Group Policy Editing - "Access is denied"

  • Thread starter Thread starter Fawke101
  • Start date Start date
F

Fawke101

Hi there,

I am having a bad issue with applying Group Policy in our windows 2000 DC.

We have alot of policies currently setup. But now when we try to edit any
Group Policy (admin templates, then editing relevant policy - change to
enabled/disabled/not configured and click apply or OK) it comes up with
"access denied". The state of the policy "seems" to change in the console,
but everytime you click apply or ok it says access denied.

I have given the administrator, domain admins, all full control at the
relevant levels - but i cannot for the life of me get rid of this message!

Help!!

Thanks
 
Look in Event Viewer on the domain controller to see if any pertinent
messages are recorded and run the support tools netdiag, dcdiag, and gpotool
to make sure all is reported as well. Those tools will report any dns,
network connectivity, replication problems, etc. The user modifying the
Group Policy will also need at least read and write permissions to that
Group Policy. --- Steve
 
I have just created a new OU in ADU+C and created a new policy to it. This
worked fine - without the "access denied" message.
Not sure if that means the existing policies are corrupt? But the templates
seem fine.

Cheers

Fawke
 
If the permissions are fine for the problem Group Policy then there may be
some sort of corruption. I would be sure to run gpotool to see if anything
unusual is reported with version numbers or replication. If you have a copy
of the System State from a domain controller at a time before this all
started happening, you might try an authoritative restore of it. There is a
tool called recreatedefpol.exe that can be used to repair create new default
GPO for domain or domain controller as shown in the link below. For the
future you might want to consider using Group Policy Management Console
which will allow you to backup Group Policy settings. It can be used in a
Windows 2000 domain if you have an XP Pro domain computer that it could be
installed on. --- Steve

http://www.microsoft.com/downloads/...ae-b7dd-4bb5-ab2a-976d6873129d&DisplayLang=en
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
 
Check the security on the GPO that you get Access Denied on:

1. in GPMC, select the GPO
2. select the Delegation tab in the right pane
3. click the Advanced button
4. click the Advanced button (on the Security tab) - check if you are a
member of any of the groups that have Write
5. click Owner

GPOs live in the Group Policy Objects container, not in whatever OU they are
linked to; (from what I have observed) permissions are inherited from the
Group Policy Objects container, not any OU they happen to be linked to. If
the person creating the GPO is not a member of specific built-in groups
(e.g. Domain Admins), the creator's User Account becomes the Owner of the
GPO and thus can edit it. However, the Group to which GPO administration
has been delegated and that person is a member of, is not automatically
added to permissions list for that GPO. So, if

a: you are not a member of one of the Domain wide groups (e.g. Domain
Admins) that can automatically edit GPOs
and
b: did not create the GPO in question

you won't automatically have permission to edit the GPO.

In this situation (delegated permission to create, edit and link GPOs),
whoever creates a new GPO must grant the delegated to Group permission to
edit the GPO (e.g. Full Control).

We ran into this where I work. The domain is large (over 20,000 users and
computers). Each department has an OU and can administer that OU. In the
department I work in, we have staff that manages user accounts, Group
membership, share permissions on File Servers, workstation computers etc.
Those that look after the domain took the approach (rightly in my opinion)
that the ability to manage GPOs should be restricted to a smaller subset, so
created a particular group for each department and only added selected
people to those groups. The department specific GPO management Group is
specifically granted permission to create and link GPOs to the department's
OU (inherited downwards). When a member of the GPO management Group creates
a new GPO, the GPO management Group does NOT get added to that GPOs
permission's list. Part of the process of creating a GPO is to grant that
Group Full Control over the new GPO so that other members of the Group can
edit it in the future.

I'm not sure if I have explained this very well - please ask for
clarification as required.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
 
Back
Top