxx>
>> <#tT$8shaFHA.3840@xxxxxxxxxxxxxxxxxxxx>
>> <61F4012E-D9FF-4DFF-A843-FB3027F4CBB9@xxxxxxxxxxxxx>
>> <eAJd3dkaFHA.2996@xxxxxxxxxxxxxxxxxxxx>
>> >Subject: Re: GPO error no appropriate rights
>> >Date: Mon, 6 Jun 2005 05:20:08 -0700
>> >Lines: 102
>> >Message-ID: <86EF0572-815A-441D-80D8-641CA14BA660@xxxxxxxxxxxxx>
>> >MIME-Version: 1.0
>> >Content-Type: text/plain;
>> > charset="Utf-8"
>> >Content-Transfer-Encoding: 7bit
>> >X-Newsreader: Microsoft CDO for Windows 2000
>> >Content-Class: urn:content-classes:message
>> >Importance: normal
>> >Priority: normal
>> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>> >Newsgroups: microsoft.public.windows.server.sbs
>> >NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>> >Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
>> >Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:124769
>> >X-Tomcat-NG: microsoft.public.windows.server.sbs
>> >
>> >I am on the server as the admin use. The account belongs to the
following
>> >groups:
>> >Administrator
>> >Domain User
>> >Enterprise Administrator
>> >Group Policy Creator owner
>> >Internet Users
>> >Mobile User
>> >Schema Administrator
>> >
>> >I will re-check the patch. My patch came from a tech-net article that I
>> >thought was for 2003.
>> >
>> >Thanks
>> >
>> >Dan
>> >
>> >
>> >"Susan Bradley, CPA aka Ebitz - SBS Rocks" wrote:
>> >
>> >> Download details: Update for Windows Server 2003 (KB842933):
>> >>
>>
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=
>> 532A4CD0-F2CE-4FA7-92AB-AC336AD18409&displaylang=en
>> >>
>> >>
>> >> This patch? That's a 2k3 patch...not sure why you are having an
issue
>> >> with it?
>> >>
>> >> Review the group memberships of the built in administrator
>> >> account...what group memberships do you have?
>> >>
>> >> Are you logged into the server? You can just 'unenable' the gpo link.
>> >>
>> >> Well one way you can block that is make them restricted uses on the
>> >> local machine. Maybe I have stupid users, but they never disable the
>> >> ISA client. They don't even notice it's there. I'm guessing that
you
>> >> can acl the ISA client or something but I'd have to google to see if
I
>> >> can find something. You might want to check with the gang on
>> isaserver.org
>> >>
>> >> Dan Shallbetter wrote:
>> >> > The exact error is:
>> >> >
>> >> > Failed to open group policy object. You may not have appropriate
>> rights.
>> >> >
>> >> > Details: The Parameter is invalid
>> >> >
>> >> > This error occurs when I try to edit a GPO while logged on as the
>> system
>> >> > admin.
>> >> >
>> >> > When I try to install that update on Saturday. And got a wrong OS
>> warning,
>> >> > it appeared the patch was for server 2000.
>> >> >
>> >> > E-Trust (Computer Associates) is my anti-virus software. I think
the
>> only
>> >> > thing blocking it is the SP2 firewall. On my SBS 4.5 server I had
to
>> disable
>> >> > the firewall before I could remote install the client app. I would
>> like to
>> >> > disable the XP SP2 firewall just long enough to install the client
>> software.
>> >> >
>> >> > I would like to prevent users from turning off the ISA clients, How
do
>> I do
>> >> > this using GPO?
>> >> >
>> >> > I am running a Progress Database ERP application on my SBS server.
>> They
>> >> > have strongly advised turning off the firewall in XP SP2 (as in we
>> will not
>> >> > support you if you run SP2). My initial testing (4 days) indicates
>> that the
>> >> > application runs with both the ISA client and SP2 firewall running.
>> >> >
>> >> > "Susan Bradley, CPA aka Ebitz - SBS Rocks" wrote:
>> >> >
>> >> >
>> >> >>Can you give the exact error? I don't think it's rights
>> >> >>Download details: Update for Windows Server 2003 (KB842933):
>> >>
>>
>>http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyi
>> d=532A4CD0-F2CE-4FA7-92AB-AC336AD18409&displaylang=en
>> >> >>
>> >> >>
>> >> >>I would just all the Etrust exclusions in the group policy and
leave
>> on
>> >> >>the XP sp2 firewall.. you want to make your workstations PART of
your
>> >> >>security stance. Leave them on... you need it in place for layers
of
>> >> >>defenses
>> >> >>
>> >> >>Dan Shallbetter wrote:
>> >> >>
>> >> >>>I am trying to install E-trust Inoculate on my XP SP2 machines. I
>> need to
>> >> >>>disable the XP firewall & Microsoft Anti Virus. I installed patch
>> 87269 on my
>> >> >>>SBS2003 server and did an auto updated on the XP machine. I can
not
>> change
>> >> >>>the firewall status at the local machine, as it is controlled by
>> domain
>> >> >>>policy. When I try to edit a GPO I get a group policy error
message
>> telling
>> >> >>>me I may not have appropriate rights. I am logged on as the admin.
>> What is
>> >> >>>the best way to fix this problem? Also I would like to prevent
users
>> from
>> >> >>>disabling the ISA client, is this something I would do using a
group
>> policy?
>> >> >>>
>> >> >>>Thanks
>> >> >>>
>> >> >>>Dan
>> >> >>>
>> >> >>
>> >> >>--
>> >> >>An open letter to the Security Community::
>> >> >>http://msmvps.com/bradley/archive/2004/12/12/23540.aspx
>> >> >>
>> >>
>> >> --
>> >> An open letter to the Security Community::
>> >> http://msmvps.com/bradley/archive/2004/12/12/23540.aspx
>> >>
>> >
>>
>>
>
.
- References:
- GPO error no appropriate rights
- From: Dan Shallbetter
- Re: GPO error no appropriate rights
- From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
- Re: GPO error no appropriate rights
- From: Dan Shallbetter
- Re: GPO error no appropriate rights
- From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
- Re: GPO error no appropriate rights
- From: Dan Shallbetter
- Re: GPO error no appropriate rights
- From: Nathan Liu [MSFT]
- Re: GPO error no appropriate rights
- From: Dan Shallbetter
- GPO error no appropriate rights
- Prev by Date: 550-Verification failed
- Next by Date: Re: How to set up Clients with...
- Previous by thread: Re: GPO error no appropriate rights
- Next by thread: Re: Mobile user remote access
- Index(es):
Relevant Pages
|
