Somehow denied everyone from a group policy via delegation tab

    Question

  • Hello

    We are using AD 2003 native and will be going to 2012 soon.

    Today I was changing the permissions on a group policy and I just wanted to go to the delegation tab in the GPO manager for this policy and deny the user so he didn't get the group policy.

    When I hit reply it looks like I did everyone.  When I went back to GPO manager it said access denied on the policy and the name.  When I hit refresh it doesn't even show up now.

    How can I relocate it and fix the permissions?

    Thanks

    Wednesday, January 07, 2015 1:09 PM

All replies

  • Dear TB303,

    Would you please show me the screenshot of your problem and send me the GPResult information? Then we can look into this problem and troubleshoot further.

    You can check the link below; it will guide you in using the gpresult command line to collect resultant group policy settings.

    http://technet.microsoft.com/en-us/library/cc733160.aspx

    Looking forward to your reply.

    Best Regards,

    Ealian

    Friday, January 09, 2015 2:13 AM
  • Hi,

    >>When I hit reply it looks like I did everyone.  When I went back to GPO manager it said access denied on the policy and the name.  When I hit refresh it doesn't even show up now.

    >>How can I relocate it and fix the permissions?

    How is it going? You should be able to see the GPO under the Group Policy Objects node in GPMC. However, because Everyone was denied access to the GPO, you won't be able to make any changes to the GPO.

    To fix the permissions:

    1. Go to Details tab which is in the right pane of the GPO after clicking it, and find the Unique ID of the GPO

    2. Run Ldp.exe on the domain controller; you can follow steps 1-6 in this article to view the domain partition.

    3. Expand the directory tree, go to CN=System…, go to CN=Policies…, and then find the Unique ID of the GPO which is the same one as in the step 1

    4. Right click the Unique ID, go to Advanced, and then go to Security Descriptor and click OK

    5. Under DACL section in the prompted dialog-box, choose Everyone entry, and double click it

    6. Choose Allow for ACE type in the prompted dialog-box, click OK, and then click Update

    7. Now, you can go back to GPMC to edit the access permissions of the GPO

    Best regards,

    Frank Shen

    Thursday, January 15, 2015 2:24 AM
    Moderator
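
Added example, not part of the thread or of Frank Shen's reply: the check behind steps 4-6 above, run on an SDDL string instead of in the Ldp dialog. It finds explicit Deny ACEs for Everyone in a DACL and returns the SDDL with them removed (removing the ACE rather than switching it to Allow is this example's choice); the sample SDDL and the function name `Repair-EveryoneDeny` are constructed for illustration.

```powershell
# Constructed sample (not from the thread): a GPO-style DACL in SDDL form where
# Everyone (WD) carries a Deny ACE for full control, followed by Allow ACEs for
# Administrators (BA), SYSTEM (SY) and read access for Authenticated Users (AU).
$sampleSddl = 'O:BAG:BAD:PAI' +
    '(D;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;WD)' +
    '(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;BA)' +
    '(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)' +
    '(A;CI;LCRPLORC;;;AU)'

# Hypothetical helper: reports and strips Deny ACEs whose trustee is Everyone.
function Repair-EveryoneDeny {
    param([Parameter(Mandatory = $true)][string]$Sddl)

    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $dacl = $sd.DiscretionaryAcl
    $removed = @()

    # Walk backwards so RemoveAce() does not shift the indexes still to be visited.
    for ($i = $dacl.Count - 1; $i -ge 0; $i--) {
        $ace = $dacl[$i]
        $isDeny = $ace -is [System.Security.AccessControl.QualifiedAce] -and
                  $ace.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessDenied
        if ($isDeny -and $ace.SecurityIdentifier.Value -eq 'S-1-1-0') {   # S-1-1-0 = Everyone
            $removed += [pscustomobject]@{
                Index      = $i
                AccessMask = '0x{0:X8}' -f $ace.AccessMask
                Inherited  = $ace.IsInherited
            }
            $dacl.RemoveAce($i)
        }
    }

    # Return what was removed plus the before/after SDDL for review.
    [pscustomobject]@{
        RemovedAces = $removed
        OldSddl     = $Sddl
        NewSddl     = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    }
}

$result = Repair-EveryoneDeny -Sddl $sampleSddl
$result.RemovedAces | Format-Table -AutoSize
$result.NewSddl
```

The function only transforms the string it is given; it does not read from or write to the directory, so the result can be reviewed before any change is made to the GPO object.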
  • Hello Frank,

    What is strange is I can't even see the GPO in the left hand pane afterwards, as if it was deleted. What a great reply though from you, top notch.

    Thursday, January 15, 2015 8:24 AM