I tried just changing the perms on the Sysvol copy of the GPO and it did not work. I will however, deny the apply setting in the future. Thanks for the reply. Bob Barrett FVSD#52 ________________________________ From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Rick Mack Sent: Wednesday, September 01, 2004 6:20 PM To: thin@xxxxxxxxxxxxx Subject: RE: [THIN] GPO Permissions Hi Robert, The access permissions you're playing with are in large just file access permissions, at least when you deny access. If you look at the properties of your TS policy, will see it's get its unique "name", (eg {5BF1F1C5-31A7-4AA7-9F87-2A7ACAB64FFE}). Write down the first 5-6 digits. Now go to %logonserver%\sysvol\%your_AD_domain_name%\policies. You'll see a whole bunch of folders with what look like classids. Each one is a group policy in your domain. If you highlight the folder with the same name as your TS policy and look at its security properties, you'll be able to re-enable domain admin access. In future though, its far less dangerous to just to either untick the "Apply Group Policy" box or tick the deny "Apply Group Policy" box for user groups that don't want the policy applied. regards, Rick Ulrich Mack Volante Systems ________________________________ From: thin-bounce@xxxxxxxxxxxxx on behalf of Robert Barrett Sent: Thu 2/09/2004 3:13 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] GPO Permissions Okay I think we have screwed up big time and I am hoping someone can help me fix it. We enabled loopback processing on the GPO for our TS boxes. To prevent the admins from getting the policy we denied permissions to the domain admins group. I had read somewhere that it was the way to prevent the policy from being applied to the admins. Anyway my worst fears were realized when I tried to edit said GPO, denied! Listed as inaccessible. Is there any way for me to reset the permissions and be able to edit this policy again without deleting it and starting over (not even sure I can delete it)? Help Robert Barrett MCSE, CCA Enterprise Administrator robertb@xxxxxxxxxx Phone: (780) 927-3766 Fax: (780) 926-3037 http://www.fvsd.ab.ca <http://www.fvsd.ab.ca/> ######################################################################## ############# This e-mail, including all attachments, may be confidential or privileged. Confidentiality or privilege is not waived or lost because this email has been sent to you in error. If you are not the intended recipient any use, disclosure or copying of this email is prohibited. If you have received it in error please notify the sender immediately by reply email and destroy all copies of this email and any attachments. All liability for direct and indirect loss arising from this email and any attachments is hereby disclaimed to the extent permitted by law. ######################################################################## #############