Administrator can't make changes to Group Policy Object

Posted on 2005-05-12
Medium Priority
Last Modified: 2008-02-07
All of a sudden (I haven't had the need to try in the past couple of weeks), when I log on as Administrator, I cannot make changes to Group Policy Objects.

I am logged in as Administrator, the Administrator is a member of Domain Admins and a member of Enterprise Admins.

When I check the security settings of the GPOs, they seem fine - Domain Admins and Enterprise Admins have Read/Write access on the GPOs.

When I try to make changes to a GPO in the Domain Controller OU, it tells me access denied.

Here's where it gets really strange:
I have an OU called 'MyCompany Computers' and when I try to change the GPO in there it sometimes works and sometimes I get the access denied error.  I can literally open the OU and then the GPO, make a change and apply it and close the OU properties window, go back into it and try to make another change and get the access denied message.  Then I close it, open it and sometimes I can change it again, sometimes not.

This is very troubling.

This is a production machine so I really want to avoid resetting all the security settings back to the default.

Is there something I am missing or another solution out there?
Question by:saunaG

Author Comment

ID: 13986202
Forgot to add - found a file at c:\windows\debug\usermode\gpedit.log and it contains things like:

GPEDIT(71c.898) 10:33:19:906 CGroupPolicyObject::OpenDSGPO: Failed to set server2.domain.TUDHOPE.ca as the active sysvol with 2662
GPEDIT(c6c.78c) 14:03:03:218 CRSOPComponentData::GetPrimaryGroup: SID is not valid.
GPEDIT(df8.47c) 16:27:04:578 CGroupPolicyObject::WriteSecurityDescriptor: Failed to set the security for the file system portion <\\tudhope.ca\SysVol\tudhope.ca\Policies\{E38EF005-7C43-4C91-AA48-C294DA8E7D1D}> with 5
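
Added example (not part of the original thread): PowerShell that parses gpedit.log lines like the ones quoted above, has Windows describe the trailing numeric code, and pulls out the SYSVOL path so an access-denied failure on the file system portion of a GPO stands out. The line layout, the reading of the trailing "with N" as a Win32 error code, and the helper name ConvertFrom-GpeditLog are assumptions drawn from the three quoted lines; code 5 is ERROR_ACCESS_DENIED.

```powershell
# Constructed sample: the three gpedit.log lines quoted in the post above.
$sample = @'
GPEDIT(71c.898) 10:33:19:906 CGroupPolicyObject::OpenDSGPO: Failed to set server2.domain.TUDHOPE.ca as the active sysvol with 2662
GPEDIT(c6c.78c) 14:03:03:218 CRSOPComponentData::GetPrimaryGroup: SID is not valid.
GPEDIT(df8.47c) 16:27:04:578 CGroupPolicyObject::WriteSecurityDescriptor: Failed to set the security for the file system portion <\\tudhope.ca\SysVol\tudhope.ca\Policies\{E38EF005-7C43-4C91-AA48-C294DA8E7D1D}> with 5
'@ -split '\r?\n'

# Layout inferred from those lines (an assumption, not a documented format):
# GPEDIT(pid.tid) hh:mm:ss:ms Class::Method: message [with <numeric code>]
$pattern = '^GPEDIT\((?<procId>[0-9a-f]+)\.(?<threadId>[0-9a-f]+)\)\s+' +
           '(?<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?<source>\w+::\w+):\s+(?<message>.*)$'

function ConvertFrom-GpeditLog {   # hypothetical helper name
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        if ($Line -notmatch $pattern) { return }   # skip lines that do not fit the layout
        # Copy the captures now; the -match calls below overwrite $Matches.
        $time, $source, $message = $Matches.time, $Matches.source, $Matches.message

        # Treat a trailing "with N" as a Win32 error code and let Windows describe it.
        $code = $null; $meaning = $null
        if ($message -match '\swith\s(?<code>\d+)\s*$') {
            $code = [int]$Matches.code
            $meaning = (New-Object System.ComponentModel.Win32Exception -ArgumentList $code).Message
        }

        # A UNC path in angle brackets is the SYSVOL (file system) half of the GPO.
        $path = $null
        if ($message -match '<(?<path>\\\\[^>]+)>') { $path = $Matches.path }

        [pscustomobject]@{
            Time         = $time
            Source       = $source
            Code         = $code
            Meaning      = $meaning
            SysvolPath   = $path
            AccessDenied = ($code -eq 5)   # 5 = ERROR_ACCESS_DENIED
        }
    }
}

$sample | ConvertFrom-GpeditLog | Format-List

# Against the real file named in the post, showing only access-denied entries:
# Get-Content C:\windows\debug\usermode\gpedit.log | ConvertFrom-GpeditLog | Where-Object AccessDenied
```

An AccessDenied entry with a SysvolPath points at the NTFS permissions on that Policies\{GUID} folder, which are separate from the permissions shown on the GPO object in Active Directory.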


Expert Comment

ID: 13986237
Run dcdiag and netdiag on the DC's to see if you have any problems in AD

Expert Comment

ID: 13986918
Try to delegate control to your account
and check the Effective Permissions of your account - click Properties of your OU (if you cannot see the Security tab, go to View/Advanced Features), and in the Security tab click the Advanced button and see the Effective Permissions tab for the chosen account.


Author Comment

ID: 13987012
Here is a possible clue:
When I right-click Start and go to Explore, instead of starting in c:\documents+settings, for some reason I am instead taken to \\server\ts_startmenu, which is a folder I created and shared and use for folder redirection for remote desktop users (admin is not a member and admin does not see this start menu, but that's where it goes when you open Windows Explorer in this way).

Also, I wasn't able to install the toolkit just now to try to run dcdiag - it just starts to install and then says it was unable to.


Accepted Solution

joedoe58 earned 1500 total points
ID: 13987052
This shows that you have a GPO applied to you that restricts what you can do on the network. Try to run rsop.msc from a command prompt and see what policies are applied to your user.

Author Comment

ID: 13987644
I ran rsop.msc and the only thing there is that my start folder is redirected.  This is from the GPO called 'RemoteDesktopUsersPolicy'.
It is or was applied to the Everyone group - but when I look in this GPO there is no folder redirection.  There was in the past but it was removed.  However, in rsop.msc, when I click Properties on this item and then check the 'Policy Removal' section, it does show that when this policy setting is removed, the folder redirection is kept for the users rather than reset to the user's local profile.

I now understand why Explorer opens to a share, but there is nothing else in rsop.msc that indicates there are other policies being applied to the admin.  The admin is not a member of the remote desktop users group that this policy is being applied to.


Expert Comment

by:Seelan Naidoo
ID: 13988521
Sounds like your TS profile is being referenced.

Remove your machine from the domain, and re-add it. Could be that Kerberos tickets have expired.

Author Comment

ID: 13988744
OK, now it seems to be working - I was able to make changes to the Domain Controller OU GPOs
...but I didn't do anything that would make this happen.

As it is now working, I was able to remove folder redirection from the admin.

I have logged on and off a few times since then and everything SEEMS fine.

Now when I run rsop.msc, the reference there to folder redirection is gone,

and I am now able to install the system tools to run dcdiag and netdiag.

I can't really pinpoint what fixed the problem, but I think joedoe58's comment about running rsop.msc was most helpful.

Hopefully this behaviour is gone for good.


Question has a verified solution.
