[gptalk] Re: Default Domain Policy corrupt, with 13

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 18 Aug 2006 17:05:06 -0700

Todd -
I should have also mentioned that in SYSVOL on the PDC emulator, for that
GPO, you will find a gpt.ini file in the root of the GUID-named policy
folder. In that file, there will also be a gpcUserExtensionsName property
that you'll want to remove the {353} GUID from as well.

Darren



-----Original Message-----
From: Darren Mar-Elia [mailto:darren@xxxxxxxxxx] 
Sent: Friday, August 18, 2006 4:56 PM
To: 'toddblake@xxxxxxxxxxxx'
Subject: RE: [gptalk] Re: Default Domain Policy corrupt, with 13

DCGPOFix will wipe the whole GPO. I can't remember the syntax but it may
even wipe out the Default DC Policy (double-check that). Here's another
option, but only if you're comfortable with AD and ADSIEDit. Go into
ADSIEdit, focused on the PDC role-holder. Open the CN=Policies,CN=System
container on the domain naming context. Find the GUID container of the
Default Domain Policy (Should start with {31B...). Right-click, Properties
on that GUID container and go down to the gpcUserExtensionNames attribute.
If you're comfortable getting and setting values there, you will find a list
of Client Side Extension GUIDs that are implemented in that GPO. Find one
that starts with {35378...} and remove that from the list. After that, I
suspect the error will go away. If not or if you're not comfortable doing
any of this, then DCGPOFix will probably suffice. If you do go the ADSIEdit
route, take an AD backup beforehand, just in case.



Darren



-----Original Message-----
From: toddblake@xxxxxxxxxxxx [mailto:toddblake@xxxxxxxxxxxx]
Sent: Friday, August 18, 2006 4:49 PM
To: gptalk@xxxxxxxxxxxxx
Cc: Darren Mar-Elia
Subject: Re: [gptalk] Re: Default Domain Policy corrupt, with 13

Thanks Darren

Since I can't open up the policy to edit it, however I can see the computer
part of it if I click on  the Settings tab within GPMC, do you think at this
point I should run DCGPOFIX /Target:Domain and have it recreate the default
domain policy, then add back in the settings?

thanks

Todd
---- Darren Mar-Elia <darren@xxxxxxxxxx> wrote: 
> If the file is not there on any DC then I suspect the "corruption" 
> message is simply telling you that the AD part of the GPO says there 
> should be registry policy but the SYSVOL part is not finding it. Since 
> that file stores Admin. Template policy as well as Software 
> Restriction policy and a couple of others, you will have to recreate those
settings on that GPO.
> 
> Darren
> 
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of toddblake@xxxxxxxxxxxx
> Sent: Friday, August 18, 2006 4:19 PM
> To: gptalk@xxxxxxxxxxxxx
> Cc: Mathieu CHATEAU
> Subject: [gptalk] Re: Default Domain Policy corrupt, with 13
> 
> Mathieu.
> 
> also, upon further inspection, I can't even find a registry.pol file 
> in that directory, anywhere underneath the policy guid, that's
strange.....
> 
> So I have no registry.pol file to "move out",
> 
> anything else I might try?
> 
> thanks again.
> 
> Todd
> 
> ---- Mathieu CHATEAU <gollum123@xxxxxxx> wrote: 
> > Hello toddblake,
> > 
> > What i would do:
> > -Log on the PDC.
> > -move out
> > c:\windows\sysvol\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Us
> > er
> > \registry.pol
> > -Go to the GPMC on the server.
> > -Make a change to force a new ID for this gpo -Force a sync between 
> > DC
> > 
> > Cheers,
> > Mathieu CHATEAU
> > http://lordoftheping.blogspot.com
> > 
> > Friday, August 18, 2006, 8:55:21 PM, you wrote:
> > 
> > tan> Hi everyone.
> > 
> > tan> I have a problem with our "Default Domain Policy", specifically 
> > tan> the user portion.  We are running both W2K and W2K3 DC's in W2K 
> > tan> Native mode.  Below message appears while trying to edit the 
> > tan> GPO on a
> W2K3 GPMC box.
> > 
> > tan> START*****************
> > tan> the file
> > tan> "\\...\policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\User\reg
> > tan> is try.pol" is not in a valid format. The file might be 
> > tan> corrupt. Use Group Policy Object Editor to reconfigure the 
> > tan> settings in this
> extension.
> > tan> END********************
> > 
> > tan> Below is from the Application Log,
> > tan> START***********************
> > tan> EventID 1000
> > tan> Windows cannot access the registry information at
> > tan>
> \\...\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\User\registry.po
> l with (13).
> > tan> END*************************
> > 
> > tan> Is there any way I can recover from this, I don't have a 
> > tan> useable system state and this has been happening for months.
> > tan> I've googled and come up with alot of hits but none with the (13)
error.
> > 
> > tan> Would it be possible for me to rename the registry.pol file and 
> > tan> then fire up GPMC and see if it notices there is no 
> > tan> registry.pol, would this create a blank one for this GP?
> > 
> > tan> Or should I run "DCGPOFIX.EXE /TARGET:DOMAIN" on a W2K3 box and 
> > tan> have it recreate the default policy and then add all the
> modifications back in?
> > 
> > tan> At this point I can't edit the gpo, it comes back with an
> "unspecified erro"
> > 
> > tan> Thanks for any suggestions.....
> > 
> > tan> Todd
> > tan> ***********************
> > tan> You can unsubscribe from gptalk by sending email to 
> > tan> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject 
> > tan> field OR by logging into the freelists.org Web interface.
> > tan> Archives for the list are available at 
> > tan> http://www.freelists.org/archives/gptalk/
> > tan> ************************
> > 
> > 
> > 
> > --
> > Best regards,
> >  Mathieu                            mailto:gollum123@xxxxxxx
> > 
> > ***********************
> > You can unsubscribe from gptalk by sending email to 
> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field 
> > OR by logging into the freelists.org Web interface. Archives for the 
> > list are available at http://www.freelists.org/archives/gptalk/
> > ************************
> 
> ***********************
> You can unsubscribe from gptalk by sending email to 
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field 
> OR by logging into the freelists.org Web interface. Archives for the 
> list are available at http://www.freelists.org/archives/gptalk/
> ************************
> 
> ***********************
> You can unsubscribe from gptalk by sending email to 
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field 
> OR by logging into the freelists.org Web interface. Archives for the 
> list are available at http://www.freelists.org/archives/gptalk/
> ************************


***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: