Domain Admin "Access Denied" when attempting to create new Group Policy

    Question

  • I've recently inherited a domain that was created by an employee no longer with the company. (2008R2, forest and domain functional level.)  All sysvol replication appears to be working fine, I'm not seeing any errors.

    When I attempted to create a new group policy (I'm a member of the Domain and Enterprise Admins groups), I got an Access Denied message.  Some digging found that the NTFS permissions for mydomain\Administrators on C:\Windows\SYSVOL\sysvol\mydomain.com\Policies were Read & Execute and List Folder.  On other domains I've checked, the Administrators group has full control based on a combination of file and folder permissions.  So these are my questions:

    Is there any harm in manually changing the NTFS permissions to reflect what appears to be the default on the other domains I have checked?

    Do NTFS permissions replicate with the Sysvol folder so all I would have to do is change the permissions on the PDC and the rest of the DCs will pick it up or do I have to manually change them on all the DCs?

    If the answer to the above question is "No", once the permissions are changed on the PDC will any new DCs that are stood up have the correct permissions on the Sysvol folder?

    Thanks,

    Tom

    Tuesday, June 9, 2015 5:06 PM

Answers

All replies

  • Check that AGPM (Advanced Group Policy Management) is not in use within your organisation - https://technet.microsoft.com/en-us/library/dd420466.aspx

    Steven Hodson | http://www.stevenhodson.com | @_hodders




    Tuesday, June 9, 2015 5:27 PM
  • It isn't currently in use, but no one who works in IT now was here when the domain was set up, so it could have been used then.
    Tuesday, June 9, 2015 7:14 PM
  • > Is there any harm in manually changing the NTFS permissions to reflect
    > what appears to be the default on the other domains I have checked?
     
    No.
     
    > Do NTFS permissions replicate with the Sysvol folder so all I would have
    > to do is change the permissions on the PDC
     
    Yes.
     
    :)
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    • Marked as answer by Imnot4D2 Wednesday, June 10, 2015 1:17 PM
    Wednesday, June 10, 2015 10:25 AM
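
Added example (not part of any reply in this thread): one way to check, after changing the permissions on one DC, whether every domain controller ends up with the same ACL on the Policies folder. It assumes the RSAT ActiveDirectory module is installed and uses the placeholder domain name mydomain.com from the question; the variable names are illustrative.

```powershell
# Compare the NTFS ACL on the SYSVOL Policies folder across all DCs.
# Assumption: run as a domain admin from a machine with the ActiveDirectory module.
Import-Module ActiveDirectory

$domain = 'mydomain.com'   # placeholder taken from the question; use your own domain

$results = foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
    # \\<dc>\SYSVOL maps to C:\Windows\SYSVOL\sysvol on that DC
    $path = "\\$($dc.HostName)\SYSVOL\$domain\Policies"
    try {
        $acl = Get-Acl -Path $path -ErrorAction Stop
        # Collect only the entries for the Administrators group, with inheritance state
        $admins = $acl.Access |
            Where-Object { $_.IdentityReference -like '*\Administrators' } |
            ForEach-Object {
                '{0}:{1} (inherited={2})' -f $_.AccessControlType, $_.FileSystemRights, $_.IsInherited
            }
        [pscustomobject]@{
            DC     = $dc.HostName
            Owner  = $acl.Owner
            Admins = $admins -join '; '
            Sddl   = $acl.Sddl      # full descriptor, used for the comparison below
            Error  = $null
        }
    }
    catch {
        # An unreachable DC or a denied read is reported instead of silently skipped
        [pscustomobject]@{
            DC = $dc.HostName; Owner = $null; Admins = $null; Sddl = $null
            Error = $_.Exception.Message
        }
    }
}

$results | Format-Table DC, Owner, Admins, Error -AutoSize -Wrap

# Group DCs by identical security descriptor; more than one group means they differ
$groups = @($results | Where-Object { -not $_.Error } | Group-Object Sddl)
if ($groups.Count -gt 1) {
    Write-Warning "Policies folder ACL differs between DCs:"
    $groups | ForEach-Object { "  {0}: {1}" -f ($_.Group.DC -join ', '), $_.Name }
}
else {
    "All reachable DCs report the same ACL on the Policies folder."
}
```

Running it once before the change and again after replication has had time to complete shows which DCs still carry the old Read & Execute entry for Administrators.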