Solved

Access denied when editing/deleting group policy in server 2012 R2 domain

Posted on 2015-01-07
3,397 Views
Last Modified: 2015-01-08
When attempting to delete or edit a Group Policy using the GPMC snap-in, I'm seeing:

[screenshot: "Access is denied" error in GPMC]
I'm using a privileged user (Administrator, domain wide account), the forest and domain function levels are at 2012 R2 and replication is working as designed:

PS C:\Users\Administrator.WORKFORCE> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = lii-dc01
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Livonia\LII-DC01
      Starting test: Connectivity
         ......................... LII-DC01 passed test Connectivity

Doing primary tests

   Testing server: Livonia\LII-DC01
      Starting test: Advertising
         ......................... LII-DC01 passed test Advertising
      Starting test: FrsEvent
         ......................... LII-DC01 passed test FrsEvent
      Starting test: DFSREvent
         ......................... LII-DC01 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... LII-DC01 passed test SysVolCheck
      Starting test: KccEvent
         ......................... LII-DC01 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... LII-DC01 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... LII-DC01 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... LII-DC01 passed test NCSecDesc
      Starting test: NetLogons
         ......................... LII-DC01 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... LII-DC01 passed test ObjectsReplicated
      Starting test: Replications
         ......................... LII-DC01 passed test Replications
      Starting test: RidManager
         ......................... LII-DC01 passed test RidManager
      Starting test: Services
         ......................... LII-DC01 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000271A
            Time Generated: 01/07/2015   11:30:26
            Event String:
            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
         ......................... LII-DC01 failed test SystemLog
      Starting test: VerifyReferences
         ......................... LII-DC01 passed test VerifyReferences


   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : workforce
      Starting test: CheckSDRefDom
         ......................... workforce passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... workforce passed test CrossRefValidation

   Running enterprise tests on : workforce.wfs
      Starting test: LocatorCheck
         ......................... workforce.wfs passed test LocatorCheck
      Starting test: Intersite
         ......................... workforce.wfs passed test Intersite


Delegation looks good on the GPO I'm editing as well:

[screenshot: Delegation tab of the GPO]
Permissions have not changed on SYSVOL. I've also checked to see if it is read-only; it is, but only for sub-files. Unchecking it makes no difference:

[screenshot: read-only attribute on the SYSVOL folder]

What's the cause of this? It is preventing us from deleting and editing GPOs.
Question by:meade470

4 Comments

LVL 53

Expert Comment

by:Will Szymkowski
ID: 40536101
Have you been able to use Remove-GPO from PowerShell to remove the group policy? Can you create new GPOs and delete them? Is there a Deny permission somewhere in the hierarchy?

Another thing you might want to check is the Open Files on your PDC holder. Close any of the files that are opened related to your GPO you are trying to delete.

Will.
LVL 2

Author Comment

by:meade470
ID: 40536269
Tried doing it from PowerShell:

PS C:\Users\Administrator.WORKFORCE> Remove-GPO -Name 'WFS Domain-Wide Policy'
Remove-GPO : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:1
+ Remove-GPO -Name 'WFS Domain-Wide Policy'
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Remove-GPO], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.GroupPolicy.Commands.RemoveGpoCommand

Denied still. I can create new GPOs, but post creation cannot delete them.

There is a DENY on Everyone for 'delete all child objects':

[screenshot: Deny entry for Everyone on "Delete all child objects"]
but that seems normal?

Closed all files, and the primary domain controller that holds the FSMO roles. Still same results.
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 40536367
Well, as you probably already know, this is definitely a permissions issue somewhere. Have you tried to go into the Advanced section on the screenshot you have provided to ensure your account has proper permission? If you add yourself with full permissions and then propagate permissions, does this work?

You have permissions to create just not modify or delete.

Do you have any Active Directory auditing software which could help to see if someone changed permissions somewhere?

like AD Audit Plus

Will.
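
The check Will describes, done from PowerShell instead of the Advanced security dialog: this is an added example, not code from the thread. It lists every Deny ACE on a GPO's Active Directory object and on its SYSVOL folder, so a Deny for Everyone on DeleteChild (shown as "Delete all child objects" in the GUI) is visible at a glance; it assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined admin host and the function name Get-GpoDenyAce is my own.

```powershell
# Added example (not from the thread): enumerate Deny ACEs on a GPO's AD
# object and on its SYSVOL folder. A Deny ACE wins over an Allow ACE for the
# same principal, and "Everyone" includes the domain Administrator, which is
# why a Deny for Everyone on DeleteChild blocked Remove-GPO in this thread.
# Assumes RSAT ActiveDirectory and GroupPolicy modules, run as a domain admin.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoDenyAce {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Name)

    $gpo = Get-GPO -Name $Name

    # GPC half: the policy container under CN=Policies,CN=System in the domain NC
    $domainDn = (Get-ADDomain -Identity $gpo.DomainName).DistinguishedName
    $gpcDn    = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
    $adAcl    = Get-Acl -Path "AD:\$gpcDn"
    foreach ($ace in ($adAcl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        [pscustomobject]@{
            Scope     = 'AD object'
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights.ToString()   # e.g. DeleteChild
            Inherited = $ace.IsInherited
        }
    }

    # GPT half: the NTFS folder under SYSVOL, whose ACL must also allow the change
    $gptPath = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
    $fsAcl   = Get-Acl -Path $gptPath
    foreach ($ace in ($fsAcl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        [pscustomobject]@{
            Scope     = 'SYSVOL folder'
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights.ToString()
            Inherited = $ace.IsInherited
        }
    }
}

# The GPO from this thread: could be created, but not modified or deleted
Get-GpoDenyAce -Name 'WFS Domain-Wide Policy' | Format-Table -AutoSize
```

An empty result means no explicit Deny on either half of the GPO; a row with Identity "Everyone" and DeleteChild in Rights is the condition the author found and cleared with "Restore defaults".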
LVL 2

Author Comment

by:meade470
ID: 40537704
Will, you were right.

It was set to this:

[screenshot: Advanced security settings of the GPO, taken on lii-dc02]
and the DENY setting for Everyone was taking precedence.

Used the restore defaults:

[screenshot: GPO security settings after "Restore defaults", taken on lii-dc02]
to fix it. Now can delete/edit properly!