Problem started with a new DC in a new site not being able to access the Windows Update site giving the "Administrators Only" error. That was odd as we were logged in with the administrator username. We can access the Windows Update site on the DC in the original site with the same user name.
The exact problem is described in this Q article "Cannot Access Group Policy Objects--Event ID 1000 and Event ID 1001 Logged http://support.microsoft.com/?kbid=258296 " Unfortunately, the fix was already in place so was not relevant. Looking at the GUID of the GPO in the Event Log, I cannot see it in the SYSVOL folder - it's just not there. After some troubleshooting, found that on both DC's, I cannot open the Default Domain Controllers Policy object with an error of: "Failed to open the Group Policy Object. You may not have appropriate rights. Details The system cannot find the path specified." To attempt to rectify this, I renamed the Default Domain Controllers Policy object and then created a new Default Domain Controller Policy and disabled the renamed one. After using secedit /refreshpolicy for both machine and user, I forced replication and could see the new policy and the old, renamed disabled policy in the other DC in the new site. I logged out and back in as the administrator but unfortunately, this did not fix the problem - I could not access the Default Domain Controller Policy with the same error, and received the same issue with Windows Update. I tried deleting the renamed object, yet I could not. The system did not give any errors, but when I confirmed YES to delete it, it was still there. Any suggestions on how to proceed? List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
