GPO Changes Can Be Written to Different Domain Controllers If the User Is Not a Local Administrator

• Microsoft Windows 2000 Advanced Server
• Microsoft Windows 2000 Datacenter Server
• Microsoft Windows 2000 Professional
• Microsoft Windows 2000 Server

SYMPTOMS

If a user creates a new Group Policy Object (GPO) and then immediately tries to open the GPO to edit it, the follow error message may occur:

The system cannot find the path specified.

CAUSE

This behavior can occur if the user making the changes to the GPO (to which the user has been delegated change permissions) is not a domain or enterprise administrator and is also not a member of the local Administrators group.

When you use the Group Policy snap-in, the data written to the SYSVOL portion of the GPO may not be written to the same domain controller as the data written to the Active Directory portion of the GPO.

RESOLUTION

Clients behave properly regarding this inconsistency; Active Directory and the File Replication service (FRS) take care of synchronizing the two components. However, if the user who is modifying the GPO specifies the domain controller on which to make the GPO changes, the SYSVOL data may not be present because of the reason described above. In the case of a new GPO, the user must wait for the SYSVOL data to be replicated to the domain controller that is targeted in the Group Policy snap-in before the user can edit the GPO.

STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article.

Additional query words:

Keywords : kbenv kbtool
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbprb