• Status: Solved

Access denied when editing/deleting group policy in server 2012 R2 domain

When attempting to delete or edit a Group Policy using the GPMC snap-in, I'm seeing:

[screenshot: denied]

I'm using a privileged user (Administrator, domain-wide account), the forest and domain functional levels are at 2012 R2, and replication is working as designed:

PS C:\Users\Administrator.WORKFORCE> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = lii-dc01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Livonia\LII-DC01
      Starting test: Connectivity
         ......................... LII-DC01 passed test Connectivity

Doing primary tests

   Testing server: Livonia\LII-DC01
      Starting test: Advertising
         ......................... LII-DC01 passed test Advertising
      Starting test: FrsEvent
         ......................... LII-DC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... LII-DC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... LII-DC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... LII-DC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... LII-DC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... LII-DC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... LII-DC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... LII-DC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... LII-DC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... LII-DC01 passed test Replications
      Starting test: RidManager
         ......................... LII-DC01 passed test RidManager
      Starting test: Services
         ......................... LII-DC01 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 01/07/2015   11:30:26
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         ......................... LII-DC01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... LII-DC01 passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : workforce
      Starting test: CheckSDRefDom
         ......................... workforce passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... workforce passed test CrossRefValidation

   Running enterprise tests on : workforce.wfs
      Starting test: LocatorCheck
         ......................... workforce.wfs passed test LocatorCheck
      Starting test: Intersite
         ......................... workforce.wfs passed test Intersite


Delegation looks good on the GPO I'm editing as well:

[screenshot: dele]

Permissions have not changed on SYSVOL. I've also checked whether it is read-only; it is, but only for sub-files. Unchecking it makes no difference:

[screenshot: read]

What's the cause of this? It is preventing us from deleting and editing GPOs.

Asked by: meade470
1 Solution

Will Szymkowski (Senior Solution Architect) commented:
Have you been able to use Remove-GPO from PowerShell to remove the group policy? Can you create new GPOs and delete them? Is there a Deny permission somewhere in the hierarchy?

Another thing you might want to check is the Open Files on your PDC holder. Close any of the files that are opened related to your GPO you are trying to delete.

Will.

meade470 (Author) commented:
Tried doing it from PowerShell:

PS C:\Users\Administrator.WORKFORCE> Remove-GPO -Name 'WFS Domain-Wide Policy'
Remove-GPO : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Remove-GPO -Name 'WFS Domain-Wide Policy'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Remove-GPO], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.GroupPolicy.Commands.RemoveGpoCommand


Denied still. I can create new GPOs, but post creation, cannot delete them.

There is a DENY on Everyone for 'delete all child objects':

[screenshot: deny1]

but that seems normal?

Closed all files, and the primary domain controller that holds the FSMO roles. Still same results.

Will Szymkowski (Senior Solution Architect) commented:
Well, as you probably already know, this is definitely a permissions issue somewhere. Have you tried going into the Advanced section on the screenshot you have provided to ensure your account has proper permission? If you add yourself with full permissions and then propagate permissions, does this work?

You have permissions to create just not modify or delete.

Do you have any Active Directory auditing software which could help to see if someone changed permissions somewhere?

like AD Audit Plus

Will.

meade470 (Author) commented:
Will, you were right.

It was set to this:

[screenshot: 2015-01-08-08-06-22-lii-dc02---Remote-De]

and the DENY setting for Everyone was taking precedence.

Used the restore defaults:

[screenshot: 2015-01-08-08-07-26-lii-dc02---Remote-De]

to fix it. Now I can delete/edit properly!
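A way to check for this condition across a whole domain rather than one GPO at a time, as an added PowerShell example that is not part of the original thread or of any Microsoft tooling: it lists every Deny ACE on each GPO's Active Directory object and on its SYSVOL folder, and flags entries granted to broad principals such as Everyone, which is the entry the thread found taking precedence over the administrator's Allow. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the running account can read the security descriptors; the `$broadSids` list and the `Get-DenyAces` helper are my own names.

```powershell
# Added example, not from the original thread: report Deny ACEs on every GPO,
# on both its AD object (groupPolicyContainer) and its SYSVOL folder.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules are present.
Import-Module GroupPolicy
Import-Module ActiveDirectory   # provides the AD: PSDrive that Get-Acl uses below

$domain = (Get-ADDomain).DNSRoot

# Well-known SIDs that include administrators too, so a Deny for them
# overrides an administrator's Allow (assumed list, extend as needed).
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

# Helper (my own): turn the Deny entries of an ACL into report rows.
function Get-DenyAces {
    param($Access, [string]$Location)
    foreach ($ace in $Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        $sid = $null
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { }
        # AD rules expose ActiveDirectoryRights; NTFS rules expose FileSystemRights.
        $rights = if ($ace.PSObject.Properties['ActiveDirectoryRights']) {
            $ace.ActiveDirectoryRights
        } else {
            $ace.FileSystemRights
        }
        [pscustomobject]@{
            Location  = $Location
            Identity  = $ace.IdentityReference.Value
            Rights    = $rights
            Inherited = $ace.IsInherited
            Broad     = ($broadSids -contains $sid)
        }
    }
}

$findings = foreach ($gpo in Get-GPO -All) {
    # AD side: $gpo.Path is the DN under CN=Policies,CN=System
    $adAcl = Get-Acl -Path ("AD:\" + $gpo.Path)
    Get-DenyAces -Access $adAcl.Access -Location "AD object of '$($gpo.DisplayName)'"

    # File side: the matching {GUID} folder in SYSVOL
    $sysvol = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id.ToString().ToUpper())}"
    if (Test-Path -Path $sysvol) {
        $fsAcl = Get-Acl -Path $sysvol
        Get-DenyAces -Access $fsAcl.Access -Location "SYSVOL folder of '$($gpo.DisplayName)'"
    }
}

if (-not $findings) {
    'No Deny ACEs found on any GPO.'
} else {
    # Broad-principal denies first: those are the ones that lock administrators out.
    $findings | Sort-Object -Property Broad -Descending | Format-Table -AutoSize
}
```

The script only reports; it changes nothing. A Deny row whose Broad column is True and whose Rights include delete or write rights on the AD object is the pattern described in this thread, and the fix the thread used (Restore defaults in the GPO's Advanced security dialog) is the appropriate remediation rather than editing individual ACEs by hand. Non-inherited Deny entries on a single GPO are also worth correlating with your directory change auditing, since someone or something placed them there.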