Solved

Group Policies on Windows 2008 R2 Domain Controller

Posted on 2013-11-20
8
3,264 Views
Last Modified: 2015-03-18
I was reviewing my policies. I have about a dozen of them. For some reason on 2 policies when I click on it I get a message as follows:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.

For more information, see the Microsoft Knowledge Base article: http://go.microsoft.com/fwlink/?LinkId=20066

I clicked OK several times. Tried closing and reopening GPM but it still gives me that message. When I go to the link it says, the article says this applies to Windows 2000 and Windows 2003 and their solution is to click OK like I did.
0
Comment
Question by:swenger7
  • 4
  • 3
8 Comments
 
LVL 3

Expert Comment

by:RKnebel512
ID: 39663359
On the support. microsoft site, they say to check the authenticated users permissions on the GPO, to make sure they have the "list object" permission.

http://support.microsoft.com/kb/2838154

To get there, when you are in the Group Policy management console, click on the delegation tab, then click the "Advanced..." button at the bottom right.  Then Click the "Advanced" button on the next screen too.  Then select "Authenticated Users" and click edit.  Make sure the box labeled "List Contents" is selected.
0
 

Author Comment

by:swenger7
ID: 39663437
When I went to advanced under the permission column it did show "list contents" for authenticated users but when I went to edit it there was nothing checked. So I checked to allow "list contents" and applied but when I close and open I still get the warning message
0
 
LVL 3

Expert Comment

by:RKnebel512
ID: 39663510
The site also mentions that a core cause of this can be that "The access control list (ACL) on the Sysvol part of the Group Policy Object is set to inherit permissions from the parent folder."  You might check to make sure this isn't the case.

To manually do that, go to c:\windows\SYSVOL\sysvol\[yourdomainname]\Policies on your domain controller.  All of your GPOs are listed here in folders named as your GPO's unique ID.  You can find the unique ID of the GPO you are looking at through the Details tab back on the Group Policy Management Console.

Right-click on the GPO folder you want, then select the "Security" tab, then click the "advanced" button.

At the bottom of the "Advanced Security Settings..." screen will be a checkbox labeled "Include inheritable permissions from this object's parent".  Make sure that is unchecked.  

If you need to uncheck it, you will have to click on "Change Permissions" before it will let you uncheck the box.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:swenger7
ID: 39663539
That box is greyed and UN checked. However, here I noticed that the Authenticated Users has NONE under the permission column. I was going to change it to List Folder / Read Data but wanted to make sure before I do that if this is correct to change.
0
 
LVL 3

Accepted Solution

by:
RKnebel512 earned 150 total points
ID: 39663571
I would go ahead and change it.  It seems to me there is a different problem that is preventing you Group Policy Management console from making those changes.

But yes, on my DC, that is the way it is, authenticated users have the following permissions on GPOs:

Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
Read permissions

All are set to Allow.
0
 

Author Comment

by:swenger7
ID: 39663603
Thanks for your guidance in pointing me in the right direction. I found the reason I think. Atleast it fixed it. Under Scope / Security Filtering for these 2 policies, I did not have authenticated users but rather a specific Group. However Authenticated users was in the security with none both in the GP delegation as well as in the GUID Folder security. I removed Authenticated users and I no longer get the error message. I just need to test now to make sure the policies still work for these user groups.
0
 

Author Closing Comment

by:swenger7
ID: 39663651
Not the exact solution but led me to it.
0
 

Expert Comment

by:Ronald Hine
ID: 40674948
I had the same problem, but what I was doing was in "security filtering", I was just putting in the security groups that needed the access to the GPO.

1. When I checked the sysvol permissions for those GPO's Authenticated Users was present, I removed this group and the problem was resolved.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question