Permission issues with Sysvol when editing a GPO from a DC?

    Question

  • This is a weird one on a 2008R2 domain.  I log in to the domain with a normal user account. I can elevate to launch gpmc.msc as a domain admin, but I get permission issues when trying to add something to sysvol.  For these reasons, it is usually just easier to remote into a DC and run gpmc.msc as a domain admin.

    I have noticed that if I remote into a DC and launch gpmc.msc (while pointing gpmc to the local DC that I am also logged into) that I get permission denied when trying to copy scripts into the startup folder, etc.  The weird thing is if I point gpmc.msc to any other DC (does not have to be the PDC emulator) and do the exact same thing, it will allow me to copy the file in.  I have seen this on multiple DCs and have disabled AV, etc.  Anyone have any ideas on why gpmc.msc must be pointed to a different DC to give me the permissions to copy some files into the sysvol location of a GPO?  At first I thought I had some sysvol permission issues, but now it seems to be something else.

    Thanks,


    Dave





    • Edited by DaveBryan37 Monday, November 2, 2015 7:53 PM
    Monday, November 2, 2015 7:44 PM

All replies

  • Does your domain replicate well?
    Thursday, November 5, 2015 8:30 AM
  • Hi,
     
    Did you run the GPMC using "Run as administrator" (If UAC is enabled)?
     
    Also, have a check on the NTFS File permissions and Share Permissions of the directory and see if you have the correct permission.
     

    Regards,

    Ethan Hua


    Thursday, November 5, 2015 8:53 AM
    Moderator
  • Thanks for the suggestions.  Domain replication is good according to MS replication tool, and dcdiag looks normal as well.  I did try launching gpmc.msc as an administrator, but same issue.  I always have problems if I log in to any DC and point to itself in gpmc.msc.  If I log in to a DC and direct gpmc.msc to any other DC and do the same thing, then it lets me copy files into Computer Config->Policies->Windows Settings->Scripts->Startup.

    I am not sure how many people are still running 2008r2 DCs, but if anyone still has 2008r2 and can log in and test on theirs and let me know I would really appreciate it.  Just remember to point the DC to itself in gpmc when testing, instead of the PDC emulator (default) or any other DC.  Obviously, I have a work-around that works, but just want to know if the problem is just a setting in my domain or in all domains.  I usually elevate to domain admin when launching gpmc.msc, but when it launches sysvol it will not give me permissions there and that is why I usually just log in to DCs as a Domain admin when dealing with needing to copy files into sysvol.

    Thanks,


    Dave



    • Edited by DaveBryan37 Thursday, November 5, 2015 4:32 PM
    Thursday, November 5, 2015 4:26 PM
  • I am not sure how many people are still running 2008r2 DCs, but if anyone still has 2008r2 and can log in and test on theirs and let me know I would really appreciate it.  Just remember to point the DC to itself in gpmc when testing, instead of the PDC emulator (default) or any other DC.

    Well I have tested this in my local lab, both scenarios work well for me.
    Friday, November 13, 2015 9:54 AM
  • Thanks - That at least tells me that I do have an issue and it is not some designed security feature.  All of my 2008 R2 DCs have problems giving me access to Sysvol when I direct gpmc.msc to themselves, but work fine when I point gpmc.msc to another DC and access sysvol when editing a policy.

    Dave



    • Edited by DaveBryan37 Friday, November 13, 2015 4:14 PM
    Friday, November 13, 2015 3:56 PM
  • I was wondering how it is going now? Seems it only happens in RDP mode?
    Monday, November 16, 2015 2:04 AM
  • Same problem on all DCs.  If they point to themselves in gpmc.msc then I cannot copy files into sysvol when browsing, but if I point gpmc to a different DC, then everything works fine when I go to copy files into sysvol.  I did check and it does not make any difference if I am on console vs. RDP.

    Dave


    • Edited by DaveBryan37 Thursday, November 19, 2015 4:37 PM
    Thursday, November 19, 2015 4:37 PM