Solved

Group Policies on Windows 2008 R2 Domain Controller

Posted on 2013-11-20
8
3,450 Views
Last Modified: 2015-03-18
I was reviewing my policies. I have about a dozen of them. For some reason on 2 policies when I click on it I get a message as follows:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.

For more information, see the Microsoft Knowledge Base article: http://go.microsoft.com/fwlink/?LinkId=20066

I clicked OK several times. Tried closing and reopening GPM but it still gives me that message. When I go to the link it says, the article says this applies to Windows 2000 and Windows 2003 and their solution is to click OK like I did.
0
Comment
Question by:swenger7
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 3

Expert Comment

by:RKnebel512
ID: 39663359
On the support. microsoft site, they say to check the authenticated users permissions on the GPO, to make sure they have the "list object" permission.

http://support.microsoft.com/kb/2838154

To get there, when you are in the Group Policy management console, click on the delegation tab, then click the "Advanced..." button at the bottom right.  Then Click the "Advanced" button on the next screen too.  Then select "Authenticated Users" and click edit.  Make sure the box labeled "List Contents" is selected.
0
 

Author Comment

by:swenger7
ID: 39663437
When I went to advanced under the permission column it did show "list contents" for authenticated users but when I went to edit it there was nothing checked. So I checked to allow "list contents" and applied but when I close and open I still get the warning message
0
 
LVL 3

Expert Comment

by:RKnebel512
ID: 39663510
The site also mentions that a core cause of this can be that "The access control list (ACL) on the Sysvol part of the Group Policy Object is set to inherit permissions from the parent folder."  You might check to make sure this isn't the case.

To manually do that, go to c:\windows\SYSVOL\sysvol\[yourdomainname]\Policies on your domain controller.  All of your GPOs are listed here in folders named as your GPO's unique ID.  You can find the unique ID of the GPO you are looking at through the Details tab back on the Group Policy Management Console.

Right-click on the GPO folder you want, then select the "Security" tab, then click the "advanced" button.

At the bottom of the "Advanced Security Settings..." screen will be a checkbox labeled "Include inheritable permissions from this object's parent".  Make sure that is unchecked.  

If you need to uncheck it, you will have to click on "Change Permissions" before it will let you uncheck the box.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:swenger7
ID: 39663539
That box is greyed and UN checked. However, here I noticed that the Authenticated Users has NONE under the permission column. I was going to change it to List Folder / Read Data but wanted to make sure before I do that if this is correct to change.
0
 
LVL 3

Accepted Solution

by:
RKnebel512 earned 150 total points
ID: 39663571
I would go ahead and change it.  It seems to me there is a different problem that is preventing you Group Policy Management console from making those changes.

But yes, on my DC, that is the way it is, authenticated users have the following permissions on GPOs:

Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes
Read permissions

All are set to Allow.
0
 

Author Comment

by:swenger7
ID: 39663603
Thanks for your guidance in pointing me in the right direction. I found the reason I think. Atleast it fixed it. Under Scope / Security Filtering for these 2 policies, I did not have authenticated users but rather a specific Group. However Authenticated users was in the security with none both in the GP delegation as well as in the GUID Folder security. I removed Authenticated users and I no longer get the error message. I just need to test now to make sure the policies still work for these user groups.
0
 

Author Closing Comment

by:swenger7
ID: 39663651
Not the exact solution but led me to it.
0
 

Expert Comment

by:Ronald Hine
ID: 40674948
I had the same problem, but what I was doing was in "security filtering", I was just putting in the security groups that needed the access to the GPO.

1. When I checked the sysvol permissions for those GPO's Authenticated Users was present, I removed this group and the problem was resolved.
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question