Re: Access Denied when editing GPO



I checked the "Owner" on some of the GPO folders on my DC (a small one I
have at home that has essentially the default security setup). The top
folder (the one with the GUID as its name) has "Domain Admins
(DomainName\Domain Admins)" as the Owner, but the folders below that (e.g.
Adm, Machine, User) have "Administrators (DomainName\Administrators)" as the
Owner.

On a Domain Controller, there aren't any "Local User Accounts", only "Domain
User Accounts" (Administrators is a group, but the same principle applies).

Check the membership of the Administrators group; you should see this group
in the "Builtin" folder in Active Directory Users and Computers. By
default, Administrator, Domain Admins and Enterprise Admins are members of
the Administrators group in a Domain. Whatever account you are using GPMC
under will need to be a member (directly or through group nesting) of the
Administrators group.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"trdonavan@localhost" <trdonavan@xxxxxxxxx> wrote in message
news:1119498592.378279.311460@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>I am getting the message "Access is denied. Failed to save \\<domain
> name>\Sysvol\<domain
> name>\policies\<guid>\Machine\Microsoft\Windows\Windows
> NT\SecEdit\GptTmpl.inf. Make sure that you have the right permissions
> to this object."
>
> This is a GPO that I plan to use for all workstations for the domain
> but it is not linked to anything but a test OU with a single test
> machine in it at the moment.
>
> I was editing this on the single Domain Controller for the domain. I
> am a member of Domain Admins. I also logged in and attempted an edit
> with the original Administrator's account with no luck.
>
> In the GPMC, when I select the GPO and select the Delegate Tab on the
> right side of the screen, the Domain Admins was set to "Custom" which I
> did not understand. I right-clicked and selected "Edit Settings,
> Delete, Modify Security" for Domain Admins but the problem persisted.
>
> When I navigate to c:\windows\sysvol\sysvol\<domain name>\policies\ and
> view the properties on the various folders with guids as names I notice
> that rather than Domain Admins as owner, the owner is the netbios
> domain name followed by "Administrators". I believe this is the local
> Administrators account after the computer is promoted to DC. Domain
> Admins also has full control over all of the guid folders.
>
> I have done a thorough search of all messages in this group mentioning
> "Access Denied" and none seem to apply here.
>
> Any suggestions would be greatly appreciated.
>
> --
> Troy
>
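
The two checks suggested in the reply above (folder owners under the Policies share, and whether the account running GPMC ends up in the Administrators group) can be scripted. This is an added example, not code from either poster; it assumes PowerShell 3.0 or later, that `$env:USERDNSDOMAIN` holds the domain's DNS name, and that it is run as the account used for GPMC.

```powershell
# Added example: run as the account that gets "Access is denied" in GPMC.
# Assumption: the domain DNS name is in $env:USERDNSDOMAIN.
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"

# 1. Is BUILTIN\Administrators (well-known SID S-1-5-32-544) in the logon token?
#    The token reflects membership through group nesting as well as direct
#    membership. On systems with UAC, run this from an elevated session,
#    otherwise the group is filtered out of the list.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$inAdmins = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
'{0} has BUILTIN\Administrators in its token: {1}' -f $identity.Name, $inAdmins

# 2. For every GPO folder (named with a GUID) and its first-level subfolders
#    (Adm, Machine, User), report the owner and who holds Modify or better.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify

Get-ChildItem -Path $policies -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
    ForEach-Object {
        $folders = @($_) + @(Get-ChildItem -Path $_.FullName -Directory)
        foreach ($folder in $folders) {
            $acl = Get-Acl -Path $folder.FullName
            # Allow ACEs whose rights include Modify. ACEs expressed as generic
            # rights (numeric values) are not matched by this simple test.
            $writers = $acl.Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    (($_.FileSystemRights -band $modify) -eq $modify)
                } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique
            [pscustomobject]@{
                Folder      = $folder.FullName.Substring($policies.Length + 1)
                Owner       = $acl.Owner
                ModifyOrFull = $writers -join '; '
            }
        }
    } | Format-Table -AutoSize -Wrap
```

If the first line reports `False`, or the folder that holds GptTmpl.inf lists no group the account belongs to, that matches the situation the reply describes.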

