[gptalk] Re: GPO Delegation problems.

  • From: "Mike Johnston" <mijohnst@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Wed, 5 Dec 2007 10:07:13 -0600

Thanks for the help Darren!  I'm going go try this out and I'll let you know
the outcome... :)

On Dec 3, 2007 8:54 AM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:

>  You probably somehow removed all the permissions on the GPO. What you
> have to do is take ownership of the GPC object in AD. So, first thing you
> need is the GUID of the GPO in question. Since it's the DDP, its got a
> well-known GUID, which makes it easy. The best way to do this is to bring up
> ADSIEdit, and navigate to CN=Policies,CN=System in your domain. Then, on the
> right hand-side, you will like see a container object that starts with
> {31B…--That's the DDP. It will also likely look different than the other
> containers in that folder because the permission issues cause it to not be
> correctly viewed in ADSIEdit. What you need to do is right-click it, go into
> Properties, Security,Advanced and take ownership of that object. Once you do
> that, close the object and then re-open it and you should see at least
> Administrators in the ACL. Once you've done that, then you can go back into
> GPMC, into the Delegation tab for that GPO and modify the permissions as you
> normally would.
> HTH,
> Darren
> *From:* gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Mike Johnston
> *Sent:* Saturday, December 01, 2007 8:39 PM
> *To:* gptalk@xxxxxxxxxxxxx
> *Subject:* [gptalk] GPO Delegation problems.
> I don't know what I did or how to fix it... I hope someone here knows...
> lol
> I was using the Group Policy Management Snap-in to modify the GPO for a
> domain that I was working on and something happened.  I don't know what I
> changed, but now when I go down the "Default Domain Policy" I get an
> "Access
> is Denied" message.  When I click on the "Delegations" tab it gives me
> that
> same error and then the entire tab is just solid gray.  I've even tried
> logging in as the one Administrator account for the domain but I have the
> same problem.  My account is a Domain Administrator, Enterprise
> Administrator and Schema Admin.  I just want to know how I can gain back
> the
> access for Domain Admins to delegate the policy.  I have no idea what I
> did
> because I don't remember saying yes to anything that would cause this.
>  I'm
> also very surprised the GPO would let me make a change like that also.
> Anyone have any ideas?  Thanks for the help!

Other related posts: