Cannot update admx files in policydefinition folder

    Question

  • Hello,

    I know there are many discussions about this subject, but none of the solutions work for me right now.

    I'm trying to update our central policy store in \\domainname\SYSVOL\SSC.LOCAL\Policies\PolicyDefinitions.

    I downloaded the new admx files etc. and want to copy and paste it to the central store.

    Done this earlier a few months ago without problems, but now I need the Server 2016 and latest Windows 10 admx files.

    I get an error message access denied.

    There are solutions of taking ownership and assigning the proper permissions. It looks like the old permissions get back in a short time.

    When I run a script which takes ownership and sets the permissions, it looks like it is set to default in a second.

    We have Windows Server 2012R2 domain controllers.

    Does anyone know how to do the trick?


    JFTE


    • Edited by JFTE Saturday, December 03, 2016 11:51 PM Addition
    Saturday, December 03, 2016 11:47 PM

Answers

  • Found the solution. I had already rebooted the other domain controller of the two we have.

    Now I rebooted the other domain controller, the one I was logged on to, because that is possible now that it is the weekend.

    In the Event Viewer I see the following entry from the past hours:

    The DFS Replication service is stopping communication with partner DTC-IPF-DOM001 for replication group Domain System Volume due to an error. The service will retry the connection periodically.

    After the reboot the message is gone and ACLs work fine now.

    Thanks for thinking with me.


    JFTE

    • Marked as answer by JFTE Sunday, December 04, 2016 11:25 AM
    Sunday, December 04, 2016 11:25 AM

All replies

  • I get an error message access denied.

    There are solutions of taking ownership and assigning the proper permissions. It looks like the old permissions get back in a short time.

    When I run a script which takes ownership and sets the permissions, it looks like it is set to default in a second.

    The solutions relating to taking ownership and setting permissions, revolve around the c:\Windows\PolicyDefinitions\ folder/subfolders/files having ownership by TrustedInstaller.

    These issues don't affect the CS, because the CS is simply a folder (which is not a builtin folder protected by TI) within your SYSVOL.

    So, I think you're having some other problem, not really related to that TI issue?

    Check the (effective/resultant) permissions as well as the ACL for \\domainname\SYSVOL\SSC.LOCAL\Policies\PolicyDefinitions

    If you are granting permissions (adding an ACE into the ACL), and that is being reverted, there's something else going on; perhaps you have some script or agent doing that. It's certainly not a builtin feature to reset/protect the ACL on any share, nor specifically for SYSVOL nor a CS.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Sunday, December 04, 2016 2:16 AM
  • Hello,

    Thank you for your reply.

    When I try to change the permissions, I get an error: "An error occurred when applying security information to: ........  Failed to enumerate objects in the container. Access denied." and then: "Unable to save permission changes on policydefinitions, Access denied."

    This is when I try to stop inheritance or change permissions or take ownership. I'm the owner of the policydefinitions folder because I created it.

    I already made my admin account member of schema admins, Enterprise admins and Group Policy Creator Owners and was already member of administrators.

    My effective rights are everything, even full control according to the "Effective rights" tab.


    JFTE


    • Edited by JFTE Sunday, December 04, 2016 11:03 AM add effective rights
    Sunday, December 04, 2016 11:00 AM
  • Hi,
    Thank you for the update and for sharing; it will be greatly helpful to others who have the same question.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, December 05, 2016 7:55 AM
    Moderator
  • I did not have the error messages but a reboot allowed me to add files without any permissions changes.
    Thursday, June 08, 2017 2:33 PM
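
The checks discussed in this thread (the ACL on the central store, and the DFS Replication error named in the accepted answer) can be run against every domain controller at once. The script below is an added example, not code from any poster; it assumes the ActiveDirectory RSAT module, an account allowed to read each DC's SYSVOL and event log remotely, and a 24-hour look-back window chosen for illustration.

```powershell
# Added example: compare each DC's copy of the central store and list recent DFSR problems.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot       # DNS name of the current domain
$since  = (Get-Date).AddHours(-24)     # assumed look-back window

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Address each DC's SYSVOL directly instead of the domain DFS name,
    # so the replicas are inspected one by one.
    $store = "\\$($dc.HostName)\SYSVOL\$domain\Policies\PolicyDefinitions"
    $acl = $null; $files = 0
    if (Test-Path -LiteralPath $store) {
        $acl   = Get-Acl -LiteralPath $store
        $files = @(Get-ChildItem -LiteralPath $store -Recurse -File).Count
    }

    # Level 2 = Error, 3 = Warning in the 'DFS Replication' event log.
    $dfsr = @(Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'DFS Replication'; Level = 2, 3; StartTime = $since })

    [pscustomobject]@{
        DC        = $dc.HostName
        Reachable = [bool]$acl
        Owner     = if ($acl) { $acl.Owner }
        Sddl      = if ($acl) { $acl.Sddl }
        Files     = $files
        DfsrCount = $dfsr.Count
        LastDfsr  = ($dfsr | Select-Object -First 1).Message
    }
}

$report | Format-Table DC, Reachable, Owner, Files, DfsrCount -AutoSize

# Healthy replicas carry the same security descriptor and the same file count.
if (@($report | Group-Object Sddl, Files).Count -gt 1) {
    Write-Warning 'Central store differs between domain controllers; check DFS Replication before changing ACLs.'
}

# Show the most recent DFSR error or warning text for each affected DC.
$report | Where-Object DfsrCount -gt 0 | Format-List DC, LastDfsr
```

A mismatch in `Sddl` or `Files` between controllers, together with a non-zero `DfsrCount`, points at SYSVOL replication rather than at the permissions themselves.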