Why would Group Policy Management in Windows Server 2008 lock out Domain and Enterprise Admins

Posted on 2014-08-18
Medium Priority
Last Modified: 2014-08-19

When attempting to manage the Default Group policy, all of my domain admin accounts and enterprise admin accounts' privileges went to custom, and locked me out of being able to edit my GPO.  It says I lost permissions, and cannot make changes.

How do I recover?
Question by:Evan Cutler
LVL 14

Assisted Solution

by:Brad Groux
Brad Groux earned 200 total points
ID: 40268964
Are you trying to edit the GPO directly from a Domain Controller using GPMC?

If so, it sounds like you may have some replication issues to clear up.

Verify in domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9} the two adm folders probably have a FolderName_NTFRS_<xxxxxxxx> appended on them.

Rename FRS directories.

Reinitialize replication with BurFlags.
LVL 84

Accepted Solution

David Johnson, CD, MVP earned 1800 total points
ID: 40269281
did you perchance move those items into the protected groups OU?

Author Closing Comment

by:Evan Cutler
ID: 40271332
Thank you guys.
David, your solution was it.  The GPMC Default Groups got stuck under a delegate OU that tried to take over the network.

Appreciate the idea Brad...if anything happens again, I'll remember what you said. This time it was not the case.

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Backups and Disaster RecoveryIn this post, we’ll look at strategies for backups and disaster recovery.
New style of hardware planning for Microsoft Exchange server.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question