Server 2003 Group policy object access denied

Posted on 2009-02-12
Last Modified: 2013-12-04
Hi All,
I have created a OU group and assinged a login so i can control group policy. I have created a Child OU in group policy and linked it to the AD group and set-up the policy. How the policy does not work.
I can see from the Policy results the User GPO is denied, Reason access Denied.
Question by:smartsyatton
    LVL 1

    Author Comment

    Sorry forgot to include Image of all setups to help. Thanks
    LVL 4

    Assisted Solution

    Remember that Local  GPO is overpowered by Site GPO, which is overpower by Domain GPO, which is overwritten by OU GPO.

    Check and ensure you do not have another policy set such as a one time domain template.

    heres microsoft's GPO troubleshooting article, one of those things that are hard to fix without seeing though.

    make sure there is not a parent OU that is governing that child

    but try this, to see if it is enabled in the GPO status

    Use GPMC "group policy managmant console" (free from microsoft).
    Navigate to Domains, then to your domain name, then to Group policy objects right click, Create a NEW GPO call it what ever you like. (or use existing one)
    right click it to edit the GPO with the user configuration that you want, the close the editor. Then click your GPO in the tree on the left of the screen. on the right at the top you will see the scope tab make sure it is selected. You will see security filtering on the bottom half of the screen, remove authenticated users or the policy will apply to everyone. then add the OU you created earler in its place You can check if it is enable by right clicking the GPO and going to GPO status ! it should be enabled by default.

    LVL 11

    Expert Comment

    In the image you attached, the GPO is set to apply only to the System group, which won't include your users.  By default, GPOs are permissioned to apply to Authenticated Users.  I'm not sure why your GPO has System listed, but I would add an entry for Authenticated Users and remove the System entry.  Definitely test this first.

    Another possible source of your problem is a deny entry being set in the GPOs ACL, which won't show up in the Security Filtering section of the GPMC.  To see if any deny entries are set in the GPOs ACL, go to the Delegation tab, then the Advanced button (bottom right),  As a best practice, it's to your advantage to set as few deny entries in GPO ACLs as possible due to the diffiicult nature of seeing them.
    LVL 1

    Author Comment

    Okay thanks, Getting there, I now have the GPO being applied but it is allways  replaced by the Default domain GPO.?!
    Sure i am missing somthing.

    LVL 11

    Accepted Solution

    Per your first image, the Default Domain Policy GPO is being enforced which gives it precedence over the Training GPO applied at the OU level.  Removing the enforcement of the Default Domain Policy GPO will give the Training GPO precedence.

    If the Default Domain Policy GPO was enforced so that OU administrators could not supersede domain policy, though, this may not be the route you want to take.  You'll need to weigh the costs and benefits to fixing your immediate issue.
    LVL 1

    Author Closing Comment

    Very helpfull thanks

    Featured Post

    Scale it in WD Gold

    With up to ten times the workload capacity of desktop drives, WD Gold hard drives employ advanced technology to deliver among the best in reliability, capacity, power efficiency and performance.

    Join & Write a Comment

    Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
    Healthcare providers, insurance companies and other covered entities trust eFax Corporate to transmit their most sensitive documents. eFax Corporate can help your organization implement a HIPAA compliant cloud faxing solution.
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    15 Experts available now in Live!

    Get 1:1 Help Now