Group Policies on Windows 2008 R2 Domain Controller

I was reviewing my policies. I have about a dozen of them. For some reason on 2 policies when I click on it I get a message as follows:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.

For more information, see the Microsoft Knowledge Base article: http://go.microsoft.com/fwlink/?LinkId=20066

I clicked OK several times. Tried closing and reopening GPM, but it still gives me that message. When I go to the link, the article says this applies to Windows 2000 and Windows 2003, and their solution is to click OK like I did.
Asked by swenger7
 
RKnebel512 Commented:
I would go ahead and change it. It seems to me there is a different problem that is preventing your Group Policy Management console from making those changes.

But yes, on my DC, that is the way it is, authenticated users have the following permissions on GPOs:

Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
Read permissions

All are set to Allow.
 
RKnebel512 Commented:
On the support.microsoft site, they say to check the authenticated users permissions on the GPO, to make sure they have the "list object" permission.

http://support.microsoft.com/kb/2838154

To get there, when you are in the Group Policy Management console, click on the Delegation tab, then click the "Advanced..." button at the bottom right. Then click the "Advanced" button on the next screen too. Then select "Authenticated Users" and click Edit. Make sure the box labeled "List Contents" is selected.
 
swenger7 (Author) Commented:
When I went to advanced, under the permission column it did show "list contents" for authenticated users, but when I went to edit it there was nothing checked. So I checked to allow "list contents" and applied, but when I close and open I still get the warning message.
RKnebel512 Commented:
The site also mentions that a core cause of this can be that "The access control list (ACL) on the Sysvol part of the Group Policy Object is set to inherit permissions from the parent folder."  You might check to make sure this isn't the case.

To manually do that, go to c:\windows\SYSVOL\sysvol\[yourdomainname]\Policies on your domain controller.  All of your GPOs are listed here in folders named as your GPO's unique ID.  You can find the unique ID of the GPO you are looking at through the Details tab back on the Group Policy Management Console.

Right-click on the GPO folder you want, then select the "Security" tab, then click the "advanced" button.

At the bottom of the "Advanced Security Settings..." screen will be a checkbox labeled "Include inheritable permissions from this object's parent".  Make sure that is unchecked.  

If you need to uncheck it, you will have to click on "Change Permissions" before it will let you uncheck the box.
 
swenger7 (Author) Commented:
That box is greyed out and unchecked. However, here I noticed that Authenticated Users has NONE under the permission column. I was going to change it to List Folder / Read Data but wanted to make sure before I do that if this is correct to change.
 
swenger7 (Author) Commented:
Thanks for your guidance in pointing me in the right direction. I found the reason, I think. At least it fixed it. Under Scope / Security Filtering for these 2 policies, I did not have Authenticated Users but rather a specific group. However, Authenticated Users was in the security with None, both in the GP delegation as well as in the GUID folder security. I removed Authenticated Users and I no longer get the error message. I just need to test now to make sure the policies still work for these user groups.
 
swenger7 (Author) Commented:
Not the exact solution but led me to it.
 
Ronald Hine (Network & Fleet Administrator) Commented:
I had the same problem, but what I was doing was in "security filtering", I was just putting in the security groups that needed the access to the GPO.

1. When I checked the SYSVOL permissions for those GPOs, Authenticated Users was present. I removed this group and the problem was resolved.
Question has a verified solution.
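
The two ACLs the thread compares by hand (the Delegation tab in Active Directory and the Security tab on the GPO's SYSVOL folder) can be listed side by side for every GPO. The PowerShell below is an added example, not code from the thread or from Microsoft; the function name Get-GpoAclReport and its Review flag are hypothetical, and it assumes the GroupPolicy module is installed and SYSVOL is reachable at \\<domain>\SYSVOL.

```powershell
# Added example: read-only audit, changes nothing.
# Assumes the GroupPolicy module (installed with GPMC) and read access to SYSVOL.
Import-Module GroupPolicy

function Get-GpoAclReport {   # hypothetical helper name
    $authUsersSid = 'S-1-5-11'   # well-known SID of Authenticated Users

    foreach ($gpo in Get-GPO -All) {
        # Active Directory side: the entries shown on the Delegation tab
        $adAces = @(Get-GPPermissions -Guid $gpo.Id -All |
            Where-Object { $_.Trustee.Sid.Value -eq $authUsersSid })

        # SYSVOL side: the ACL on the GPO's {GUID} folder
        $path = '\\{0}\SYSVOL\{0}\Policies\{1}' -f $gpo.DomainName, $gpo.Id.ToString('B')
        $acl  = Get-Acl -Path $path
        $fsAces = @($acl.GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $authUsersSid })

        New-Object PSObject -Property @{
            Gpo            = $gpo.DisplayName
            Id             = $gpo.Id
            AdPermission   = ($adAces | ForEach-Object { $_.Permission }) -join ','
            SysvolRights   = ($fsAces | ForEach-Object { $_.FileSystemRights }) -join ','
            # True means the folder takes permissions from the Policies parent
            SysvolInherits = -not $acl.AreAccessRulesProtected
            # Rough heuristic for manual review, not GPMC's own consistency test:
            # the trustee exists on only one side, or the folder inherits its ACL
            Review         = ($adAces.Count -gt 0) -ne ($fsAces.Count -gt 0) -or
                             -not $acl.AreAccessRulesProtected
        }
    }
}

# List only the GPOs worth opening in GPMC and Explorer
Get-GpoAclReport | Where-Object { $_.Review } |
    Format-Table Gpo, AdPermission, SysvolRights, SysvolInherits -AutoSize
```

An empty AdPermission or SysvolRights column means Authenticated Users has no entry on that side.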