Group Policy Creator Owners cannot create new GPO

  • Question

  • According to Microsoft documentation, members of the group "Group Policy Creator Owners" are allowed to create new GPOs without being Domain Admins.

    However, when one of these members tries to create a new GPO, they get an "Access is denied" error. It's actually an information box.

    [Screenshot: error]

    Security on the Group Policy Objects container seems correct to me.

    [Screenshot: security]

    These members can create WMI Filters, what's stopping them from creating GPOs?

    Friday 18 August 2017 14:24

Answers

  • Check the ACL on C:\windows\sysvol\domain\policies or you have different folder for Sysvol. By default Group Policy Creator/Owners group should have Read, write & Execute permissions to this folder, subfolders and files.
    • Marked as answer by Ander E Tuesday 22 August 2017 07:48
    Friday 18 August 2017 15:52

All replies

  • Thanks for your reply.

    This is the ACL for policies:

    [Screenshot: ACL]

    This is the same ACL on all our DCs.

    Our environment is composed of several 2012 R2 DCs and Domain Functional Level 2012 R2, and as you can see DFSR is enabled.

    I don't understand how we could have lost permissions for that group, can someone with the same configuration post their ACL?


    • Edited by Ander E Monday 21 August 2017 08:22 typo
    Monday 21 August 2017 08:21
  • All are fine except the ones below.

    Group Policy Creator Owners = Read, Write and Execute (this folder and subfolders)

    Domain Admins = Read, Write and Execute (this folder and subfolders)

    Add these two groups on all servers and you should be fine.

    Monday 21 August 2017 10:34
  • I added the 2 permissions on one of the DCs, hoping that these permissions would be replicated to all DCs by DFSR, but this is not the case.

    Am I supposed to make these changes on all DCs, or is something broken?

    Monday 21 August 2017 12:21
  • If your AD is using DFSR, it should replicate the permission change as well. Have you waited for the replication interval?
    Monday 21 August 2017 12:51
  • Strange, if I create a new file at the Policies folder level, the file is replicated to all DCs. If I change this file's permissions, the permissions are replicated to all DCs. However, the "Policies" folder permissions are not replicated.

    All GPOs are replicated, there are no replication errors.

    Monday 21 August 2017 14:31
  • What is the permission one folder up? Did you correct the permission there? If so, can you inherit the permission from one folder up?
    Monday 21 August 2017 15:12
  • Hi,
    Please check whether the Group Policy Creator Owner group has been granted the proper permissions on C:\Windows\SYSVOL\sysvol\domain\Policies folder:
    - Traverse folder / execute file
    - List Folder / read data
    - Read attributes
    - Read extended attributes
    - Create files / write data
    - Create folders / append data
    - Write attributes
    - Write extended attributes
    - Read permissions
    And check the share permissions on C:\Windows\SYSVOL\sysvol\ to make sure that Administrators (Full Control permission) and Everyone (Read permission) are listed.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday 22 August 2017 06:15
  • Wendy, permissions are correct; actually, share permissions also include Full Control for Authenticated Users.
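An added PowerShell check, not from this thread, that reads the Policies folder ACL on every DC and reports whether Group Policy Creator Owners holds the NTFS rights listed in the reply above, then lists the SYSVOL share permissions; the module names, the default SYSVOL path and the `$required` rights mask are assumptions.

```powershell
# Added example: audit SYSVOL\<domain>\Policies on each domain controller for the
# rights the reply above expects Group Policy Creator Owners to hold.
# Assumptions: run as a domain admin with the ActiveDirectory and SmbShare modules
# available; SYSVOL is in its default location (adjust $path if it was moved).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$group  = "$($domain.NetBIOSName)\Group Policy Creator Owners"

# ReadAndExecute = traverse/execute, list/read, read attributes, read extended
# attributes, read permissions. Write = create files, create folders, write
# attributes, write extended attributes. Together they match the reply's list.
$required = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
            [System.Security.AccessControl.FileSystemRights]::Write

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $path = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies"
    $acl  = Get-Acl -Path $path
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $group -and $_.AccessControlType -eq 'Allow'
    }

    # Union of all Allow ACEs for the group, then test every required bit is set.
    $granted = 0
    foreach ($ace in $aces) { $granted = $granted -bor [int]$ace.FileSystemRights }
    $hasRequired = (($granted -band [int]$required) -eq [int]$required)

    [pscustomobject]@{
        DomainController = $dc
        Path             = $path
        GroupHasRequired = $hasRequired
        # "This folder, subfolders and files" shows as ContainerInherit, ObjectInherit.
        AppliesTo        = ($aces | ForEach-Object { "$($_.InheritanceFlags)" }) -join ';'
        # $false here means inheritance from the parent folder is blocked.
        InheritsFromParent = (-not $acl.AreAccessRulesProtected)
    }

    # Share-level permissions on this DC (reply expects Administrators Full Control
    # and Everyone Read; the original poster also had Authenticated Users Full Control).
    Invoke-Command -ComputerName $dc -ScriptBlock { Get-SmbShareAccess -Name SYSVOL } |
        Select-Object PSComputerName, AccountName, AccessControlType, AccessRight
}
```

A DC whose row shows GroupHasRequired as $false while the others show $true is the one to compare against the rest, since the thread found that the folder ACL change did not replicate even though files inside the folder did.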

    Manoj, parent permissions are inherited, as you can see in the screenshot above. Anyway, after creating the permissions you suggested, even though they haven't been propagated to all DCs, I can create new GPOs with a member of "Group Policy Creator Owners".

    Strange that these new permissions were not propagated to all DCs; I will troubleshoot that and raise a new issue if I need to. Thanks.

    Tuesday 22 August 2017 07:47
  • We have the same issue even with a Domain Admin user account.

    If you have any McAfee Antivirus on the DC, temporarily disable it.

    Tuesday 28 July 2020 16:16