Access denied to save GPO

Hi Experts,

I am trying to modify password policy using my domain admin account but receiving the following error:

Access is denied. Failed to save \\domain.com\sysvol\domain.com\Policies\policynumber\Machine\Microsoft\WindowsNT\SecEdit\Gpt Tmpl.inf.Make sure that you have the right permissiones to this object.

I tried to follow the following link but it did not help. Please advise.

http://blogs.technet.com/b/matthewms/archive/2005/10/29/413275.aspx
ipsec600Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

NinjaStyle82Systems AdministratorCommented:
What version of Windows are you on?
If 2003, check this: https://support.microsoft.com/en-us/kb/936483
0
ipsec600Author Commented:
Thanks Frank for your prompt reply, but I am using windows server 2008 R2 Data Center edition.
0
NinjaStyle82Systems AdministratorCommented:
does the domain admins group have write permissions to the policy?

Maybe try this:
1.      Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2.      In the Active Directory Users and Computers window, on the View menu, click Advanced Features.
3.      In the left pane, expand System, and then click Policies.
4.      In the right pane, right-click the GPO folder that you want to modify, and then click Properties.
5.      Click the Security tab, and then click the group in the Group or user names list for which you want to set the access permission.
6.      In the Permissions for Authenticated Users list, under the Deny column, click to select the check box that is next to the Write permission, and then click OK.
7.      On the File menu, click Exit to close the Active Directory Users and Computers window.
8.      Click Start, click Run, type explorer.exe, and then click OK.
9.      In Windows Explorer, locate and then click the following folder:
%SystemRoot%\SYSVOL\sysvol\DomainName\Policies
Note In this folder name, DomainName is the name of the domain.
10.      In the right pane, right-click the GPO folder that you want to modify, and then click Properties.
11.      Click the Security tab, and then click the group in the Group or user names list for which you want to set the access permission.
12.      In the Permissions for Authenticated Users list, under the Deny column, click to select the check box that is next to the Write permission, and then click OK.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

ipsec600Author Commented:
Yes Domain admin group has got full permission, and I tried the above steps but still getting the same error. Event I tried with another domain admin account but still no luck.
0
NinjaStyle82Systems AdministratorCommented:
are any groups the domain admin is a member of explicitly denied on either of these locations?
0
ipsec600Author Commented:
I have checked every settings and did not notice any deny policy set to domain admin account, also I tried to manually add my domain admin account to that policy and security tab of Sysvol folder but still receiving the same error. I have assigned full access to my account to that policy and also in Sysvol folder.
One more thing I am trying to set access permission for my account to every single location manually but \\domain.com\sysvol\domain.com\Policies\policynumber\Machine\Microsoft\WindowsNT\SecEdit\Gpt Tmpl.inf

but while trying to add my domain account account to that folder "Gpt Tmpl.inf" receiving the following error as well:

"Unable to save permission changes on GptTmpl. Access is denied" Not sure is there any relation with this issue as well.
0
McKnifeCommented:
Run procmon and filter for result "access denied". It will tell you what is going on.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ipsec600Author Commented:
Thank you Guys for your support, and apology for replying late.

The issue is fixed now, I have opened a support ticket and MS and the guy run the procmon tool and identified the issue with permission and accordingly provided the appropriate rights on the default domain GUID from the sysvol.

As a case resolution shared with me the following article:

1.       http://technet.microsoft.com/en-us/library/cc787386(WS.10).aspx
2.       http://technet.microsoft.com/en-us/library/cc779838(WS.10).aspx
3.       http://technet.microsoft.com/en-us/library/cc787798(WS.10).aspx
4.       http://technet.microsoft.com/en-us/library/cc737508(WS.10).aspx
0
ipsec600Author Commented:
Thank you Guys for your support and details insight.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.