PIMSupport asked:

Access Denied When Trying to Add/Modify GPOs as Domain Admin in Windows Server 2008 R2

Hello, I'm running into a strange issue where I am trying to add a group policy object in Windows Server 2008 R2 as the domain administrator, but it fails with an access denied message. I also tried modifying an existing GPO to see what happens, and got the same error. We have two DCs, and the error happens no matter which one I try it from. I have verified the following so far based on what I've read about this issue:

- Delegation permissions for the domain in Group Policy are set to "Allow" on all items for the Domain Admins group.
- File and folder permissions on the SYSVOL folder and subfolders are set to "Full Control" for Domain Admins.
- File replication is working between both DCs.
- I've adjusted our antivirus (Webroot) to try and prevent it from interfering with SYSVOL.

At this point, I'm not sure what else I can check to try and get this working.
Kevin Stanush

What tool are you using to perform this action?  Nearly any Windows client that has UAC turned on may require that you run any application "As Administrator" (right click menu, or Shift-right click menu) in order to get full admin rights, regardless of the account you are logged on with.
Tom Cieslik

Open your GP Management.
Under your domain / Group Policy Object, check the DELEGATION tab and make sure Domain Admins are listed.
Michael Pfister

This solution is only available to members.
PIMSupport

I tried to enable logging before I wrote this post, but couldn't get it working. However, I was able to do it this time, and that allowed me to trace out the error. It looks like the permissions I adjusted on the SYSVOL folder on one of the servers didn't take, and that prevented it from creating the new folder for the GPO on that server. I was able to correct that and get this working.
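
The resolution above came down to the SYSVOL permissions differing between the two DCs. As an added example (not part of the original thread), this PowerShell script reads the ACL on each DC's own copy of the Policies folder and lists the entries that differ; the names `DC1`, `DC2` and `example.local` are placeholders to replace with your own.

```powershell
# Added example, not from the thread. Server and domain names are placeholders.
$DomainFqdn = 'example.local'   # assumption: your AD domain FQDN
$Dcs        = @('DC1', 'DC2')   # assumption: your two domain controllers

function Get-PoliciesAce {
    param([string]$Server, [string]$Domain)
    # Read the ACL through the DC's own SYSVOL share, so each server's local copy is checked.
    $path = "\\$Server\SYSVOL\$Domain\Policies"
    try {
        $acl = Get-Acl -Path $path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL on ${path}: $($_.Exception.Message)"
        return
    }
    # Flatten each access control entry into comparable string/boolean fields.
    foreach ($ace in $acl.Access) {
        New-Object PSObject -Property @{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType.ToString()
            Rights    = $ace.FileSystemRights.ToString()
            Inherited = $ace.IsInherited
        }
    }
}

$ref  = @(Get-PoliciesAce -Server $Dcs[0] -Domain $DomainFqdn)
$diff = @(Get-PoliciesAce -Server $Dcs[1] -Domain $DomainFqdn)

if ($ref.Count -eq 0 -or $diff.Count -eq 0) {
    Write-Warning 'ACL could not be read from one or both DCs; nothing to compare.'
} else {
    $delta = Compare-Object $ref $diff -Property Identity, Type, Rights, Inherited
    if ($delta) {
        # '<=' : entry exists only on the first DC; '=>' : only on the second DC.
        $delta | Sort-Object Identity |
            Format-Table SideIndicator, Identity, Type, Rights, Inherited -AutoSize
    } else {
        "Policies folder ACLs match on $($Dcs -join ' and ')."
    }
}
```

Run it from an elevated PowerShell session with an account that can read both shares; any row in the output is a permission entry present on one DC but not the other.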