Can't edit Default Domain Controllers Policy on Windows 8 and Server 2012

During our migration process from Windows Server 2008 R2 to Windows Server 2012 for all of our DC's, I've noticed a problem with the Default Domain Controller Policy.  I can edit this policy from any domain-joined computer running Windows 7 or Windows Server 2008 R2 (and probably earlier versions).  However, I can't edit it via Windows 8 or Windows Server 2012.


Here's the error message I receive:

Failed to open the Group Policy Object.  You might not have the appropriate rights.

Details: The volume for a file has been externally altered so that the opened file is no longer valid.

  • This AD domain has been gradually upgraded since its original introduction Windows 2000 Server.
  • I'm a Domain Admin and Enterprise Admin.
  • I've triple-checked the ACL for this GPO, even going through every property of each entry, and it is exactly as it should be.
  • I've verified that all the standard files and folders for the GPO are in the correct location.
  • DFS-R is being used for sysvol replication.
  • The policy applies correctly, even to Windows Server 2012 domain controllers.
  • As mentioned, I can edit the policy without a problem from earlier versions of Windows.
  • This problem does not apply to the Default Domain Policy.  Both of these default policies have the proper UUID.
  • This problem occurs regardless of which DC I'm connected to via the GPO editor.
  • dcdiag /c passes all tests.


I'm stumped!  Any suggestions?

  • Edited by Greg-UCO Sunday, May 19, 2013 12:49 PM Spacing
May 19th, 2013 12:48pm

Hi,

Can you edit it with GPMC on your Windows 2012 DC? How about adding another Windows 2012 DC and then check the result.

In addition, hope the below thread could be helpful, please try those 3 methods in the thread:

http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/0x800703ee-the-volume-for-a-file-has-been/426968a5-121c-44ac-9ba8-767ab459adb4?msgId=ce735760-085a-42f7-93e1-ffce1435ff29

Regards,

Yan Li

Free Windows Admin Tool Kit Click here and download it now
May 22nd, 2013 6:40am

Hi,

Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.

 

If you have any feedback on our support, please click here .

 

May 24th, 2013 2:54am

Well, I had a reply all typed out for this, but unmarking the answer before submitting screwed the site up (in IE nonetheless!).  Anyway, here's the short version of what I already tried to submit.  Basically, I've been busy with other higher-priority items and just hadn't had a chance to get back to this, but the situation remains unresolved.  I cannot edit the GPO within GPMC on any of the 3 DC's.  All of our DC's are now running 2012 and our domain and forest are now at the 2012 functional level.  I can't do random unrelated risky operations on a production DC like sfc /scannow when there's clearly no filesystem corruption on 3 freshly built DC's and this problem only applies to one GPO of hundreds and only to Windows 8/2012.  To work around this odd issue, I'll create another GPO, migrate all my DC settings to it, remove them from the current one, unlink the current one, and safely ignore it and never use it again.  Maybe Microsoft will fix the underlying issue (that obviously only affects certain customers with specific configurations) and it will become editable from Windows 8/2012 at some point, but I'm not worried about it and it's not worth paying for a support call when there's an easy workaround.  I was just hoping that someone else had run across this issue and had found a solution.  Thanks.
Free Windows Admin Tool Kit Click here and download it now
June 5th, 2013 11:36pm

Here's another unresolved case:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/2d968a05-2cff-4dd0-9c5d-dd810d1fa66f/cant-edit-default-domain-controllers-policy-on-windows-8-or-server-2012

July 12th, 2013 3:44pm

Try this:

Got to each domain controller and open the GPMC.  Select each policy one at a time and see if a permissions mismatch warning comes up.  If you get this click OK to correct the issue.  I worked with Microsoft on this issue and that was the solution for my similar situation.

Free Windows Admin Tool Kit Click here and download it now
July 29th, 2013 6:00pm

Technically, I had already done this step when trying to edit this policy via GPMC on each domain controller, but I went ahead and did it again to verify.  I did not receive any permissions mismatch popups.  I still can't edit this GPO from any Windows Server 2012 server or Windows 8 PC, but I can continue to view its settings via GPMC on any server or PC and edit the GPO via Windows 7 or Server 2008 R2 or earlier.
July 31st, 2013 12:13am

I just accidentally resolved this issue today.  I added the GPMC to a 2008 R2 server so I could make a needed firewall change within the Windows Firewall with Advanced Security section of the Default Domain Controllers GPO (I enabled the Remote Event Log management rule for the Domain profile).  About an hour later, I forgot I was using my Windows 8 machine and I went to edit the Default Domain Controllers GPO and opened for edit without a problem.  I can now edit it from Windows 8 and from Windows Server 2012.  Until now, I was using a Windows 7 VM to make the edits, so in my case the problem was resolved by editing the GPO once from a 2008 R2 machine.  Hope this helps someone else!
  • Marked as answer by Greg-UCO Tuesday, August 20, 2013 11:54 PM
Free Windows Admin Tool Kit Click here and download it now
August 20th, 2013 11:52pm

I have this same issue.

Error message when I try to edit the Default Domain Controllers Policy from Group Policy Management on a 2012R2 OS.

Cannot edit "Default Domain Controllers Policy" from 2012R2 Group Policy Management; but

Can edit "Default Domain Controllers Policy" from 2008R2 Group Policy Management.

Has this been resolved by anyone?

Thank you,

September 12th, 2015 2:39pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics