Access Denied When Trying to Add/Modify GPOs as Domain Admin in Windows Server 2008 R2

Hello, I'm running into a strange issue where I am trying to add a group policy object in Windows Server 2008 R2 as the domain administrator, but it fails with an access denied message. I also tried modifying an existing GPO to see what happens, and get the same error. We have two DCs, and the error happens no matter which one I try it from. I have verified the following so far based on what I've read about this issue:

- Delegation permissions for the domain in Group Policy is set to "Allow" on all items for the Domain Admins group.
- File and folder permissions on the SYSVOL folder and subfolders are set to "Full Control" for Domain Admins.
- File replication is working between both DCs.
- I've adjusted our antivirus (Webroot) to try and prevent it from interfering with SYSVOL.

At this point, I'm not sure what else I can check to try and get this working.
PIMSupport Asked:

Kevin Stanush (Application Developer) Commented:
What tool are you using to perform this action?  Nearly any Windows client that has UAC turned on may require that you run any application "As Administrator" (right click menu, or Shift-right click menu) in order to get full admin rights, regardless of the account you are logged on with.
0
Tom Cieslik (IT Engineer) Commented:
Open your GP Management
Under your domain / Group Policy Object check DELEGATION tab and make sure Domain Admins are listed.
0
Michael Pfister Commented:
Enable logging for the GPMC/GPEdit:
https://blogs.technet.microsoft.com/askds/2015/04/17/a-treatise-on-group-policy-troubleshootingnow-with-gpsvc-log-analysis/

Scroll down to GPEDIT – Group Policy Editor Console Debug Logging and GPMC – Group Policy Management Console Debug Logging
0

PIMSupport (Author) Commented:
I tried to enable logging before I wrote this post, but couldn't get it working. However, I was able to do it this time, and that allowed me to trace out the error. It looks like the permissions I adjusted on the SYSVOL folder on one of the servers didn't take, and that prevented it from creating the new folder for the GPO on that server. I was able to correct that and get this working.
0
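A read-only check for the root cause found above (a SYSVOL permission change that applied on one DC but not the other), added here as an example that is not part of the original thread. The DC names, domain FQDN and group name are placeholders, and only Allow ACEs granted directly to the named group are inspected (Deny ACEs and rights held through other groups are not evaluated).

```powershell
# Placeholders (assumptions): replace with your own DC names, domain and group.
$DomainFqdn        = 'corp.example.com'
$DomainControllers = 'DC01', 'DC02'
$Group             = 'CORP\Domain Admins'
$Needed = [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Get-PolicyFolderAcl {
    param([string]$Server, [string]$Domain, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Right)
    # Address each DC by name; \\domain\SYSVOL would resolve to a single DC.
    $path = "\\$Server\SYSVOL\$Domain\Policies"
    $acl  = Get-Acl -Path $path -ErrorAction Stop
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    # Allow ACEs for the group that apply to the Policies folder itself
    # and include the right needed to create a new GPO folder.
    $allow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.PropagationFlags -band $inheritOnly) -eq 0 -and
        ($_.FileSystemRights -band $Right) -eq $Right
    }
    New-Object PSObject -Property @{
        Server    = $Server
        Path      = $path
        CanCreate = [bool]$allow
        Dacl      = $acl.GetSecurityDescriptorSddlForm('Access')
    }
}

$results = foreach ($dc in $DomainControllers) {
    try   { Get-PolicyFolderAcl $dc $DomainFqdn $Group $Needed }
    catch { Write-Warning "Could not read the ACL on ${dc}: $_" }
}

$results | Format-Table Server, CanCreate, Path -AutoSize

# A DACL that differs between DCs means a permission change did not take everywhere.
$distinct = @($results | Select-Object -ExpandProperty Dacl -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning 'The Policies folder DACL is not identical on all DCs.'
    $results | Format-List Server, Dacl
}
$results | Where-Object { -not $_.CanCreate } | ForEach-Object {
    Write-Warning "$Group has no direct Allow ACE for folder creation on $($_.Server)."
}
```

Run it from an elevated session, since a non-elevated token can be refused access to the SYSVOL ACLs for the UAC reason raised earlier in the thread.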