I have taken over administration of a Windows 2008 R2 domain and something I have noticed is that in group policies there are 3 policies that say Inaccessible and have a no entry sign over the icons for them. It says This GPO is inaccessible because you
do not have read-level permission on it.
However I am logged onto the domain controller as the domain Admin and still getting that error. I have tried logging onto the server as every other user that has access to log onto the server but still getting that same message. Also tried accessing it from
a user computer logged on as a admin.
Is there any way I can see which user would have access to these GPO's? Or is there a way I can take ownership of them?
Group policy Inaccessible
August 8th, 2012 1:42pm
Following discussion might help
Diagnosing why a Group Policy Object is inaccessible
http://serverfault.com/questions/224357/diagnosing-why-a-group-policy-object-is-inaccessible
Free Windows Admin Tool Kit Click here and download it now
August 8th, 2012 3:22pm
I tried changing the permissions using ADSI edit. However no difference.
I did manage to get 1 of the policies to show in GPMC though by going into the SYSvol\domain\policies and setting the permissions to give me access there. The one that worked did give me a access denied message but then after I clicked ok it went though. However the rest of the inaccessible ones are not following suit and just say access denied when I try change the folder permissions.
August 8th, 2012 4:10pm
I tried changing the permissions using ADSI edit. However no difference.
I did manage to get 1 of the policies to show in GPMC though by going into the SYSvol\domain\policies and setting the permissions to give me access there. The one that worked did give me a access denied message but then after I clicked ok it went though. However the rest of the inaccessible ones are not following suit and just say access denied when I try change the folder permissions.
An excerpt from the link mentioned above...
If ADSIEDIT won't allow you to modify the permissions (probably displaying an oddball error message like "An invalid directory pathname was passed") then likely someone placed a "Deny / Full Control" permission onto the object. The dsacls command with the arguments CN=GUID-OF-THE-PROBLEMATIC-GPO,CN=Policies,CN=System,DC=your,DC=domain,DC=com will report the permissions. Search for the errant "Deny" and "FULL CONTROL" entry and use the /R user-or-group-namme parameter on dsacls to remove the permissions associated with that user or group. If it's really messed up then you'll probably have to use the Windows Server 2008 ADAM / AD LDS version of dscals with the /takeownership argument to take ownership of the object).
Free Windows Admin Tool Kit Click here and download it now
August 8th, 2012 4:15pm
Hi Santosh,
Thanks for the work around. It worked for me..
Really great.
March 17th, 2015 3:36am
This really worked for me...
Thanks.
An excerpt from the link mentioned above...
If ADSIEDIT won't allow you to modify the permissions (probably displaying an oddball error message like "An invalid directory pathname was passed") then likely someone placed a "Deny / Full Control" permission onto the object. The dsacls command with the arguments CN=GUID-OF-THE-PROBLEMATIC-GPO,CN=Policies,CN=System,DC=your,DC=domain,DC=com will report the permissions. Search for the errant "Deny" and "FULL CONTROL" entry and use the /R user-or-group-namme parameter on dsacls to remove the permissions associated with that user or group. If it's really messed up then you'll probably have to use the Windows Server 2008 ADAM / AD LDS version of dscals with the /takeownership argument to take ownership of the object).
Free Windows Admin Tool Kit Click here and download it now
March 17th, 2015 3:37am
This topic is archived. No further replies will be accepted.
Other recent topics
