Access Denied When Trying to Add/Modify GPOs as Domain Admin in Windows Server 2008 R2

PIMSupport
Hello, I'm running into a strange issue where I am trying to add a group policy object in Windows Server 2008 R2 as the domain administrator, but it fails with an access denied message. I also tried modifying an existing GPO to see what happens, and get the same error. We have two DCs, and the error happens no matter which one I try it from. I have verified the following so far based on what I've read about this issue:

- Delegation permissions for the domain in Group Policy are set to "Allow" on all items for the Domain Admins group.
- File and folder permissions on the SYSVOL folder and subfolders are set to "Full Control" for Domain Admins.
- File replication is working between both DCs.
- I've adjusted our antivirus (Webroot) to try and prevent it from interfering with SYSVOL.

At this point, I'm not sure what else I can check to try and get this working.

Kevin Stanush, Application Developer

Commented:
What tool are you using to perform this action?  Nearly any Windows client that has UAC turned on may require that you run any application "As Administrator" (right click menu, or Shift-right click menu) in order to get full admin rights, regardless of the account you are logged on with.
Tom Cieslik, IT Engineer
Distinguished Expert 2017

Commented:
Open your GP Management
Under your domain / Group Policy Object check DELEGATION tab and make sure Domain Admins are listed.
Enable logging for the GPMC/GPEdit:
https://blogs.technet.microsoft.com/askds/2015/04/17/a-treatise-on-group-policy-troubleshootingnow-with-gpsvc-log-analysis/

Scroll down to GPEDIT – Group Policy Editor Console Debug Logging and GPMC – Group Policy Management Console Debug Logging

Author

Commented:
I tried to enable logging before I wrote this post, but couldn't get it working. However, I was able to do it this time, and that allowed me to trace out the error. It looks like the permissions I adjusted on the SYSVOL folder on one of the servers didn't take, and that prevented it from creating the new folder for the GPO on that server. I was able to correct that and get this working.
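
The resolution above came down to SYSVOL permissions that were in place on one DC but not the other. As an added example (not part of the original thread), the following PowerShell reads the ACL of the Policies folder on each DC by name and flags any difference; the DC names and domain are placeholders, and the "Full Control for Domain Admins" check mirrors what the author says they configured.

```powershell
# Added example. DC names and domain are placeholders, not values from the thread.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),  # placeholder DC names
    [string]$DomainFqdn = 'example.local',              # placeholder domain
    [string]$Group = 'Domain Admins'
)

$full = [System.Security.AccessControl.FileSystemRights]::FullControl

$results = foreach ($dc in $DomainControllers) {
    # Address each DC by name; \\<domain>\SYSVOL only reaches whichever DC answers.
    $path = "\\$dc\SYSVOL\$DomainFqdn\Policies"
    try {
        $acl = Get-Acl -Path $path -ErrorAction Stop
        # Allow entries for the group, explicit and inherited
        $rules = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -like "*\$Group"
        })
        $hasFull = $false
        foreach ($r in $rules) {
            if (($r.FileSystemRights -band $full) -eq $full) { $hasFull = $true }
        }
        New-Object PSObject -Property @{
            DC          = $dc
            Owner       = $acl.Owner
            GroupRights = ($rules | ForEach-Object { $_.FileSystemRights }) -join '; '
            FullControl = $hasFull
            Dacl        = $acl.GetSecurityDescriptorSddlForm('Access')
            Error       = $null
        }
    } catch {
        # An unreadable path is itself a finding, so record it instead of stopping
        New-Object PSObject -Property @{
            DC = $dc; Owner = $null; GroupRights = $null
            FullControl = $false; Dacl = $null; Error = $_.Exception.Message
        }
    }
}

$results | Select-Object DC, Owner, FullControl, GroupRights, Error | Format-Table -AutoSize

# A DACL that differs between DCs is the condition the author describes above
$distinct = @($results | Where-Object { $_.Dacl } | Group-Object Dacl)
if ($distinct.Count -gt 1) {
    Write-Warning "Policies folder DACL differs between DCs:"
    $results | Select-Object DC, Dacl | Format-List
}
```

Run it from an elevated session, since (as noted earlier in the thread) UAC can withhold full admin rights from a non-elevated process.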
