Re: Win2003 "cannot access the file gpt.ini"

From: NIC Student (nospam_at_nospam.land)
Date: 03/07/05 

Date: Sun, 6 Mar 2005 17:37:11 -0800

Hi Svein ,

I've seen this once before when the GPOs in a domain became corrupted or
damaged and could't be replicated, edited or used by clients. Group Policy
may fail because the workstations cannot read all the GPOs and then will
stick with existing policy rather than accept changes when one of the GPOs
cannot be read. I still don't know why this happened although I tend to
think a certain antivirus program messed the permissions up.

The sysvol share is present on your domain controllers. Look for the share
on your dcs and if they don't have one then there is indeed a big problem.
You can access sysvol by Start>Run>"\\dcname\sysvol">OK. Or you can get
there by \\domain name\sysvol. Default permissions can be found in this
article:

SYSVOL junction inherits NTFS permissions from the drive root
http://support.microsoft.com/default.aspx?scid=kb;en-us;319808

In the case I mentioned above, I tried looking at permissions and such, but
the gpt.ini file was actually missing from the GPO and permissions were
fine, so we created a new blank GPO, then copied its gpt.ini back to the
broken GPO, deleted the blank GPO and all was well. 

-- 
Scott Baldridge
Windows Server MVP, MCSE
"Svein Terje Gaup"
> Hi alle, and thanks in advance for any help provided...
>
> I have installed Windows Server 2003 as a "first server on the network". 
> Now I keep getting two separate errors every minute in the application 
> log:
>
> Event ID: 1030
> Windows cannot query for the list of Group Policy objects. Check the event 
> log for possible messages previously logged by the policy engine that 
> describes the reason for this.
>
> EventID: 1058
> Windows cannot access the file gpt.ini for GPO 
> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=home,DC=local. 
> The file must be present at the location 
> <\\home.local\sysvol\home.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. 
> (Configuration information could not be read from the domain controller, 
> either because the machine is unavailable, or access has been denied. ). 
> Group Policy processing aborted.
>
> The server is set up with the following roles:
> - Domain Controller
> - DNS Server - forward lookup to internal Router for unresolved queries
> - RRAS with NAT and Basic Firewall
> - DHCP Server
>
> The server is set up as a multihomed machine with two nics. One nic named 
> "LAN" connects to the internal LAN (the 192.168.0.0/24 subnet). The other 
> is named "WAN" and connects to a subnet (10.0.0.0/24) with only one router 
> connected in addition to the server. The WAN nic is setup to automatically 
> receive its IP adress from the (Cisco) router.
>
> I've read this KB article: 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;842804&sd=ee
>
> It suggests that I should ensure these four things:
>     - Netlogon and DFS services are started. => Check!
>     - Domain controllers have the read and apply rights to the Domain 
> Controllers Policy. => I cannot access the Group Policy snapin, I get this 
> message when trying to open the Domain Security Policy: Failed to open the 
> Group Policy Object. You may not have appropriate rights.
>     - NTFS file system permissions and share permissions are set correctly 
> on the Sysvol share. => How do I find and access this share? It does not 
> seem to be an ordinar file share.
>     - DNS entries are correct for the domain controllers. => Check!
>
>
> This article intended for Small Business Server describes the problem 
> quite accurately: 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;888943&sd=ee, but 
> the solution is to correct an incorrect domain name. My domain name is 
> correct, and I'm not running SBS.
>
> Does anybody have an idea what might be wrong? Anything I should try?
>
> -- 
> mvh
> Svein Terje Gaup
>
>

Relevant Pages

  • RE: Migrating Group Policy
    ... So I think you must run Security Translation on the Terminal Service Server ... You can check the group domain in the TS permissions (it must be ... OU's to delegate administration & apply group policy. ...
    (microsoft.public.windows.server.active_directory)
  • RE: ISA 2004 REPORT FAILURE
    ... regarding Group Policy refresh has been set inappropriately. ... Microsoft CSS Online Newsgroup Support ... check remotly on the server at about 10pm ... This morning permissions were ...
    (microsoft.public.windows.server.sbs)
  • Re: Getting desperate: GPO applying incorrectly, PLEASE HELP ME!!
    ... GPO security settings from the defauts. ... Restart the workstation computer and the Terminal server, ... I've chosen these settings only because the affect is easy to observe. ... add check mark in the Deny column for Apply Group Policy ...
    (microsoft.public.windows.group_policy)
  • Re: Help with GPO problem! PLEASE!!
    ... Can you create a new GPO?? ... If so use it to compare permissions to the two ... > Configuration information could not be read from the domain controller, ... Failed to open the Group Policy Object. ...
    (microsoft.public.windows.group_policy)
  • Re: TS Login Problem to challenge the brightest TS Gurus
    ... Server development team sometimes get confused by multiple levels of access ... it is not very likely that group policy corruption on PDC ... Check permissions on TS Connection object (aka listener aka ... Make sure all users are in the LOCAL Remote Desktop Users group on the ...
    (microsoft.public.windows.terminal_services)