Re: HELP with GPO security




How about resetting the rights on the GPO?


http://support.microsoft.com/?kbid=226243



--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


"Max A. Samohin" <anubis@xxxxxxxxxxx> wrote in message
news:uiRv1Y33FHA.3600@xxxxxxxxxxxxxxxxxxxxxxx
I can't open Active Directory as domain admin to make any changes on
OUs. I can open only Configuration and Schema in ADSI Edit. Also I can
open Domain there, but under common user profile and therefore there is
no way to change permissions, I can read attributes only.
I think the only way is to replace permissions in the registry, but I'm
not sure what key is responsible for it.

Thanks,
Max A. Samohin


--
Max A. Samohin
Asst. System Manager
+996 (312) 551241 ext. 4419
U.S. Embassy Bishkek
Kyrgyz Republic

"Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:%23xsxBYu3FHA.1188@xxxxxxxxxxxxxxxxxxxxxxx
I'm not positive this will work but give the following a try, it works for
files and folders.

Right click on the OU and select properties, select the security tab,
select the "Advanced" button, select the Owner tab. If you don't see the
Domain Admin here add him and then make him the owner. Then go back and
try to remove the deny permissions.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


"Max A. Samohin" <anubis@xxxxxxxxxxx> wrote in message
news:OXn0F7q3FHA.3900@xxxxxxxxxxxxxxxxxxxxxxx
Here is a problem. Accidentally we have denied access for domain admins to
read Domain policies. As a result, we can't open AD at all. I've attached
screenshots, made from the ADSIEDIT utility. It's opening under a user
account only and I can't edit anything there, just read; also I can't open
it under the admin account accordingly. How can I change permissions back?
Is there any way to do that via the system registry or any other way? Or
maybe delegate rights via script to a common user to modify accounts and
then change permissions under the ADSIEDIT utility. Is that possible?


Thanks in advance,

--
Max A. Samohin



