Administrator can't make changes to Group Policy Object

Posted on 2005-05-12
Last Modified: 2008-02-07
All of a sudden (I haven't had the need to try in the past couple of weeks), when I log on as Administrator, I cannot make changes to Group Policy Objects.

I am logged in as Administrator, the Administrator is a member of Domain Admins and a member of Enterprise Admins.

When I check the security settings of the GPOs, they seem fine - Domain Admins and Enterprise Admins have Read/Write access on the GPOs.

When I try to make changes to a GPO in the Domain Controller OU, it tells me access denied.

Here's where it gets really strange:
I have an OU called 'MyCompany Computers', and when I try to change the GPO in there it sometimes works and sometimes I get the access denied error.  I can literally open the OU and then the GPO, make a change and apply it and close the OU properties window, go back into it and try to make another change and get the access denied message.  Then I close it, open it, and sometimes I can change it again, sometimes not.

This is very troubling.

This is a production machine, so I really want to avoid resetting all the security settings back to the default.

Is there something I am missing or another solution out there?
Question by: saunaG

    Author Comment

    forgot to add - found a file at c:\windows\debug\usermode\gpedit.log and it contains things like:

    GPEDIT(71c.898) 10:33:19:906 CGroupPolicyObject::OpenDSGPO: Failed to set as the active sysvol with 2662
    GPEDIT(c6c.78c) 14:03:03:218 CRSOPComponentData::GetPrimaryGroup: SID is not valid.
    GPEDIT(df8.47c) 16:27:04:578 CGroupPolicyObject::WriteSecurityDescriptor: Failed to set the security for the file system portion <\\\SysVol\\Policies\{E38EF005-7C43-4C91-AA48-C294DA8E7D1D}> with 5
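
A triage helper for the gpedit.log lines quoted in the comment above, as an added example that is not part of the original thread: it splits each line into its fields and lists the GPO GUIDs whose writes failed with status 5, which is Win32 ERROR_ACCESS_DENIED. The field names, the helper names and the reading of the line layout are assumptions made for this example.

```python
import re
from collections import Counter

# Sample input: the three log lines copied from the post above.
SAMPLE = r"""
GPEDIT(71c.898) 10:33:19:906 CGroupPolicyObject::OpenDSGPO: Failed to set as the active sysvol with 2662
GPEDIT(c6c.78c) 14:03:03:218 CRSOPComponentData::GetPrimaryGroup: SID is not valid.
GPEDIT(df8.47c) 16:27:04:578 CGroupPolicyObject::WriteSecurityDescriptor: Failed to set the security for the file system portion <\\\SysVol\\Policies\{E38EF005-7C43-4C91-AA48-C294DA8E7D1D}> with 5
"""

# Assumed layout: GPEDIT(<id>.<id>) HH:MM:SS:mmm Class::Method: message
LINE_RE = re.compile(
    r"^GPEDIT\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<func>\w+(?:::\w+)*):\s+(?P<msg>.*)$")
STATUS_RE = re.compile(r"\bwith (\d+)$")   # trailing numeric status, if any
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
KNOWN = {5: "ERROR_ACCESS_DENIED"}         # other codes are left unnamed

def parse_line(line):
    """Return the fields of one gpedit.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    status = STATUS_RE.search(rec["msg"])
    guid = GUID_RE.search(rec["msg"])
    rec["status"] = int(status.group(1)) if status else None
    rec["status_name"] = KNOWN.get(rec["status"])
    rec["gpo"] = guid.group(0) if guid else None
    return rec

def access_denied_gpos(text):
    """Map each GPO GUID to the number of lines that failed with status 5."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 5 and rec["gpo"]:
            hits[rec["gpo"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for gpo, count in access_denied_gpos(SAMPLE).items():
        print(f"{gpo}: {count} access-denied write(s) on the SYSVOL portion")
```
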

    LVL 9

    Expert Comment

    Run dcdiag and netdiag on the DCs to see if you have any problems in AD.
    LVL 14

    Expert Comment

    Try to delegate control to your account
    and check the Effective Permissions of your account - click Properties of your OU (if you cannot see the Security tab, go to View/Advanced Features), and in the Security tab click the Advanced button and see the Effective Permissions tab of the chosen account.

    Author Comment

    here is a possible clue:
    when I right-click Start and go to Explore, instead of starting in c:\documents+settings, for some reason I am instead taken to \\server\ts_startmenu, which is a folder I created and shared and use for folder redirection for remote desktop users (admin is not a member and admin does not see this start menu, but that's where it goes when you open Windows Explorer in this way).

    also I wasn't able to install the toolkit just now to try to run dcdiag - it just starts to install and then says it was unable to.

    LVL 9

    Accepted Solution

    This shows that you have a GPO applied to you that restricts what you can do on the network. Try to run rsop.msc from a command prompt and see what policies are applied to your user.

    Author Comment

    I ran rsop.msc and the only thing there is that my start folder is redirected.  This is from the GPO called 'RemoteDesktopUsersPolicy'.
    It is or was applied to the Everyone group - but when I look in this GPO there is no folder redirection.  There was in the past but it was removed.  However, in rsop.msc, when I click Properties on this item and then check the 'Policy Removal' section, it does show that when this policy setting is removed, it is to keep the folder redirection for the users rather than reset to the user's local profile.

    I now understand why explorer opens to a share but there is nothing else in rsop.msc that indicates there are other policies being applied to the admin.  The admin is not a member of the remote desktop users group that this policy is being applied to.

    LVL 10

    Expert Comment

    sounds like your TS profile is being referenced..

    remove your machine from the domain, and re-add it. Could be that Kerberos tickets have expired.

    Author Comment

    ok, now it seems to be working - I was able to make changes to the Domain Controller OU GPOs
    ...but I didn't do anything that would make this happen...

    As it is now working, I was able to remove folder redirection from the admin.

    I have logged on and off a few times since then and everything SEEMS fine.

    now when I run rsop.msc the reference there to folder redirection is gone

    and I am now able to install the system tools to run dcdiag and netdiag

    I can't really pinpoint what fixed the problem but I think joedoe58's comment about running rsop.msc was most helpful.

    hopefully this behaviour is gone for good.
