RE: Group Policy Issues
- From: JSilva <JSilva@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 16 Aug 2005 12:29:01 -0700
Iv'e seen something similar to this before. Actually I've seen this twice.
In the first instance, the default policies were corrupt.
I had to recreate them using recreatedefol.exe for Windows 2000 DC's or
dcgpofix.exe for Windows 2003.
The downfall is that it is going to destroy any policies you had in place
for the Default Domain Policy and the Default Domain Controllers Policy.
The second instance where i have seen this is outlined in the following
article
http://support.microsoft.com/default.aspx?scid=kb;en-us;839499
You may also want to make sure that FRS is working correctly.
Hope this helps.
Jason Silva
"Arkane" wrote:
> Hi
>
> We have a 3 forest single-site AD setup, all Windows 2003 Server.
> 2 of them are Windows 2003 Server SP1, one is not.
>
> Up until recently, I've been able to modify any GP Object on any forest
> without trouble. Today however I am able to view the GPOs, they apply on
> computers but I cannot modify them. I'm a Domain Admin/Enterprise Admin and
> am a member of Group Policy Creator Owners group also. The 'Default Domain
> Controller Policy' is fine, I can edit that one, but any others I cannot
> unless I recreate them.
>
> When I try to edit, I can open them in GPMC, open them in the editor but
> when I try to change a setting it says "Group Policy snap-in was unable to
> save changes - Access Denied".
>
> I have never seen this error before, I have checked the GPO ACLs (both on
> the GPO itself and the file permissions in SYSVOL). They are indentical and I
> have full permissions on the GP Objects.
>
> Even if I login as Administrator (domain admin) on a PDC, I cannot edit the
> GPOs as it gives me exactly the same error message. Even using our
> 'emergency' admin account (which has all permissions explicitly set), cannot
> edit the policies.
>
> They apply as normal (using GPRESULT/RSoP) however, just not modified by any
> Admin user (whether that's an admin in our ITTeam security group or Domain
> Admins).
>
> If anyone has ANY ideas, no matter how far-fetched it may be, I'll be happy
> to listen and try things - I'd much rather fix this up (and hopefully know
> what caused it) than rebuild the entire raft of group policies that exist on
> the site.
>
> (On a seperate note, I assume that assigning rights using Delegation of
> Control Wizard for our IT group, giving them full control on each DC with
> GPOs is the correct way to give them the ability to edit GP objects
> cross-forest?)
.
- Follow-Ups:
- RE: Group Policy Issues
- From: Arkane
- RE: Group Policy Issues
- References:
- Group Policy Issues
- From: Arkane
- Group Policy Issues
- Prev by Date: RE: Authentication in a multi-domain forest
- Next by Date: Re: SBS email accounts
- Previous by thread: Group Policy Issues
- Next by thread: RE: Group Policy Issues
- Index(es):
Relevant Pages
|
