"Failed to Open the Group Policy Object" Error Message Occurs When You Try to Open a Policy As a Domain Administrator

When you log on using a Domain Administrator account, if you try to open a policy, the following message may be displayed: When you try to open the properties of this Group Policy object (GPO), you may receive the following error message:

This issue may occur if either of the following conditions exist:

• The Domain Administrators group has been denied access to the GPO.
• The primary domain controller (PDC) operations master (also known as flexible single master operations or FSMO) of your Windows 2000 domain is down.

To resolve this issue, use the method for your cause.

The Domain Administrators Group Has Been Denied Access to the GPO

Use an account that has the appropriate permissions to restore the permissions to the GPO. If no other accounts have permissions to restore the permissions to the GPO, reset the permissions for the account or group that has been denied access to the GPO.

You can use the DSACLS tool that is included in the Support Tools for Windows 2000 and Windows Server 2003, to remove the Deny Access permissions from the Domain Administrators group. You must know the distinguished name (also known as DN) of the GPO to use this tool. Use the ADSIEdit.msc tool that is included in the Support Tools for Windows 2000 and Windows Server 2003, to determine the distinguished name of the GPO in Active Directory.

To reset permissions:

1. Start ADSIEdit.msc on the PDC emulator.
   
   NOTE: To determine the PDC emulator operations masters role owner, right-click the domain name in the Active Directory Users and Computers snap-in, click Operations Masters, and then click the PDC tab.
2. Under ADSIEdit, click Domain NC, and then locate the following container:
   Domain_Name container\CN=System\CN=Policies container
   The right pane lists the global universal identification numbers (GUIDs) for all the GPOs in the domain.
3. Locate the policy that has been restricted, and then note the distinguished name of this object, for example:
   cn={f5e14b83-0181-437e-878c-8d16cb945d68},cn=policies,cn=system,dc=jlc,dc=com
   NOTE: The restricted policy is displayed with a notepad icon; the other policies are displayed with folder icons.
4. Use DSACLS to remove the Deny Access permissions that have been assigned to Domain Administrators group. Use the following syntax:
   dsacls distinguished_name /R "domain_name\domain admins"
   For example:
   dsacls cn={f5e14b83-0181-437e-878c-8d16cb945d68},cn=policies,cn=system,dc=jlc,dc=com /R "JLC\Domain Admins"
5. Use DSACLS with the /g switch to grant access to the Domain Administrators group. Use the following syntax:
   dsacls distinguished_name /G "domain_name\domain admins":GA
6. On the PDC emulator, start Microsoft Windows Explorer, and then browse to the Winnt\Sysvol\Sysvol\Domain_name\Policies folder. The GUID for the restricted GPO is listed in this folder.
7. Right-click the GUID for the GPO, click Properties, click the Security tab, and then give the Domain Administrators group Full Control permissions.
8. Check the subfolders under this GPO object to confirm that domain administrators also have rights to these folders.

After you complete this procedure, if you log on using a Domain Administrator account, you can open and edit this GPO.

The PDC Operations Master of Your Windows 2000 Domain Is Down

Resolve the issue that has made the PDC operations master of your Windows 2000 domain unavailable.