?
Solved

GPO Access denied in AD

Posted on 2016-10-05
12
Medium Priority
?
96 Views
Last Modified: 2016-10-06
Hello, I have a windows 2008 SBS server and I get GPO Access Denied wihen I try to open the group policy.  I am logged in as the Domain Administrator.

When I am in the GPO application I can see the delegation and it looks like all the other GPOs that I can access.  It shows Domain Admins as FULL control

I used dsacls to give access to domain admins and enterprise domains

What else can I do to get access?
0
Comment
Question by:tucktech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
  • 2
12 Comments
 
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 41829950
If you run gpresult /h C:\gpreport.html will you see any reason for the GPO Access denied?
Can you upload gpreport.html for us?

Or you can't open Group Policy Management Console (GPMC)? I think you also installed MS16-072 \ KB3163622?
Note by default that the “Authenticated Users” must have “Read” and “Apply Group Policy” on all Group Policy Objects in an Active Directory Domain.
https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
0
 

Author Comment

by:tucktech
ID: 41830214
see upload....
gpreporta.html
0
 
LVL 6

Accepted Solution

by:
sAMAccountName earned 2000 total points
ID: 41830459
Make sure you run it from an "Administrator" powershell
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 41830671
@tucktech
Do you use security filtering in GPO's?
0
 

Author Comment

by:tucktech
ID: 41831038
sAMAccountName, run "what" from powershell?

hopeleonie, did you see attachment I sent?
0
 
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 41831275
@tucktech
Yes and we see:
Access Denied (Security Filtering)

Do you want it so?
0
 

Author Comment

by:tucktech
ID: 41831541
no, I don't believe so...   I want to get access through domain administrator and I want the policies to apply some should be filtered (If I am understanding correctly not applied to every system) but I should have access to make changes.
0
 
LVL 19

Expert Comment

by:*** Hopeleonie ***
ID: 41831822
Check Security Filtering in the following GPO's:

- Update Services Server Computers Policy
- Update Services Client Computers Policy
- Windows SBS User Policy

http://tutorial.programming4.us/image/1103/Elements%20of%20Group%20Policy_5.jpg

Also check WMI Filtering in the following GPO's:
- Windows SBS CSE Policy

https://robertpearman.files.wordpress.com/2011/08/44.png
0
 

Author Comment

by:tucktech
ID: 41832066
Hello hopeleonie,

Here is what I have under the Security Filtering Sections:
 Update Services Server Computers Policy
               - Servers listed
     
- Update Services Client Computers Policy
               - Security filtering for Authenticated Users and a lot of computers listed...

- Windows SBS User Policy
              - specific user (administrator ID that is not used)
0
 

Author Comment

by:tucktech
ID: 41832078
Oh..
 - Windows SBS User Policy
    shows "Windows SBS Client",  under the WMI Filtering

When I click on the button in the WMI Filtering section it shows
   Windows SBS CSE Policy
  Windows SBS User Policy
0
 

Author Closing Comment

by:tucktech
ID: 41832098
I right clicked on Group Policy Management and "ran as administrator" and I had access.  Yahoo!
0
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41832211
@tucktech:

Sorry for not being clearer on my suggestion.  I just saw you had asked for clarification.  Glad you found a solution!
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
Here's a look at newsworthy articles and community happenings during the last month.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question