Group Policy Issues



Hi

We have a 3 forest single-site AD setup, all Windows 2003 Server.
2 of them are Windows 2003 Server SP1, one is not.

Up until recently, I've been able to modify any GP Object on any forest
without trouble. Today however I am able to view the GPOs, they apply on
computers but I cannot modify them. I'm a Domain Admin/Enterprise Admin and
am a member of Group Policy Creator Owners group also. The 'Default Domain
Controller Policy' is fine, I can edit that one, but any others I cannot
unless I recreate them.

When I try to edit, I can open them in GPMC, open them in the editor but
when I try to change a setting it says "Group Policy snap-in was unable to
save changes - Access Denied".

I have never seen this error before, I have checked the GPO ACLs (both on
the GPO itself and the file permissions in SYSVOL). They are identical and I
have full permissions on the GP Objects.

Even if I login as Administrator (domain admin) on a PDC, I cannot edit the
GPOs as it gives me exactly the same error message. Even using our
'emergency' admin account (which has all permissions explicitly set), cannot
edit the policies.

They apply as normal (using GPRESULT/RSoP) however, just not modified by any
Admin user (whether that's an admin in our ITTeam security group or Domain
Admins).

If anyone has ANY ideas, no matter how far-fetched it may be, I'll be happy
to listen and try things - I'd much rather fix this up (and hopefully know
what caused it) than rebuild the entire raft of group policies that exist on
the site.

(On a separate note, I assume that assigning rights using Delegation of
Control Wizard for our IT group, giving them full control on each DC with
GPOs is the correct way to give them the ability to edit GP objects
cross-forest?)