Can't edit Group Policies

If I RDP into a server and use AD Users and Computers.  I can edit Group
Policies.  If I try the same thing from my XP computer using Administrative
Tools/Users Computers, the Edit button, and all other buttons except
Properties, is greyed out.
I am a Domain Admin.
What is the problem here?

Thanks

Try to download and install GPMC.

Try to download and install GPMC.

Just tried it. Same thing.

Just tried it.  Same thing.

Number of reasons are possible:1.

Number of reasons are possible:
1. Your XP client is not part of the domain you try to manage

2. Your XP got dropped from the domain and may need re-joining.

3. Firewall may be blocking you.

4. Firewall on the DC may be restricting RPC connections to certain ranges
of IP addresses.

In addition to Dusko's suggestions, have the full adminpak tools beeninstalled

In addition to Dusko's suggestions, have the full adminpak tools been
installed on your workstation, or just a subset of the tools?

Are there any errors in the event logs on your workstation, such as possibly
EventID#s 1030, 1058 or 11166?


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

it is none of those. My machine is still part of the domain.

it is none of those.  My machine is still part of the domain.  Windows
firewall is turned off on the DC's.  My PC and the DC's are on the same
subnet.

I just checked, and I do not have any of those Event ID's.

I just checked, and I do not have any of those Event ID's.
Yes, I do have the full adminpak installed.

You do not have those EventIDs? On your workstation, DCs, or both?

You do not have those EventIDs? On your workstation, DCs, or both?

And the GPMC is useless, too?

Can you post an ipconfig /all of your workstation and from the DC,
preferrably from the PDC Emulator?

Are any of the DCs multihomed?

Ace

The only thing I can think of that has changed is, we added a 2008 server.

The only thing I can think of that has changed is, we added a 2008 server.
But it is still a member server.
See below..

On neither


Yes, the "edit" option is greyed out



Domain Controller
Windows IP Configuration

Host Name . . . . . . . . . . . . : bdadmin
Primary Dns Suffix  . . . . . . . : bd.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : bd.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Intel(R) PRO/100 Network Connection
Physical Address. . . . . . . . . : 00-B0-D0-F9-DA-CE
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.10.12
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.3
DNS Servers . . . . . . . . . . . : 192.168.10.12
192.168.10.13
Primary WINS Server . . . . . . . : 192.168.10.12
Secondary WINS Server . . . . . . : 192.168.10.13
-------------------------------------------------------

XP Workstation

Windows IP Configuration

Host Name . . . . . . . . . . . . : DC3KBTK1
Primary Dns Suffix  . . . . . . . : bd.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : bd.local


Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : Intel(R) 82567LM Gigabit Network
Con
nection
Physical Address. . . . . . . . . : 00-24-E8-C2-56-0C
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.10.48
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.3
DHCP Server . . . . . . . . . . . : 192.168.10.12
DNS Servers . . . . . . . . . . . : 192.168.10.12
192.168.10.13
Primary WINS Server . . . . . . . : 192.168.10.12
Secondary WINS Server . . . . . . : 192.168.10.13


No

Weird, now I just noticed other MMCs do not work, like DNS and DHCP.

Weird, now I just noticed other MMCs do not work, like DNS and DHCP.

I get "access is denied".  But it is fine from the server.

Thanks for posting that info.I see why it may not be working.

Thanks for posting that info.

I see why it may not be working. Check this out on the DC's ipconfg:


Curious, why is this enabled? Was RRAS enabled on it at one time?

Disable the two above, then run the following or restart the DC:

ipconfig /regsiterdns
restart the netlogon service

Go into DNS, make sure there is only one entry for the DC for the A record
and the LdapIpaddress records (the one that says 'same as parent), then go
into the SRVs, and make sure there is only one GC entry. Check the zone
properties, Nameserver tab and make sure there is only one IP for the DC's

Not sure. Maybe they used RRAS in the past. I just disabled it.

Not sure.  Maybe they used RRAS in the past.  I just disabled it.



I did a bit of Googling on disabling WINS Proxy, and all I found was a
registry change.  Is that what I need to do?

Did that after disabling RRAS.



Check.


Not sure what you mean by "go into the SRVs".



Yes, one for each DC.

Good. When you re-ran the ipconfig, does it say No to IP Routing Enablednow?

Good. When you re-ran the ipconfig, does it say No to IP Routing Enabled
now?



That's correct. I assume you already have the registry entries to disable
it. I wonder why they had enabled it. Nonetheless, either way, just make
sure it is turned off. Re-run ipconfig /all to ensure it says No.



The SRV folders are those folders with the underscores in front of their
names. The GC entries (Global Catalog) are in the following zone:
_msdcs.bd.local
under it you will see a "_gc" folder. Make sure the IPs are correct for all
your current DCs.


Good. Also, if you only have one domain, make sure all DCs are GCs. This is
an important recommendation.

Ace

Yes.Yes, the registry entry was in there. I just changed it.

Yes.


Yes, the registry entry was in there.  I just changed it.  Did a
Ipconfig/all,  interesting that is all it took for it to take affect.

One of many mysteries at this company.  The other thing that was odd..... in
the articles I found on changing the registry settings, it said it would be
set to 0 or 1.  Ours was set to 2.  I guess that meant *very* enabled.  :-)
I looked on the other DC in this domain and it was not enabled on there.
RRAS was.  So I disabled that too.  We are not using it.


Check.

Check.

Unfortunately at this point the Edit button is still greyed out.  I will
reboot the DC's this Thursday or Friday and try it again after that.
But I am glad I got these things taken care of  ;-)

The fact that RRAS is installed on a DC, makes it a multihomed DC, as wellas

The fact that RRAS is installed on a DC, makes it a multihomed DC, as well
as IP routing enabled. This is problematic with DCs, and may have been the
whole cause of the issue. Make sure DNS is clean of any records that do not
belong, such as if there are two A records for the DC, as well as the other
items I mentioned. Restarting the DCs, as well as the client, should
simplify it for the changes to take effect.

Let us know how you make out.

Ace

Rebooted DCs and my workstatation.

Rebooted DCs and my workstatation.  Same problem, the "edit" option is
greyed-out.  No errors in Event Viewer.
I even tried uninstalling/re-installing Admin Pak.
Very strange.  It worked at one time.
And like I said, the only thing I can think of that is changed is adding a
2008 Member server to the domain.

That's not good.

That's not good. I cannot see how adding a 2008 member server has anything to
do with it. I assume you did not run adprep?

I assume that any records that do not belong in DNS have been removed, if
there were any. All DCs are now GCs, and they show up in
_gc._msdcs.bd.local.

When you open the GPMC, under Domains, and your bd.local, right click
bd.local, choose Change Domain Controller, change it to the other DC and see
if it works.

Ace

I would also create a brand new OU (TempTestOU) and see if Edit option

I would also create a brand new OU (TempTestOU) and see if Edit option is
grayed there as well.
BTW permissions on objedcts in AD are much more complex than NTFS
permissions.

I surely hope permissions were not altered in AD (ADSI Edite, ADUC, etc). :-)Ace

I surely hope permissions were not altered in AD (ADSI Edite, ADUC, etc). :-)

Ace

It turns out that the problem is specific to my workstation.

It turns out that the problem is specific to my workstation.  I installed
admin pak on another computer today, and I did not have this problem.
Windows firewall on my computer is disabled, and on the DCs.

I guess the next step would be to remove my workstation from the domain, and
rejoin it.  Am I going to get a new profile on my workstation when I do
that?  I would hate to have to set this up all over again.  I guess I could
just copy the profile?

If it is a corrupted profile, copying it will not do the trick.

If it is a corrupted profile, copying it will not do the trick. Try
uninstalling, then reinstalling the adminpak. If that does not work, you will
have to start with a fresh profile.

Ace

Deleting and recreating my profile fixed the problem.

Deleting and recreating my profile fixed the problem.

Forgot to first save off my Bookmarks.  Thanks Microsoft!

Anyway... it is working.  Thanks for the help with all the other issues.

Glad to hear it is fixed, but I am sorry to hear you lost your bookmarks.

Glad to hear it is fixed, but I am sorry to hear you lost your bookmarks. I
should have suggested to copy your current profile to another location prior
to blowing it away. Sorry about that.

Ace