Failed to open Group Policy Object
Wednesday, September 29, 2010
In the past 6 months, I’ve run into an error whereby I can not open the Group Policy Object on a local computer. The error is “Failed to open the Group Policy Object on this computer. You may not have appropriate rights.” In the details pain, it reads Unspecified error.
I know it’s not a permissions issue directly, as I am running as the built-in administrator on this machine. I believe the problem has to do with the machine not being shutdown properly. The first time I saw this happen was when I was building up a new PC from an image and had a hardware problem that caused the machine to reboot. Once deployed, these machines can be shutdown on a whim, leading me to believe this is the cause.
Off to Bing I went, and the first thing I found was a tool on the Microsoft Download Center for restoring the default group policy on Windows 2000. The page also mentioned that for Windows Server 2003, you should use the dcgpofix.exe tool. Well, I didn’t have that tool and I’m running Windows 7 anyway, so it was off to do some more searching.
After awhile I came across a forum post that said all you have to do is delete the contents of the GroupPolicy folder in C:WindowsSystem32. This is a system folder, so you need to enable the option to view those. On Windows 7 press alt to see the toolbar menu option, and then click toolsfolder options. Click on the view tab and then uncheck Hid protected operating system files.
Now navigate to C:windowssystem32 and locate the group policy folder. I made a copy of this folder and pasted it to another location just in case. Then I went into it and deleted the contents of the machine folder, as it was the only folder with something in it (Scripts folder and Registry.pol). I felt pretty good about doing this, because I checked my own PC and saw that there was nothing in that folder, since I’ve never made any changes to my local group policy.
After deleting the contents of the machine folder, I was once again able to gain access to the local group policy MMC snap in. However, while the setting I needed to change was shown as not configured, the policy was still in place. I had to select disabled, then click apply for the actual policy to be removed. I made my change and then replied the policy. I went back to the Group Policy folder because I wanted to see what had changed. There was just a Registry.pol, but it now had a single string value that contained what looked like a registry key.
Sure enough I went thru the registry and found the setting.
I’m not a group policy expert, and this may be common knowledge, but it looks like changes made to the group policy thru the MMC snap in are recorded in the Registry.pol file, and are actually applied to the registry. So now I know, and now I have another place I can go to if I have to disable this policy setting.