Cannot create new Group Policy Objects in Windows Server 2003

I have a Windows 2003 server running Active Directory.  I have several Group Policy Objects created.  Recently, I have tried to create a new GPO, but I get a simple message box that pops up and says "Access Denied" when trying to create one.  I am trying to do this through the Group Policy Management Console.  I am also trying this logged into the server locally as "administrator" and as a member of the Domain Admins group.  Anyone have any past experiences of this happening and how to resolve this?

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

"I am also trying this logged into the server locally as "administrator" and as a member of the Domain Admins group. "

Can you try logging in on the server as DOMAIN ADMIN?
bkestingAuthor Commented:
I should rephrase my earlier post, I am logged in as the Domain/Admin.  When I said I am logged in locally, I meant that I was physically at the server, not through some remote software.

Sorry for any confusion.
How many DC's do you have...can you try to connect a remote DC to perform the GPO edit...

What SP are you using on your DC's?

The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

NJComputerNetworksCommented:  <--technet article showing similar problem..
another article...similar problem:
I saw your other post on tektips.

Have you tried running the GPMC from a computer other than the 2003 server, like another 2003 server or an xp workstation?

Did you run anything recently on the 2003 server that may have changed the local security policy on it, something like the Security Configuration Wizard or similar?

When you get the access denied message is there anything in the event logs at that point?
bkestingAuthor Commented:
I get the same error when I try to do this from my Windows XP Pro workstation.  I am running SP1 on the 2003 server.  I do have another domain controller for this network, a Windows 2000 server.  I can get on there and it appears I can create GPOs with that.  What I'd like to be able to do though is import some previously made GPO's from another Win 2K3 server and use GPMC for that.  I don't see anything out of the ordinary in any event logs nor have I done anything with local security policy on the machine.

Have you been able to do this before on the 2003 server(s)?
bkestingAuthor Commented:
Yes, I created several other GPO's previously (albeit a while ago) on this same machine.
Can you run the gp modeling wizard or a GPResult on the 2003 server and check and see if anything is strange?  Maybe you accidentally applied something inherited by only the 2003/XP machines.

The 2003 server you are trying this on is a DC?  What's the forest and domain functional levels at?
Check the security settings on the physical folder & Share where the GPO's reside and ensure domain admins has RW rights, ie.  \\<DC SERVERNAME>\NETLOGON

Can you edit exisiting GPO's ?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bkestingAuthor Commented:
If I try to edit an existing GPO, it does open the Group Policy Editor, but if I expand something (like User Config > Administrative Templates) there is nothing listed there to change, it is all blank in the right pane of the editor, and there is nothing expanded underneath the Administrative Templates folder in the left pane.  "Domain Admins" does have rights to the NETLOGON share.

I have been away from the office for a day or so, so I haven't had a chance to try the GPResult yet.

Since I also have a Win2K box serving as a domain controller here, would it do any good/harm to run dcpromo to remvoe Active Directory from the Win2K3 box and then re-install it?
bkestingAuthor Commented:
Any thoughts about removing and reinstalling Active Directory?
reinstalling the AD sounds a bit dramatic.  try this first...
from what cbeee is saying, I would look at:

The PDC Operations Master of Your Windows 2000 Domain Is Down
Resolve the issue that has made the PDC operations master of your Windows 2000 domain unavailable.

Have you run DCDIAG on both the 2k3 box and the 2k box to make sure that AD is functioning properly?
bkestingAuthor Commented:
DCDIAG shows every test passed on both the Win2K box and the Win2K3 box.  When I do run GPRESULT, on the Win2K3 box it says:

The following GPO's were not applied because they were filtered out:
Local Group Policy
      Filtering: Not Applied (Empty)

Default Domain Controllers Policy
      Filtering: Not Applied (Empty)

This does not show up in GPRESULT on the Win2K box.

bkestingAuthor Commented:
I finally figured out my problem.  I went through and found a negating permission set at \\system\sysvol\domainname\scripts

Once I reset that permission, everything appears to be working fine.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.