FriendlyIT

AD Group Policy Object permissions problems

We have a number of incidents where people cannot amend group policies that they did not create (in a Windows Server 2012 domain).

On these objects, edit is greyed out, even when signed in as a domain administrator.

We are also aiming to give group policy permissions by Active Directory group as opposed to individual users.

I am wondering if there is a specific permission that I can give to the AD group in question that will allow them to edit all group policy objects without having to go through and manually change the permissions on individual objects.

Failing that, is there a quick way to change the permissions across the board and also to set it so those permissions are given as standard when new objects are created?

I appreciate any insight into this problem.


Jon
Ayoub Rouzi

The fix is actually quite straightforward: all you need to do is give yourself permissions to the AD properties for the Group Policy and the actual directory where the policies are stored. I borrowed the steps from KB884884.

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, on the View menu, click Advanced Features.
3. In the left pane, expand System, and then click Policies.
4. In the right pane, right-click the GPO folder that you want to modify, and then click Properties.
5. Click the Security tab, and then click the group in the Group or user names list for which you want to set the access permission.
   Note: You may click Add to add a group or a user if the user or group is not in the Group or user names list.
6. In the Permissions for Authenticated Users list, under the Deny column, click to select the check box that is next to the Write permission, and then click OK.
7. On the File menu, click Exit to close the Active Directory Users and Computers window.
8. Click Start, click Run, type explorer.exe, and then click OK.
9. In Windows Explorer, locate and then click the following folder:
   %SystemRoot%\SYSVOL\sysvol\DomainName\Policies
   Note: In this folder name, DomainName is the name of the domain.
10. In the right pane, right-click the GPO folder that you want to modify, and then click Properties.
11. Click the Security tab, and then click the group in the Group or user names list for which you want to set the access permission.
    Note: You may click Add to add a group or a user if the user or group is not in the Group or user names list.
12. In the Permissions for Authenticated Users list, under the Deny column, click to select the check box that is next to the Write permission, and then click OK.
13. Close Windows Explorer.

This should fix the problem. If not, please check this link.
ASKER CERTIFIED SOLUTION
Shaun Vermaak
FriendlyIT
ASKER

Thanks Shaun, that PowerShell was perfect for the current policies and I will keep a note of it for the future.

Unfortunately, Ayoub, on the other hand, did not answer the question properly: it clearly states that this is a 2012 domain, whereas he just copied and pasted something word for word from this page:

https://blogs.technet.microsoft.com/matthewms/2005/10/29/group-policies-and-access-denied/

This information actually related to Server 2003 and wasn't relevant in this case. A really lazy answer!
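The across-the-board permission change the asker requested, scripted with the GroupPolicy module's Get-GPO, Get-GPPermission and Set-GPPermission cmdlets. This is an added example, not the PowerShell Shaun posted (which is not reproduced on this page) and not part of Ayoub's steps; the group name GPO-Editors is a placeholder, and it assumes the GroupPolicy module is installed and the session runs as a domain admin.

```powershell
# Added example (not from any answer on this page): grant one AD group edit
# rights on every existing GPO in the domain, as the asker requested.
# Assumptions: the GroupPolicy module (RSAT/GPMC) is installed and the session
# runs as a domain admin; 'GPO-Editors' is a placeholder group name.
Import-Module GroupPolicy

$GroupName  = 'GPO-Editors'   # placeholder, replace with your editors group
$EditLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Get-GroupGpoPermission {
    # Returns the group's permission level on one GPO, or 'None' when absent.
    # Get-GPPermission errors when the trustee has no entry, hence the silence.
    param([guid]$GpoId, [string]$TargetGroup)
    $p = Get-GPPermission -Guid $GpoId -TargetName $TargetGroup -TargetType Group `
        -ErrorAction SilentlyContinue
    if ($p) { return [string]$p.Permission } else { return 'None' }
}

function Grant-GpoEditToGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$TargetGroup)
    foreach ($gpo in Get-GPO -All) {
        $current = Get-GroupGpoPermission -GpoId $gpo.Id -TargetGroup $TargetGroup
        if ($current -in $EditLevels) {
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Before = $current; Action = 'AlreadySet' }
            continue
        }
        # GpoEdit covers both places the manual steps above touch: the
        # groupPolicyContainer object in AD and the GPO's SYSVOL folder,
        # without granting delete or modify-security rights.
        if ($PSCmdlet.ShouldProcess($gpo.DisplayName, "Grant GpoEdit to $TargetGroup")) {
            $null = Set-GPPermission -Guid $gpo.Id -TargetName $TargetGroup `
                -TargetType Group -PermissionLevel GpoEdit
            [pscustomobject]@{ Gpo = $gpo.DisplayName; Before = $current; Action = 'Granted' }
        }
    }
}

# Dry run first (prints "What if:" for each change), then apply.
Grant-GpoEditToGroup -TargetGroup $GroupName -WhatIf
Grant-GpoEditToGroup -TargetGroup $GroupName | Format-Table -AutoSize

# Verify: any GPO where the group still lacks edit rights is listed here.
Get-GPO -All |
    Where-Object { (Get-GroupGpoPermission -GpoId $_.Id -TargetGroup $GroupName) -notin $EditLevels } |
    Select-Object DisplayName, Id
```

Defaults for newly created GPOs are not changed by this: they come from the defaultSecurityDescriptor of the groupPolicyContainer class in the AD schema, so re-running the script after new GPOs are created is the lower-risk way to cover the asker's second request.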