RE: Group Policy Issues



I checked the event viewer on the DCs and didn't see anything odd, however
I'll check again with this new info.

It does sound more and more like I'm going to have to blanket-wipe all GPOs
on the affected domain (after backing them up) and manually recreate them,
but I'll do that AFTER I check SMB signing (which I think is at the default
setting).

If anyone has any other ideas - please, let me know before I wipe my GPOs
when I didn't need to! :)

"JSilva" wrote:

> I've seen something similar to this before. Actually I've seen this twice.
>
> In the first instance, the default policies were corrupt.
> I had to recreate them using recreatedefpol.exe for Windows 2000 DCs or
> dcgpofix.exe for Windows 2003.
>
> The downfall is that it is going to destroy any policies you had in place
> for the Default Domain Policy and the Default Domain Controllers Policy.
>
>
> The second instance where I have seen this is outlined in the following
> article
> http://support.microsoft.com/default.aspx?scid=kb;en-us;839499
>
> You may also want to make sure that FRS is working correctly.
>
> Hope this helps.
>
> Jason Silva
>
>
>
> "Arkane" wrote:
>
> > Hi
> >
> > We have a 3 forest single-site AD setup, all Windows 2003 Server.
> > 2 of them are Windows 2003 Server SP1, one is not.
> >
> > Up until recently, I've been able to modify any GP Object on any forest
> > without trouble. Today however I am able to view the GPOs, they apply on
> > computers but I cannot modify them. I'm a Domain Admin/Enterprise Admin and
> > am a member of Group Policy Creator Owners group also. The 'Default Domain
> > Controller Policy' is fine, I can edit that one, but any others I cannot
> > unless I recreate them.
> >
> > When I try to edit, I can open them in GPMC, open them in the editor but
> > when I try to change a setting it says "Group Policy snap-in was unable to
> > save changes - Access Denied".
> >
> > I have never seen this error before, I have checked the GPO ACLs (both on
> > the GPO itself and the file permissions in SYSVOL). They are identical and I
> > have full permissions on the GP Objects.
> >
> > Even if I login as Administrator (domain admin) on a PDC, I cannot edit the
> > GPOs as it gives me exactly the same error message. Even using our
> > 'emergency' admin account (which has all permissions explicitly set), cannot
> > edit the policies.
> >
> > They apply as normal (using GPRESULT/RSoP) however, just not modified by any
> > Admin user (whether that's an admin in our ITTeam security group or Domain
> > Admins).
> >
> > If anyone has ANY ideas, no matter how far-fetched it may be, I'll be happy
> > to listen and try things - I'd much rather fix this up (and hopefully know
> > what caused it) than rebuild the entire raft of group policies that exist on
> > the site.
> >
> > (On a separate note, I assume that assigning rights using Delegation of
> > Control Wizard for our IT group, giving them full control on each DC with
> > GPOs is the correct way to give them the ability to edit GP objects
> > cross-forest?)