AD Group Policy Object permissions problems

We have a number of incidents where people cannot amend group policies that they did not create (in a Windows Server 2012 domain).

On these objects, edit is greyed out, even when signed in as a domain administrator.

We are also aiming to give group policy permissions by Active Directory group as opposed to individual users.

I am wondering if there is a specific permission that I can give to the AD group in question that will allow them to edit all group policy objects without having to go through and manually change the permissions on individual objects.

Failing that, is there a quick way to change the permissions across the board and also to set it so those permissions are given as standard when new objects are created?

I appreciate any insight into this problem.


Jon
FriendlyIT (Infrastructure Team) asked:
Ayoub Rouzi, CEO & CoFounder, commented:
The fix is actually quite straightforward: all you need to do is give yourself permissions on the AD properties for the Group Policy and on the actual directory where the policies are stored. I borrowed the steps from KB884884.

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, on the View menu, click Advanced Features.
3. In the left pane, expand System, and then click Policies.
4. In the right pane, right-click the GPO folder that you want to modify, and then click Properties.
5. Click the Security tab, and then click the group in the Group or user names list for which you want to set the access permission.
   Note: You may click Add to add a group or a user if the user or group is not in the Group or user names list.
6. In the Permissions for Authenticated Users list, under the Deny column, click to select the check box that is next to the Write permission, and then click OK.
7. On the File menu, click Exit to close the Active Directory Users and Computers window.
8. Click Start, click Run, type explorer.exe, and then click OK.
9. In Windows Explorer, locate and then click the following folder:
   %SystemRoot%\SYSVOL\sysvol\DomainName\Policies
   Note: In this folder name, DomainName is the name of the domain.
10. In the right pane, right-click the GPO folder that you want to modify, and then click Properties.
11. Click the Security tab, and then click the group in the Group or user names list for which you want to set the access permission.
    Note: You may click Add to add a group or a user if the user or group is not in the Group or user names list.
12. In the Permissions for Authenticated Users list, under the Deny column, click to select the check box that is next to the Write permission, and then click OK.
13. Close Windows Explorer.

This should fix the problem. If not, please check this link.
Shaun Vermaak, Technical Specialist IV, commented:
Set the desired permission with PowerShell:

Import-Module GroupPolicy

# Group that should be able to edit every GPO, and the level to grant it
$grp   = "YourGroupHere"
$level = "GpoEditDeleteModifySecurity"

# Walk every GPO in the domain and grant the group the same permission level
$gpos = Get-GPO -All
foreach ($gpo in $gpos)
{
    $gpname = $gpo.DisplayName
    Set-GPPermission -Name $gpname -PermissionLevel $level -TargetName $grp -TargetType Group
}


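As an added example (not part of Shaun's answer), the same loop turned into an audit-first check: it reports which GPOs do not yet grant the group the required level and only changes them when -Remediate is given. It assumes the RSAT GroupPolicy module is installed and uses a placeholder group name.

```powershell
# Added example: audit every GPO for a group's permission level and, with
# -Remediate, raise it to GpoEditDeleteModifySecurity. Requires the RSAT
# GroupPolicy module; the group name below is a placeholder.
Import-Module GroupPolicy

function Test-GpoGroupPermission {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,   # e.g. 'GPO-Editors' (placeholder)
        [string]$RequiredLevel = 'GpoEditDeleteModifySecurity',
        [switch]$Remediate
    )

    foreach ($gpo in Get-GPO -All) {
        # Get-GPPermission writes an error (and returns nothing) when the trustee
        # has no ACE on the GPO, so treat "no result" as "no permission".
        $current = Get-GPPermission -Guid $gpo.Id -TargetName $GroupName `
                       -TargetType Group -ErrorAction SilentlyContinue
        $level = if ($current) { [string]$current.Permission } else { 'None' }
        $compliant = ($level -eq $RequiredLevel)

        if (-not $compliant -and $Remediate -and
            $PSCmdlet.ShouldProcess($gpo.DisplayName, "grant $RequiredLevel to $GroupName")) {
            # -Replace swaps the group's existing ACE instead of stacking a second one
            Set-GPPermission -Guid $gpo.Id -TargetName $GroupName -TargetType Group `
                -PermissionLevel $RequiredLevel -Replace | Out-Null
            $level = $RequiredLevel
            $compliant = $true
        }

        # One row per GPO; Owner helps explain GPOs whose ACL was never widened
        [pscustomobject]@{
            Gpo       = $gpo.DisplayName
            Owner     = $gpo.Owner
            Level     = $level
            Compliant = $compliant
        }
    }
}

# Report first, then fix with confirmation of each change:
# Test-GpoGroupPermission -GroupName 'GPO-Editors' | Where-Object { -not $_.Compliant }
# Test-GpoGroupPermission -GroupName 'GPO-Editors' -Remediate -WhatIf
```

Set-GPPermission only touches GPOs that exist when it runs, so re-run (or schedule) the audit after new GPOs are created.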

FriendlyIT (Infrastructure Team), Author, commented:
Thanks Shaun - that PowerShell was perfect for the current policies and I will keep a note of it for the future.

Unfortunately, Ayoub, on the other hand, did not answer the question properly - it clearly states that this is a 2012 domain, whereas he just copied and pasted something word for word from this page -

https://blogs.technet.microsoft.com/matthewms/2005/10/29/group-policies-and-access-denied/

This information actually relates to Server 2003 and wasn't relevant in this case. A really lazy answer!