AD Group Policy Object permissions problems

We have a number of incidents where people cannot amend group policies that they did not create (in a Windows Server 2012 domain).

On these objects, edit is greyed out, even when signed in as a domain administrator.

We are also aiming to give group policy permissions by Active Directory group as opposed to individual users.

I am wondering if there is a specific permission that I can give to the AD group in question that will allow them to edit all group policy objects without having to go through and manually change the permissions on individual objects.

Failing that, is there a quick way to change the permissions across the board and also to set it so those permissions are given as standard when new objects are created?

I appreciate any insight into this problem.


Jon

Asked by FriendlyIT:
Shaun Vermaak (Technical Specialist/Developer) commented:
Set the desired permission with PowerShell:

Import-Module GroupPolicy
$grp = "YourGroupHere"                    # AD group that should be able to edit every GPO
$level = "GpoEditDeleteModifySecurity"    # same level as "Edit settings, delete, modify security" in GPMC
$gpos = Get-GPO -All                      # every GPO in the current domain
foreach ($gpo in $gpos)
{
	$gpname = $gpo.DisplayName
	# Grants the group this permission level on the GPO (the cmdlet updates both the AD object and the SYSVOL folder)
	Set-GPPermissions -Name $gpname -PermissionLevel $level -TargetName $grp -TargetType Group
}

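The loop above grants the level unconditionally and does not show you what the GPOs looked like before or after. The script below is an added example (not from the answer above or from the original page) that audits every GPO for the group's current permission level, applies GpoEditDeleteModifySecurity only where it is missing or lower, and then re-reads the ACL to confirm. It assumes a group named GPO-Editors (a placeholder; substitute your own), the current domain, and an elevated PowerShell session with the RSAT GroupPolicy module installed. Because it only touches GPOs that lack the permission, it can be run again after new GPOs are created to bring them in line, which is one way to cover the "new objects" part of the question without editing each one by hand.

```powershell
# Added example: audit and remediate a group's permission level on all GPOs.
# Assumed names: group 'GPO-Editors'; everything else comes from the current domain.
Import-Module GroupPolicy

$Group = 'GPO-Editors'                      # assumed group name (placeholder)
$Level = 'GpoEditDeleteModifySecurity'      # "Edit settings, delete, modify security" in the GPMC Delegation tab

$report = foreach ($gpo in Get-GPO -All) {
    # Get-GPPermission writes an error when the trustee has no ACE on the GPO at all,
    # so read the whole ACL with -All and filter for the group instead.
    $ace = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Trustee.Name -eq $Group }

    $before = if ($ace) { [string]$ace.Permission } else { 'None' }

    if ($before -ne $Level) {
        # -Replace removes any existing (lower) level for the group before setting the new one,
        # so a stale GpoRead entry does not linger beside the edit permission.
        Set-GPPermission -Guid $gpo.Id -TargetName $Group -TargetType Group `
            -PermissionLevel $Level -Replace | Out-Null
    }

    # Re-read the ACL so the report reflects what is actually on the object now.
    $after = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Trustee.Name -eq $Group } |
        ForEach-Object { [string]$_.Permission }
    if (-not $after) { $after = 'None' }

    [pscustomobject]@{
        GPO     = $gpo.DisplayName
        Id      = $gpo.Id
        Before  = $before
        After   = $after
        Changed = ($before -ne $after)
    }
}

$report | Format-Table -AutoSize

# Anything still not at the requested level after the run needs a closer look
# (typically a GPO whose ACL you are not allowed to modify).
$report | Where-Object { $_.After -ne $Level }
```

Set-GPPermission goes through the same GPMC API as the Delegation tab, so it writes the ACE on the groupPolicyContainer object in AD and on the matching folder under SYSVOL\...\Policies together; that is why it is preferable to editing the two ACLs separately with ADUC and Explorer, where the two can drift apart.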
 
Ayoub Rouzi (CEO & Co-founder) commented:
The fix is actually quite straightforward: all you need to do is give yourself permissions on the AD properties for the Group Policy and on the actual directory where the policies are stored. I borrowed the steps from KB884884.

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, on the View menu, click Advanced Features.
3. In the left pane, expand System, and then click Policies.
4. In the right pane, right-click the GPO folder that you want to modify, and then click Properties.
5. Click the Security tab, and then click the group in the Group or user names list for which you want to set the access permission.
   Note: You may click Add to add a group or a user if the user or group is not in the Group or user names list.
6. In the Permissions for Authenticated Users list, under the Deny column, click to select the check box that is next to the Write permission, and then click OK.
7. On the File menu, click Exit to close the Active Directory Users and Computers window.
8. Click Start, click Run, type explorer.exe, and then click OK.
9. In Windows Explorer, locate and then click the following folder:
   %SystemRoot%\SYSVOL\sysvol\DomainName\Policies
   Note: In this folder name, DomainName is the name of the domain.
10. In the right pane, right-click the GPO folder that you want to modify, and then click Properties.
11. Click the Security tab, and then click the group in the Group or user names list for which you want to set the access permission.
    Note: You may click Add to add a group or a user if the user or group is not in the Group or user names list.
12. In the Permissions for Authenticated Users list, under the Deny column, click to select the check box that is next to the Write permission, and then click OK.
13. Close Windows Explorer.

This should fix the problem. If not, please check this link.
 
FriendlyIT (Author) commented:
Thanks Shaun - that PowerShell was perfect for the current policies, and I will keep a note of it for the future.

Unfortunately Ayoub, on the other hand, did not answer the question properly - it clearly states that this is a 2012 domain, whereas he just copied and pasted something word for word from this page:

https://blogs.technet.microsoft.com/matthewms/2005/10/29/group-policies-and-access-denied/

This information actually relates to Server 2003 and wasn't relevant in this case. A really lazy answer!