Solved

The Enterprise Domain Controllers group does not have read access to this GPO

Posted on 2007-04-02
Last Modified: 2013-12-05
I need a little help.  I am using the Group Policy Management snap-in and when I try to access a group policy I get a group policy management pop up:  

"The Enterprise Domain Controllers group does not have read access to this GPO.  The Enterprise Domain Controllers group must have read access on all GPO's in the domain in order for Modeling to function properly."

I don't understand what it is trying to communicate for sure.  I want to change the password policy and the lockout policy.  Will this prevent the change from being replicated properly?

Rick
Question by:rarnold_6951
2 Comments
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 18836821
Group Policy Modeling is a new feature of Windows Server 2003 that simulates
the resultant set of policy for a given configuration. The simulation is
performed by a service that runs on Windows Server 2003 domain controllers.
In order to perform the simulation in cross-domain scenarios, the service
must have read access to all GPOs in the forest.


In a Windows Server 2003 domain (whether it is upgraded from Windows 2000 or
installed as new), the Enterprise Domain Controllers group is automatically
given read access to all newly created GPOs. This ensures that the service
can read all GPOs in the forest.


However, if the domain was upgraded from Windows 2000, any existing GPOs
that were created before the upgrade do not have read access for the
Enterprise Domain Controllers group. When you click a GPO, GPMC detects this
situation and notifies the user that Enterprise Domain Controllers do not
have read access to all GPOs in this domain. To solve this problem, you can
use one of the sample scripts provided with GPMC,
GrantPermissionOnAllGPOs.wsf. This script can update the permissions for all
GPOs in the domain. To use this script:


1. Ensure that the person running this script is either a Domain Admin or
has permissions to modify security on all GPOs in the domain.

2. Open a command prompt and navigate to the %programfiles%\gpmc\scripts
folder by typing:

    CD /D %programfiles%\gpmc\scripts

3. Type the following:

    Cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /Permission:Read /Domain:value

The value of the Domain parameter is the DNS name of the domain.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
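
An audit-only check for the condition described in the answer above, added here as an example; it is not part of the original answer or of the GPMC sample scripts. It lists the GPOs that have no allow entry for Enterprise Domain Controllers, so you can see what GrantPermissionOnAllGPOs.wsf would change before running it. It assumes the GroupPolicy PowerShell module (Windows Server 2012 or later, or RSAT); the domain name is a placeholder.

```powershell
# Added example: read-only audit, changes no permissions.
# Assumes the GroupPolicy module is available (GPMC/RSAT on Server 2012+).
Import-Module GroupPolicy

# Placeholder: DNS name of the domain to audit.
$Domain = 'corp.example.com'

# Well-known SID of the Enterprise Domain Controllers group.
$EdcSid = 'S-1-5-9'

$report = foreach ($gpo in Get-GPO -All -Domain $Domain) {
    # Enumerate every trustee on the GPO and keep allow entries for the EDC group.
    $edc = Get-GPPermission -Guid $gpo.Id -All -DomainName $Domain |
        Where-Object { $_.Trustee.Sid.Value -eq $EdcSid -and -not $_.Denied }

    [pscustomobject]@{
        GPO        = $gpo.DisplayName
        Id         = $gpo.Id
        # Permission level(s) held by the group, or MISSING if it has no entry.
        Permission = if ($edc) { ($edc.Permission | Sort-Object -Unique) -join ',' }
                     else      { 'MISSING' }
    }
}

# GPOs on which the group has no entry at all (the case GPMC warns about).
$report | Where-Object { $_.Permission -eq 'MISSING' } | Format-Table -AutoSize

# Full picture, including GPOs where the group already has an entry.
$report | Sort-Object Permission, GPO | Format-Table -AutoSize
```

GPOs reported with a custom permission level need a manual look in GPMC to confirm that read is included.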

Author Comment

by:rarnold_6951
ID: 18847079
We are running a Windows 2000 domain, and from what you describe that is the problem.  We are getting ready to upgrade the Domain Controllers to Windows 2003 in the next few weeks.

Rick