[gptalk] Re: GPO Delegation problems.

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 3 Dec 2007 06:54:17 -0800

You probably somehow removed all the permissions on the GPO. What you have
to do is take ownership of the GPC object in AD. So, first thing you need is
the GUID of the GPO in question. Since it's the DDP, its got a well-known
GUID, which makes it easy. The best way to do this is to bring up ADSIEdit,
and navigate to CN=Policies,CN=System in your domain. Then, on the right
hand-side, you will like see a container object that starts with
{31B.--That's the DDP. It will also likely look different than the other
containers in that folder because the permission issues cause it to not be
correctly viewed in ADSIEdit. What you need to do is right-click it, go into
Properties, Security,Advanced and take ownership of that object. Once you do
that, close the object and then re-open it and you should see at least
Administrators in the ACL. Once you've done that, then you can go back into
GPMC, into the Delegation tab for that GPO and modify the permissions as you
normally would.






From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Mike Johnston
Sent: Saturday, December 01, 2007 8:39 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO Delegation problems.


I don't know what I did or how to fix it... I hope someone here knows... lol

I was using the Group Policy Management Snap-in to modify the GPO for a
domain that I was working on and something happened.  I don't know what I 
changed, but now when I go down the "Default Domain Policy" I get an "Access
is Denied" message.  When I click on the "Delegations" tab it gives me that
same error and then the entire tab is just solid gray.  I've even tried 
logging in as the one Administrator account for the domain but I have the
same problem.  My account is a Domain Administrator, Enterprise
Administrator and Schema Admin.  I just want to know how I can gain back the

access for Domain Admins to delegate the policy.  I have no idea what I did
because I don't remember saying yes to anything that would cause this.  I'm
also very surprised the GPO would let me make a change like that also. 
Anyone have any ideas?  Thanks for the help! 

Other related posts: