Access Denied when editing GPO

  • Thread starter Thread starter trdonavan@localhost
  • Start date Start date
T

trdonavan@localhost

I am getting the message "Access is denied. Failed to save \\<domain
name>\Sysvol\<domain
name>\policies\<guid>\Machine\Microsoft\Windows\Windows
NT\SecEdit\GptTmpl.inf. Make sure that you have the right permissions
to this object."

This is a GPO that I plan to use for all workstations for the domain
but it is not linked to anything but a test OU with a single test
machine in it at the moment.

I was editing this on the single Domain Controller for the domain. I
am a member of Domain Admins. I also logged in and attempted an edit
with the original Administrator's account with no luck.

In the GPMC, when I select the GPO and select the Delegate Tab on the
right side of the screen, the Domain Admins was set to "Custom" which I
did not understand. I right-clicked and selected "Edit Settings,
Delete, Modify Security" for Domain Admins but the problem persisted.

When I navigate to c:\windows\sysvol\sysvol\<domain name>\policies\ and
view the properties on the various folders with guids as names I notice
that rather than Domain Admins as owner, the owner is the netbios
domain name followed by "Administrators". I believe this is the local
Administrators account after the computer is promoted to DC. Domain
Admins also has full control over all of the guid folders.

I have done a thorough search of all messages in this group mentioning
"Access Denied" and none seem to apply here.

Any suggestions would be greatly appreciated.
 
Hi Troy,

Try to use GPMC and go to the GPO, see if it lets you fix your problem.

br,
Denis
 
I checked the "Owner" on some of the GPO folders on my DC (a small one I
have at home that has essentially the default security setup). The top
folder (the one with the GUID as its name) has "Domain Admins
(DomainName\Domain Admins)" as the Owner, but the folders below that (e.g.
Adm, Machine, User) have "Administrators (DomainName\Administrators)" as the
Owner.

On a Domain Controller, there aren't any "Local User Accounts", only "Domain
User Accounts" (Administrators is a group, but the same principle applies).

Check the membership of the Administrators group; you should see this group
in the "Builtin" folder in Active Directory Users and Computers. By
default, Administrator, Domain Admins and Enterprise Admins are members of
the Administrators group in a Domain. Whatever account you are using GPMC
under will need to be a member (directly or through group nesting) of the
Administrators group.
 
Thanks for the reply, Bruce.

Domain Admins is a member of the Administrators group and so is my
account. I'm not sure what else could be wrong.

TIA
 
Back
Top