Solved

Access denied when editing/deleting group policy in server 2012 R2 domain

Posted on 2015-01-07
Last Modified: 2015-01-08
When attempting to delete or edit a Group Policy using the GPMC snap-in, I'm seeing:

[screenshot: access denied]
I'm using a privileged user (Administrator, domain-wide account), the forest and domain functional levels are at 2012 R2, and replication is working as designed:

PS C:\Users\Administrator.WORKFORCE> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = lii-dc01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Livonia\LII-DC01
      Starting test: Connectivity
         ......................... LII-DC01 passed test Connectivity

Doing primary tests

   Testing server: Livonia\LII-DC01
      Starting test: Advertising
         ......................... LII-DC01 passed test Advertising
      Starting test: FrsEvent
         ......................... LII-DC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... LII-DC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... LII-DC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... LII-DC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... LII-DC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... LII-DC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... LII-DC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... LII-DC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... LII-DC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... LII-DC01 passed test Replications
      Starting test: RidManager
         ......................... LII-DC01 passed test RidManager
      Starting test: Services
         ......................... LII-DC01 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 01/07/2015   11:30:26
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         ......................... LII-DC01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... LII-DC01 passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : workforce
      Starting test: CheckSDRefDom
         ......................... workforce passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... workforce passed test CrossRefValidation

   Running enterprise tests on : workforce.wfs
      Starting test: LocatorCheck
         ......................... workforce.wfs passed test LocatorCheck
      Starting test: Intersite
         ......................... workforce.wfs passed test Intersite


Delegation looks good on the GPO i'm editing as well:

[screenshot: delegation]
Permissions have not changed on SYSVOL. I've also checked to see if it is read-only; it is, but only for sub-files. Unchecking it makes no difference:

[screenshot: read-only]

What's the cause of this? It is preventing us from deleting and editing GPOs.

Question by: meade470
Expert Comment by: Will Szymkowski (LVL 53), ID: 40536101

Have you been able to use Remove-GPO from PowerShell to remove the group policy? Can you create new GPOs and delete them? Is there a Deny permission somewhere in the hierarchy?

Another thing you might want to check is the Open Files on your PDC holder. Close any of the files that are opened related to your GPO you are trying to delete.

Will.

Author Comment by: meade470 (LVL 2), ID: 40536269

Tried doing it from PowerShell:

PS C:\Users\Administrator.WORKFORCE> Remove-GPO -Name 'WFS Domain-Wide Policy'
Remove-GPO : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Remove-GPO -Name 'WFS Domain-Wide Policy'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Remove-GPO], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.GroupPolicy.Commands.RemoveGpoCommand


Denied still. I can create new GPOs, but post-creation cannot delete them.

There is a DENY on Everyone for 'delete all child objects':

[screenshot: deny entry]
but that seems normal?

Closed all files, and the primary domain controller that holds the FSMO roles. Still same results.

Accepted Solution by: Will Szymkowski (LVL 53), earned 500 total points, ID: 40536367

Well, as you probably already know, this is definitely a permissions issue somewhere. Have you tried to go into the Advanced section on the screenshot you have provided to ensure your account has proper permission? If you add yourself with full permissions and then propagate permissions, does this work?

You have permissions to create just not modify or delete.

Do you have any Active Directory auditing software which could help to see if someone changed permissions somewhere?

like AD Audit Plus

Will.

Author Comment by: meade470 (LVL 2), ID: 40537704

Will, you were right.

It was set to this:

[screenshot: 2015-01-08-08-06-22-lii-dc02---Remote-De]
and the DENY setting for Everyone was taking precedence.

Used the restore defaults:

[screenshot: 2015-01-08-08-07-26-lii-dc02---Remote-De]
to fix it. Now can delete/edit properly!
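The permission check Will suggests, and the DENY-for-Everyone the author eventually found, can be surfaced from the command line without clicking through GPMC. The script below is an added example, not code from the original thread; it assumes the GroupPolicy and ActiveDirectory RSAT modules and a session that can read the GPO, its AD object, and its SYSVOL folder.

```powershell
# Added example (not from the original thread): list every Deny entry that affects
# one GPO, in the three places Group Policy permissions live. In the thread an
# explicit DENY for Everyone on the GPO's AD object was overriding the Allow
# entries, which is why even Administrator got E_ACCESSDENIED from Remove-GPO.
# Assumes the GroupPolicy and ActiveDirectory modules are installed.
param(
    [Parameter(Mandatory)] [string] $GpoName   # e.g. 'WFS Domain-Wide Policy'
)
Import-Module GroupPolicy, ActiveDirectory

$gpo    = Get-GPO -Name $GpoName
$domain = Get-ADDomain
$dn     = "CN={$($gpo.Id)},CN=Policies,CN=System,$($domain.DistinguishedName)"
$sysvol = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}"

$denies = @()

# 1. What GPMC's Delegation tab summarises (explicit and inherited entries)
$denies += Get-GPPermission -Guid $gpo.Id -All | Where-Object Denied |
    ForEach-Object {
        [pscustomobject]@{ Where = 'GPMC delegation'; Trustee = $_.Trustee.Name
                           Rights = $_.Permission;    Inherited = $_.Inherited }
    }

# 2. The raw ACL of the groupPolicyContainer object in AD. An explicit Deny ACE
#    here wins over an Allow for the same rights on the same object.
$denies += (Get-Acl -Path "AD:\$dn").Access |
    Where-Object AccessControlType -eq 'Deny' |
    ForEach-Object {
        [pscustomobject]@{ Where = 'AD object'; Trustee = $_.IdentityReference
                           Rights = $_.ActiveDirectoryRights; Inherited = $_.IsInherited }
    }

# 3. The NTFS ACL of the policy folder in SYSVOL
$denies += (Get-Acl -Path $sysvol).Access |
    Where-Object AccessControlType -eq 'Deny' |
    ForEach-Object {
        [pscustomobject]@{ Where = 'SYSVOL folder'; Trustee = $_.IdentityReference
                           Rights = $_.FileSystemRights; Inherited = $_.IsInherited }
    }

if ($denies) { $denies | Format-Table -AutoSize }
else         { "No Deny entries found on '$GpoName'." }
```

The script only reads; once a stray entry is located, the fix the thread used was the restore-defaults option in the Advanced security dialog of the GPO.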
