We have 4 DC's all in the same site. With regard to the DC on which the edit was performed, that I don't know. I will test the permission thing though and get back to you because I thought that should work as well. Bob -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Rick Mack Sent: Friday, September 03, 2004 4:27 PM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: GPO Permissions Hi Bob, "Should" work. :-( Try changing permissions on a policy and watch the policy folder permissions change accordingly. How many domain controllers do you have? Is dsa/gpedit connected to the same DC where you changed permissions? Regards, Rick Ulrich Mack Volante Systems 18 Heussler Terrace, Milton 4064 Queensland, Australia tel +61 7 32467704 rmack@xxxxxxxxxxxxxx -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Robert Barrett Sent: Friday, 3 September 2004 12:42 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] Re: GPO Permissions I tried just changing the perms on the Sysvol copy of the GPO and it did not work. I will however, deny the apply setting in the future. Thanks for the reply. Bob Barrett FVSD#52 _____ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Rick Mack Sent: Wednesday, September 01, 2004 6:20 PM To: thin@xxxxxxxxxxxxx Subject: RE: [THIN] GPO Permissions Hi Robert, The access permissions you're playing with are in large just file access permissions, at least when you deny access. If you look at the properties of your TS policy, will see it's get its unique "name", (eg {5BF1F1C5-31A7-4AA7-9F87-2A7ACAB64FFE}). Write down the first 5-6 digits. Now go to %logonserver%\sysvol\%your_AD_domain_name%\policies. You'll see a whole bunch of folders with what look like classids. Each one is a group policy in your domain. If you highlight the folder with the same name as your TS policy and look at its security properties, you'll be able to re-enable domain admin access. In future though, its far less dangerous to just to either untick the "Apply Group Policy" box or tick the deny "Apply Group Policy" box for user groups that don't want the policy applied. regards, Rick Ulrich Mack Volante Systems _____ From: thin-bounce@xxxxxxxxxxxxx on behalf of Robert Barrett Sent: Thu 2/09/2004 3:13 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] GPO Permissions Okay I think we have screwed up big time and I am hoping someone can help me fix it. We enabled loopback processing on the GPO for our TS boxes. To prevent the admins from getting the policy we denied permissions to the domain admins group. I had read somewhere that it was the way to prevent the policy from being applied to the admins. Anyway my worst fears were realized when I tried to edit said GPO, denied! Listed as inaccessible. Is there any way for me to reset the permissions and be able to edit this policy again without deleting it and starting over (not even sure I can delete it)? Help Robert Barrett MCSE, CCA Enterprise Administrator robertb@xxxxxxxxxx Phone: (780) 927-3766 Fax: (780) 926-3037 http://www.fvsd.ab.ca <http://www.fvsd.ab.ca/> ######################################################################## ############# This e-mail, including all attachments, may be confidential or privileged. Confidentiality or privilege is not waived or lost because this email has been sent to you in error. If you are not the intended recipient any use, disclosure or copying of this email is prohibited. If you have received it in error please notify the sender immediately by reply email and destroy all copies of this email and any attachments. All liability for direct and indirect loss arising from this email and any attachments is hereby disclaimed to the extent permitted by law. ######################################################################## ############# ######################################################################## ############# This e-mail, including all attachments, may be confidential or privileged. Confidentiality or privilege is not waived or lost because this email has been sent to you in error. If you are not the intended recipient any use, disclosure or copying of this email is prohibited. If you have received it in error please notify the sender immediately by reply email and destroy all copies of this email and any attachments. All liability for direct and indirect loss arising from this email and any attachments is hereby disclaimed to the extent permitted by law. ######################################################################## ############# ******************************************************** This Weeks Sponsor triCerat: Have you had your fill of printing support calls, unauthorized apps running on unsecured Terminal Servers, profile headaches, and application performance problems? Join us and learn how you can have a less demanding on-demand enterprise! http://www.tricerat.com/?page=ents#register ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm ******************************************************** This Weeks Sponsor triCerat: Have you had your fill of printing support calls, unauthorized apps running on unsecured Terminal Servers, profile headaches, and application performance problems? Join us and learn how you can have a less demanding on-demand enterprise! http://www.tricerat.com/?page=events#register ********************************************************** Useful Thin Client Computing Links are available at: http://thin.net/links.cfm *********************************************************** For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thin.net/citrixlist.cfm