  • Status: Solved
  • Priority: Medium
  • Security: Public

Cannot create new Group Policy Objects in Windows Server 2003

I have a Windows 2003 server running Active Directory.  I have several Group Policy Objects created.  Recently, I have tried to create a new GPO, but I get a simple message box that pops up and says "Access Denied" when trying to create one.  I am trying to do this through the Group Policy Management Console.  I am also trying this logged into the server locally as "administrator" and as a member of the Domain Admins group.  Anyone have any past experiences of this happening and how to resolve this?

Thanks.
Asked:
bkesting
1 Solution
 
NJComputerNetworksCommented:
"I am also trying this logged into the server locally as "administrator" and as a member of the Domain Admins group. "

Can you try logging in on the server as DOMAIN ADMIN?
 
bkestingAuthor Commented:
I should rephrase my earlier post, I am logged in as the Domain/Admin.  When I said I am logged in locally, I meant that I was physically at the server, not through some remote software.

Sorry for any confusion.
 
NJComputerNetworksCommented:
How many DC's do you have...can you try to connect a remote DC to perform the GPO edit...

What SP are you using on your DC's?

 
NJComputerNetworksCommented:
http://support.microsoft.com/?id=294257  <--technet article showing similar problem..
 
NJComputerNetworksCommented:
another article...similar problem:  http://www.jsifaq.com/SUBH/tip3800/rh3823.htm
 
TheCleanerCommented:
I saw your other post on tektips.

Have you tried running the GPMC from a computer other than the 2003 server, like another 2003 server or an xp workstation?

Did you run anything recently on the 2003 server that may have changed the local security policy on it, something like the Security Configuration Wizard or similar?

When you get the access denied message is there anything in the event logs at that point?
 
bkestingAuthor Commented:
I get the same error when I try to do this from my Windows XP Pro workstation.  I am running SP1 on the 2003 server.  I do have another domain controller for this network, a Windows 2000 server.  I can get on there and it appears I can create GPOs with that.  What I'd like to be able to do though is import some previously made GPO's from another Win 2K3 server and use GPMC for that.  I don't see anything out of the ordinary in any event logs nor have I done anything with local security policy on the machine.

 
TheCleanerCommented:
Have you been able to do this before on the 2003 server(s)?
 
bkestingAuthor Commented:
Yes, I created several other GPO's previously (albeit a while ago) on this same machine.
 
TheCleanerCommented:
Can you run the gp modeling wizard or a GPResult on the 2003 server and check and see if anything is strange?  Maybe you accidentally applied something inherited by only the 2003/XP machines.

The 2003 server you are trying this on is a DC?  What's the forest and domain functional levels at?
 
cbeeeCommented:
Check the security settings on the physical folder & Share where the GPO's reside and ensure domain admins has RW rights, ie.  \\<DC SERVERNAME>\NETLOGON

Can you edit existing GPO's?
 
bkestingAuthor Commented:
If I try to edit an existing GPO, it does open the Group Policy Editor, but if I expand something (like User Config > Administrative Templates) there is nothing listed there to change, it is all blank in the right pane of the editor, and there is nothing expanded underneath the Administrative Templates folder in the left pane.  "Domain Admins" does have rights to the NETLOGON share.

I have been away from the office for a day or so, so I haven't had a chance to try the GPResult yet.

Since I also have a Win2K box serving as a domain controller here, would it do any good/harm to run dcpromo to remove Active Directory from the Win2K3 box and then re-install it?
 
bkestingAuthor Commented:
Any thoughts about removing and reinstalling Active Directory?
 
cbeeeCommented:
Reinstalling the AD sounds a bit dramatic.  Try this first...

http://support.microsoft.com/?id=294257
 
TheCleanerCommented:
From what cbeee is saying, I would look at:

The PDC Operations Master of Your Windows 2000 Domain Is Down
Resolve the issue that has made the PDC operations master of your Windows 2000 domain unavailable.

Have you run DCDIAG on both the 2k3 box and the 2k box to make sure that AD is functioning properly?
 
bkestingAuthor Commented:
DCDIAG shows every test passed on both the Win2K box and the Win2K3 box.  When I do run GPRESULT, on the Win2K3 box it says:

The following GPO's were not applied because they were filtered out:
-------------------------------------------------------------------------------
Local Group Policy
      Filtering: Not Applied (Empty)

Default Domain Controllers Policy
      Filtering: Not Applied (Empty)


This does not show up in GPRESULT on the Win2K box.


 
bkestingAuthor Commented:
I finally figured out my problem.  I went through and found a negating permission set at \\system\sysvol\domainname\scripts

Once I reset that permission, everything appears to be working fine.


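The fix in the last post was a deny ("negating") permission on a folder inside SYSVOL. As an added example (not part of the original thread), this script lists every Deny access-control entry under a SYSVOL tree so that such an entry can be located; it assumes PowerShell 3.0 or later, and the path, the function name `Get-DenyAce` and the parameter names are placeholders chosen here.

```powershell
# Added example: list Deny ACEs under a SYSVOL tree.
# $SysvolPath is a placeholder; substitute your own DC and domain names.
param(
    [string]$SysvolPath = '\\<DC SERVERNAME>\SYSVOL\<domainname>'
)

function Get-DenyAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Check the root itself, then every subfolder (Policies, scripts, ...).
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue |
                   Where-Object { $_.PSIsContainer })

    foreach ($folder in $folders) {
        try {
            $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
        } catch {
            # A folder whose ACL cannot be read is itself worth reporting.
            Write-Warning "Cannot read ACL on $($folder.FullName): $($_.Exception.Message)"
            continue
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny') {
                [pscustomobject]@{
                    Path      = $folder.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # False = set on this folder
                }
            }
        }
    }
}

# Explicit (non-inherited) entries sort first: those are the folders to fix.
Get-DenyAce -Path $SysvolPath |
    Sort-Object Inherited, Path |
    Format-Table Path, Identity, Rights, Inherited -AutoSize
```

Rows with `Inherited` set to `False` show the folder where the deny entry is actually defined; rows marked `True` only receive it from a parent.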