Windows Server 2008 R2 Thread, Group policy Inaccessible in Technical
  1. #1

    Group policy Inaccessible

    I have taken over administration of a Windows 2008 R2 domain and something I have noticed is that in group policies there are 3 policies that say Inaccessible and have a no entry sign over the icons for them. It says "This GPO is inaccessible because you do not have read-level permission on it."

    However I am logged onto the domain controller as the domain Admin and still getting that error. I have tried logging onto the server as every other user that has access to log onto the server but still getting that same message. Also tried accessing it from a user computer logged on as an admin.

    Is there any way I can see which user would have access to these GPOs? Or is there a way I can take ownership of them?

  2. #2

    ZeroHour
    I have had to fix permissions before on a GP which caused the problem you have but it was ages ago.
    To find the odd permissions (if I recall) try out AccessEnum on the policies directory {DRIVE}\Sysvol\{Domain}\Policies\, and post your findings here, ideally before changing anything.

  3. #3

    Thanks ZH,

    I tried that and got 4 Access is denied errors when I scanned. The rest showed the group policies I can see and who was allowed Read, Write and Deny access.

    When I right click and try to go to properties or explore it says windows cannot find C:\windows\sysvol\etc.. etc..
    Last edited by phreak; 8th August 2012 at 04:24 PM.

  4. #4

    ZeroHour
    Quote: Originally posted by phreak
    Thanks ZH,

    I tried that and got 4 Access is denied errors when I scanned. The rest showed the group policies I can see and who was allowed Read, Write and Deny access

    Are they GUID based folder names?
    Are the other policy folders inheriting their permissions?
    If so you could reset the policies folders permissions to match (inherit) but don't blame me if the server blows up, I just think that's what I did before but it was ages ago.
    If you get rights I would modify the now working policies with a change just to force propagation.
    Last edited by ZeroHour; 8th August 2012 at 04:26 PM.

  5. #5

    Yes, they are GUID.
    None of the others are inheriting the permissions. But what I tried was to force access to my account onto it, when I try to change the security however I get Access denied. Although for one of the rules it did actually push the setting through and I can see it in GPMC now.
    I also tried giving myself permissions through ADSIedit however that didn't seem to make any difference.

    Unfortunately the 1 that seems to be stubbornly not accepting changes is the one I need to get to.

  6. #6

    glennda
    I think you will need to change the ownership of the folders and then set the permissions.
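
The permission audit discussed in posts #2 and #4, as an added PowerShell example that is not part of the original thread: it is read-only and lists, for each GUID-named GPO folder, the owner, whether inheritance is blocked, any Deny entries, and which folders cannot be read at all. The function name `Get-GpoFolderAclReport`, the `$PoliciesPath` parameter and the `example.local` domain are hypothetical placeholders; the script sticks to PowerShell 2.0 syntax, as shipped with Windows Server 2008 R2.

```powershell
# Added example: read-only audit of GPO folder ACLs under SYSVOL. Changes nothing.
# $PoliciesPath is a placeholder; use your own {DRIVE}\Sysvol\{Domain}\Policies path.
param(
    [string]$PoliciesPath = 'C:\Windows\SYSVOL\sysvol\example.local\Policies'
)

function Get-GpoFolderAclReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    # GPO folders are named after the GPO GUID, wrapped in braces.
    $folders = Get-ChildItem -LiteralPath $Path -Force |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' }

    foreach ($folder in $folders) {
        $row = New-Object PSObject -Property @{
            Folder = $folder.Name; Status = 'OK'; Owner = $null
            InheritanceBlocked = $null; DenyRules = $null; Error = $null
        }
        try {
            $acl = Get-Acl -Path $folder.FullName -ErrorAction Stop
            $row.Owner = $acl.Owner
            # True means the folder does not inherit from the Policies parent.
            $row.InheritanceBlocked = $acl.AreAccessRulesProtected
            # Explicit Deny entries override any Allow granted to administrators.
            $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
            if ($deny.Count -gt 0) {
                $row.Status = 'HasDeny'
                $row.DenyRules = ($deny | ForEach-Object {
                    '{0}:{1}' -f $_.IdentityReference, $_.FileSystemRights
                }) -join '; '
            }
        }
        catch {
            # The "Access is denied" case from the thread: the ACL itself is unreadable.
            $row.Status = 'Unreadable'
            $row.Error = $_.Exception.Message
        }
        $row | Select-Object Folder, Status, Owner, InheritanceBlocked, DenyRules, Error
    }
}

Get-GpoFolderAclReport -Path $PoliciesPath |
    Sort-Object Status, Folder |
    Format-Table -AutoSize -Wrap
```

Folders reported as `Unreadable` are the ones the ownership change suggested in post #6 would apply to; comparing `Owner` and `InheritanceBlocked` against a working GPO folder shows what the broken ones should look like afterwards.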
