Solved

Group Policies on Windows 2008 R2 Domain Controller

Posted on 2013-11-20
Last Modified: 2015-03-18
I was reviewing my policies. I have about a dozen of them. For some reason on 2 policies when I click on it I get a message as follows:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.

For more information, see the Microsoft Knowledge Base article: http://go.microsoft.com/fwlink/?LinkId=20066

I clicked OK several times. I tried closing and reopening GPM, but it still gives me that message. When I go to the link, the article says this applies to Windows 2000 and Windows 2003, and their solution is to click OK like I did.
0
Question by:swenger7
8 Comments
 
LVL 3

Expert Comment

by:RKnebel512
ID: 39663359
On the support.microsoft site, they say to check the authenticated users permissions on the GPO, to make sure they have the "list object" permission.

http://support.microsoft.com/kb/2838154

To get there, when you are in the Group Policy Management console, click on the Delegation tab, then click the "Advanced..." button at the bottom right. Then click the "Advanced" button on the next screen too. Then select "Authenticated Users" and click Edit. Make sure the box labeled "List Contents" is selected.
0
 

Author Comment

by:swenger7
ID: 39663437
When I went to Advanced, under the permission column it did show "list contents" for authenticated users, but when I went to edit it there was nothing checked. So I checked to allow "list contents" and applied, but when I close and open I still get the warning message.
0
 
LVL 3

Expert Comment

by:RKnebel512
ID: 39663510
The site also mentions that a core cause of this can be that "The access control list (ACL) on the Sysvol part of the Group Policy Object is set to inherit permissions from the parent folder."  You might check to make sure this isn't the case.

To manually do that, go to c:\windows\SYSVOL\sysvol\[yourdomainname]\Policies on your domain controller.  All of your GPOs are listed here in folders named as your GPO's unique ID.  You can find the unique ID of the GPO you are looking at through the Details tab back on the Group Policy Management Console.

Right-click on the GPO folder you want, then select the "Security" tab, then click the "advanced" button.

At the bottom of the "Advanced Security Settings..." screen will be a checkbox labeled "Include inheritable permissions from this object's parent".  Make sure that is unchecked.  

If you need to uncheck it, you will have to click on "Change Permissions" before it will let you uncheck the box.
0

 

Author Comment

by:swenger7
ID: 39663539
That box is greyed and unchecked. However, here I noticed that the Authenticated Users has NONE under the permission column. I was going to change it to List Folder / Read Data but wanted to make sure before I do that if this is correct to change.
0
 
LVL 3

Accepted Solution

by:
RKnebel512 earned 450 total points
ID: 39663571
I would go ahead and change it.  It seems to me there is a different problem that is preventing your Group Policy Management console from making those changes.

But yes, on my DC, that is the way it is, authenticated users have the following permissions on GPOs:

Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
Read permissions

All are set to Allow.
0
 

Author Comment

by:swenger7
ID: 39663603
Thanks for your guidance in pointing me in the right direction. I found the reason, I think. At least it fixed it. Under Scope / Security Filtering for these 2 policies, I did not have Authenticated Users but rather a specific group. However, Authenticated Users was in the security with None both in the GP delegation as well as in the GUID folder security. I removed Authenticated Users and I no longer get the error message. I just need to test now to make sure the policies still work for these user groups.
0
 

Author Closing Comment

by:swenger7
ID: 39663651
Not the exact solution but led me to it.
0
 

Expert Comment

by:Ronald Hine
ID: 40674948
I had the same problem, but what I was doing was in "security filtering", I was just putting in the security groups that needed the access to the GPO.

1. When I checked the SYSVOL permissions for those GPOs, Authenticated Users was present. I removed this group and the problem was resolved.
0
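
The checks walked through in this thread (the Authenticated Users entry on the GPO's Delegation tab, the same entry on the GPO's GUID folder in SYSVOL, and the folder's inheritance checkbox) can be listed for every GPO in one read-only pass. This is an added example, not part of the original thread: it assumes the GroupPolicy module that ships with GPMC is available, the function name `Get-GpoAclReport` is made up for illustration, and how an entry with no rights is reported by `Get-GPPermissions` is an assumption.

```powershell
# Added example, not from the thread. Read-only: nothing here changes an ACL.
# Assumes the GroupPolicy module (installed with GPMC) and read access to SYSVOL.
Import-Module GroupPolicy

function Get-GpoAclReport {   # hypothetical helper name
    $authUsers = 'S-1-5-11'   # well-known SID of Authenticated Users
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    foreach ($gpo in Get-GPO -All) {
        $dom    = $gpo.DomainName
        $folder = "\\$dom\SYSVOL\$dom\Policies\$($gpo.Id.ToString('B'))"

        # Active Directory side: what the Delegation tab shows.
        $adPerms = @(Get-GPPermissions -Guid $gpo.Id -All |
            Where-Object { $_.Trustee.Sid.Value -eq $authUsers } |
            ForEach-Object { $_.Permission.ToString() })

        # SYSVOL side: the Security tab of the GPO's GUID folder.
        $inherits = 'folder not found'
        $fsRights = @()
        if (Test-Path -Path $folder) {
            $acl      = Get-Acl -Path $folder
            # Protected rules mean the "include inheritable permissions" box is unchecked.
            $inherits = -not $acl.AreAccessRulesProtected
            $fsRights = @($acl.GetAccessRules($true, $true, $sidType) |
                Where-Object { $_.IdentityReference.Value -eq $authUsers } |
                ForEach-Object { $_.FileSystemRights.ToString() })
        }

        New-Object PSObject -Property @{
            Gpo                = $gpo.DisplayName
            Id                 = $gpo.Id
            InheritsFromParent = $inherits
            AuthUsersInAD      = $adPerms -join ', '
            AuthUsersOnSysvol  = $fsRights -join ', '
            # Entry exists somewhere but does not carry Apply rights (assumed to be
            # how the leftover entry on a group-filtered GPO shows up).
            NoApplyEntry       = (($adPerms.Count + $fsRights.Count) -gt 0) -and
                                 ($adPerms -notcontains 'GpoApply')
        }
    }
}

Get-GpoAclReport |
    Select-Object Gpo, Id, InheritsFromParent, AuthUsersInAD, AuthUsersOnSysvol, NoApplyEntry |
    Format-Table -AutoSize
```

Rows where `InheritsFromParent` is True or `NoApplyEntry` is True are the ones to compare against each GPO's Security Filtering before changing any permission.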
