We help IT Professionals succeed at work.

Access Denied When Trying to Add/Modify GPOs as Domain Admin in Windows Server 2008 R2

Last Modified: 2018-05-24
Hello, I'm running into a strange issue where I am trying to add a group policy object in Windows Server 2008 R2 as the domain admnistrator, but it fails with an access denied message. I also tried modifying an existing GPO to see what happens, and get the same error. We have two DCs, and the error happens no matter which one I try it from. I have verified the following so far based on what I've read about this issue:

- Delegation permissions for the domain in Group Policy is set to "Allow" on all items for the Domain Admins group.
- File and folder permissions on the SYSVOL folder and subfolders are set to "Full Control" for Domain Admins.
- File replication is working between both DCs.
- I've adjusted our antivirus (Webroot) to try and prevent it from interfering with SYSVOL.

At this point, I'm not sure what else I can check to try and get this working.
Watch Question

Kevin StanushApplication Developer

What tool are you using to perform this action?  Nearly any Windows client that has UAC turned on may require that you run any application "As Administrator" (right click menu, or Shift-right click menu) in order to get full admin rights, regardless of the account you are logged on with.
Tom CieslikIT Superintendent
Distinguished Expert 2017

Open you GP Management
Under your domain / Group Policy Object check DELEGATION tab and make sure Domain Admins are listed.
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)


I tried to enable logging before I wrote this post, but couldn't get it working. However, I was able to do it this time, and that allowed me to trace out the error. It looks like the permissions I adjusted on the SYSVOL folder on one of the servers didn't take, and that prevented it from creating the new folder for the GPO on that server. I was able to correct that and get this working.