Solved

Group Policies on Windows 2008 R2 Domain Controller

Posted on 2013-11-20
Last Modified: 2015-03-18
I was reviewing my policies. I have about a dozen of them. For some reason, on 2 policies, when I click on them I get a message as follows:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.

For more information, see the Microsoft Knowledge Base article: http://go.microsoft.com/fwlink/?LinkId=20066

I clicked OK several times. Tried closing and reopening GPM but it still gives me that message. When I go to the link, the article says this applies to Windows 2000 and Windows 2003, and their solution is to click OK like I did.
Question by:swenger7
 
LVL 3

Expert Comment

by:RKnebel512
ID: 39663359
On the support.microsoft.com site, they say to check the authenticated users permissions on the GPO, to make sure they have the "list object" permission.

http://support.microsoft.com/kb/2838154

To get there, when you are in the Group Policy Management Console, click on the Delegation tab, then click the "Advanced..." button at the bottom right. Then click the "Advanced" button on the next screen too. Then select "Authenticated Users" and click Edit. Make sure the box labeled "List Contents" is selected.
 

Author Comment

by:swenger7
ID: 39663437
When I went to Advanced, under the permission column it did show "list contents" for authenticated users, but when I went to edit it there was nothing checked. So I checked to allow "list contents" and applied, but when I close and open I still get the warning message.
 
LVL 3

Expert Comment

by:RKnebel512
ID: 39663510
The site also mentions that a core cause of this can be that "The access control list (ACL) on the Sysvol part of the Group Policy Object is set to inherit permissions from the parent folder."  You might check to make sure this isn't the case.

To manually do that, go to c:\windows\SYSVOL\sysvol\[yourdomainname]\Policies on your domain controller.  All of your GPOs are listed here in folders named as your GPO's unique ID.  You can find the unique ID of the GPO you are looking at through the Details tab back on the Group Policy Management Console.

Right-click on the GPO folder you want, then select the "Security" tab, then click the "advanced" button.

At the bottom of the "Advanced Security Settings..." screen will be a checkbox labeled "Include inheritable permissions from this object's parent".  Make sure that is unchecked.  

If you need to uncheck it, you will have to click on "Change Permissions" before it will let you uncheck the box.
 

Author Comment

by:swenger7
ID: 39663539
That box is greyed out and unchecked. However, here I noticed that Authenticated Users has NONE under the permission column. I was going to change it to List Folder / Read Data but wanted to make sure before I do that if this is correct to change.
 
LVL 3

Accepted Solution

by:RKnebel512 (earned 150 total points)
ID: 39663571
I would go ahead and change it.  It seems to me there is a different problem that is preventing your Group Policy Management console from making those changes.

But yes, on my DC, that is the way it is, authenticated users have the following permissions on GPOs:

Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
Read permissions

All are set to Allow.
 

Author Comment

by:swenger7
ID: 39663603
Thanks for your guidance in pointing me in the right direction. I found the reason, I think. At least it fixed it. Under Scope / Security Filtering for these 2 policies, I did not have Authenticated Users but rather a specific group. However, Authenticated Users was in the security with None, both in the GP delegation as well as in the GUID folder security. I removed Authenticated Users and I no longer get the error message. I just need to test now to make sure the policies still work for these user groups.
 

Author Closing Comment

by:swenger7
ID: 39663651
Not the exact solution but led me to it.
 

Expert Comment

by:Ronald Hine
ID: 40674948
I had the same problem, but what I was doing was in "security filtering", I was just putting in the security groups that needed the access to the GPO.

1. When I checked the SYSVOL permissions for those GPOs, Authenticated Users was present. I removed this group and the problem was resolved.
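
The two places compared in this thread (the GPO's delegation in Active Directory and the ACL on its GUID folder under SYSVOL\...\Policies) can be listed side by side for every GPO with a read-only script. This is an added example, not something posted by a participant; it assumes the GroupPolicy module (installed with GPMC) and uses `Get-GPPermissions`, the cmdlet name in that module on Windows Server 2008 R2. The `Review` flag is a heuristic chosen for this example, not a Microsoft-defined check.

```powershell
# Read-only audit: for each GPO, show the Authenticated Users entry in AD
# (Delegation tab) next to the ACL on the matching SYSVOL policy folder.
Import-Module GroupPolicy

$authUsers = 'S-1-5-11'   # well-known SID of Authenticated Users
$sidType   = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($gpo in Get-GPO -All) {
    # AD side: the permission level GPMC shows for Authenticated Users.
    $ad = @(Get-GPPermissions -Guid $gpo.Id -All |
            Where-Object { $_.Trustee.Sid.Value -eq $authUsers })
    $adLevel = if ($ad.Count) { [string]$ad[0].Permission } else { '(absent)' }

    # SYSVOL side: the folder named after the GPO's unique ID.
    $path     = '\\{0}\SYSVOL\{0}\Policies\{{{1}}}' -f $gpo.DomainName, $gpo.Id
    $missing  = -not (Test-Path $path)
    $inherits = $null
    $fsRights = '(folder missing)'
    if (-not $missing) {
        $acl      = Get-Acl -Path $path
        # The inheritance checkbox discussed above: protected = unchecked.
        $inherits = -not $acl.AreAccessRulesProtected
        $aces     = @($acl.GetAccessRules($true, $true, $sidType) |
                      Where-Object { $_.IdentityReference.Value -eq $authUsers })
        $fsRights = if ($aces.Count) {
            ($aces | ForEach-Object {
                "$($_.AccessControlType):$($_.FileSystemRights)" }) -join '; '
        } else { '(absent)' }
    }

    # Heuristic (assumption of this example): look closer when the folder is
    # missing or inherits its ACL, when Authenticated Users exists on only one
    # side, or when its AD entry is not one of the standard levels.
    $oneSided = ($adLevel -eq '(absent)') -xor ($fsRights -eq '(absent)')
    New-Object PSObject -Property @{
        GPO            = $gpo.DisplayName
        ADPermission   = $adLevel
        SysvolRights   = $fsRights
        SysvolInherits = $inherits
        Review = [bool]($missing -or $inherits -or $oneSided -or
                        ($adLevel -eq 'GpoCustom'))
    }
}

$report | Sort-Object Review -Descending |
    Format-Table GPO, ADPermission, SysvolRights, SysvolInherits, Review -AutoSize
```

The script changes nothing; any correction is still made through GPMC or the folder's Security tab as described in the posts above.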