Avatar of PIMSupport
 asked on

Access Denied When Trying to Add/Modify GPOs as Domain Admin in Windows Server 2008 R2

Hello, I'm running into a strange issue where I am trying to add a group policy object in Windows Server 2008 R2 as the domain admnistrator, but it fails with an access denied message. I also tried modifying an existing GPO to see what happens, and get the same error. We have two DCs, and the error happens no matter which one I try it from. I have verified the following so far based on what I've read about this issue:

- Delegation permissions for the domain in Group Policy is set to "Allow" on all items for the Domain Admins group.
- File and folder permissions on the SYSVOL folder and subfolders are set to "Full Control" for Domain Admins.
- File replication is working between both DCs.
- I've adjusted our antivirus (Webroot) to try and prevent it from interfering with SYSVOL.

At this point, I'm not sure what else I can check to try and get this working.
Windows Server 2008Active Directory

Avatar of undefined
Last Comment

8/22/2022 - Mon
Kevin Stanush

What tool are you using to perform this action?  Nearly any Windows client that has UAC turned on may require that you run any application "As Administrator" (right click menu, or Shift-right click menu) in order to get full admin rights, regardless of the account you are logged on with.
Tom Cieslik

Open you GP Management
Under your domain / Group Policy Object check DELEGATION tab and make sure Domain Admins are listed.
Michael Pfister

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

I tried to enable logging before I wrote this post, but couldn't get it working. However, I was able to do it this time, and that allowed me to trace out the error. It looks like the permissions I adjusted on the SYSVOL folder on one of the servers didn't take, and that prevented it from creating the new folder for the GPO on that server. I was able to correct that and get this working.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes