Problem with Domain Forest
Hi All,
I have a problem with my domain: the domain administrator is missing privileges to edit/create GPOs.
What happened?
One guy here at the enterprise tried to create a new DC. The installation was wrong: he added a new domain (child domain) and then removed it.
So now I have some problems with rights administration.
I tried many procedures to remove this child domain and none of them worked!
Can you help me, please? Any solution?
Best Regards,
Danilo.
July 20th, 2012 9:36am
Hey Danfernandes, try dcdiag to get additional information about what is going on with your domain.
July 20th, 2012 10:16am
hi kofiernest,
look:
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DCPrimary
Starting test: Connectivity
......................... DCPrimary passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DCPrimary
Starting test: Replications
......................... DCPrimary passed test Replications
Starting test: NCSecDesc
......................... DCPrimary passed test NCSecDesc
Starting test: NetLogons
......................... DCPrimary passed test NetLogons
Starting test: Advertising
......................... DCPrimary passed test Advertising
Starting test: KnowsOfRoleHolders
......................... DCPrimary passed test KnowsOfRoleHolders
Starting test: RidManager
......................... DCPrimary passed test RidManager
Starting test: MachineAccount
......................... DCPrimary passed test MachineAccount
Starting test: Services
......................... DCPrimary passed test Services
Starting test: ObjectsReplicated
......................... DCPrimary passed test ObjectsReplicated
Starting test: frssysvol
......................... DCPrimary passed test frssysvol
Starting test: frsevent
......................... DCPrimary passed test frsevent
Starting test: kccevent
......................... DCPrimary passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000457
Time Generated: 07/20/2012 11:39:57
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 07/20/2012 11:39:58
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 07/20/2012 11:39:58
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 07/20/2012 11:39:59
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 07/20/2012 11:39:59
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 07/20/2012 11:40:01
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 07/20/2012 11:40:02
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 07/20/2012 11:40:03
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 07/20/2012 11:40:03
(Event String could not be retrieved)
......................... DCPrimary failed test systemlog
Starting test: VerifyReferences
......................... DCPrimary passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : domain
Starting test: CrossRefValidation
......................... domain passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... domain passed test CheckSDRefDom
Running enterprise tests on : domain.com.br
Starting test: Intersite
......................... domain.com.br passed test Intersite
Starting test: FsmoCheck
......................... domain.com.br passed test FsmoCheck
July 20th, 2012 10:39am
Your DC is in a healthy state. Please check security permissions on your GPOs and grant yourself the needed rights.
July 20th, 2012 11:44am
Your dcdiag log looks good, as stated before. Did you use any switches with the command?
Can you check the security settings on the GPO object you are trying to edit? What else can't you do using the default administrator account? Can you create a new account? If so, create a new account, add it to the administrators and domain administrator groups, and see if you are able to do the things you could not do before.
July 20th, 2012 12:06pm
Hi Mr X,
All DCs are working normally. I can't edit GPOs; I receive a message that my domain administrator doesn't have permissions.
I think the permissions went missing when the guy removed that secondary DC with the wrong installation.
regards,
July 20th, 2012 12:56pm
Hi,
So, I can't edit GPOs with the administrator or another user. I received a message that I don't have rights.
Another thing: when I try to access the Sysvol share, \\domain.com.br, it's the same thing, I receive a message that I don't have rights.
regards,
Danilo.
July 20th, 2012 1:06pm
Hey, how is your Event Viewer? Are there any logs that might help? Take a look at this:
http://support.microsoft.com/kb/281146
July 20th, 2012 1:27pm
I'm receiving event IDs 1030 and 1058. I looked for these events on the internet and tried all the procedures that I found to solve this issue, but no success!
July 20th, 2012 1:32pm
Hello Danilo,
Try to access the SYSVOL share using \\server name\sysvol instead of \\domain.com\sysvol\ and check for a difference. If you can access \\server name\sysvol, we can suspect that there might be some network issue.
For event ID 1058 please refer to: http://technet.microsoft.com/en-us/library/cc727259(v=WS.10).aspx & http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/460325fb-c19c-4593-9de0-de55067a408c/
For event ID 1030 please refer to: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=1030&EvtSrc=Userenv&LCID=1033
Regards, Ravikumar P
July 20th, 2012 8:08pm
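The SYSVOL comparison suggested in the last reply can be scripted so that every domain controller is checked the same way. This is an added example, not code from any poster in the thread; the function name `Test-SysvolPath` is hypothetical, and it assumes a domain-joined machine with PowerShell, run as the account that is being denied.

```powershell
# Added example (not from the thread). Compares SYSVOL access through the
# domain name and through each DC's own name, then shows the folder ACL.
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$targets = @($domain.Name) + @($domain.DomainControllers | ForEach-Object { $_.Name })

function Test-SysvolPath {   # hypothetical helper name
    param([string]$HostName, [string]$DomainName)
    $policies = "\\$HostName\SYSVOL\$DomainName\Policies"
    $result = New-Object PSObject -Property @{
        Path = $policies; Reachable = $false; GpoFolders = 0
        UnreadableGptIni = @(); Error = $null
    }
    try {
        # GPO folders are named by GUID, e.g. {xxxxxxxx-....}
        $folders = @(Get-ChildItem -Path $policies -ErrorAction Stop |
                     Where-Object { $_.PSIsContainer -and $_.Name -like '{*}' })
        $result.Reachable  = $true
        $result.GpoFolders = $folders.Count
        foreach ($f in $folders) {
            # Each GPO folder should contain a readable gpt.ini
            $gpt = Join-Path $f.FullName 'gpt.ini'
            try   { Get-Content -Path $gpt -TotalCount 1 -ErrorAction Stop | Out-Null }
            catch { $result.UnreadableGptIni += $f.Name }
        }
    } catch {
        # Keep the exact error: "access denied" and "path not found" differ
        $result.Error = $_.Exception.Message
    }
    $result
}

$report = foreach ($t in $targets) {
    Test-SysvolPath -HostName $t -DomainName $domain.Name
}
$report | Format-List Path, Reachable, GpoFolders, UnreadableGptIni, Error

# Show who holds which rights on the Policies folder via the first working path
$ok = $report | Where-Object { $_.Reachable } | Select-Object -First 1
if ($ok) {
    (Get-Acl -Path $ok.Path).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}
```

If the per-DC paths are readable while the domain-name path is not, that matches the name-resolution or network case raised in the reply; if every path returns an access error, the ACL listing is the place to look for the missing administrator entries.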