Access Denied: Recovering Write Permissions to GPOs
If a malicious employee has changed GPO permissions to deny administrators write access, you can use the GUI to reset those permissions.
September 14, 2003
I'm taking over for an administrator who was fired. I can log on to the domain as Administrator, but I can't open the domain's Group Policy Objects (GPOs). When I select a GPO at the domain root or on an organizational unit's (OU's) Group Policy tab, the Edit button is disabled. I've checked group membership and everything else I can think of, but to no avail. What's the problem?
Your predecessor might have maliciously changed the permissions on the GPOs. In the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, select a GPO, click Properties (rather than Edit), then click the Security tab. Typical GPO permissions give the Domain Admins group write access. If you find that the previous administrator changed those permissions and denied Administrators write access, you can fix the problem.
Domain Admins can change permissions from the Properties window after they've been denied write access. Click the General tab and copy the GPO's globally unique identifier (GUID), which appears in the Unique name field (see Figure 1). Close the Properties window, return to the Active Directory Users and Computers snap-in, expand the System container, and select the Policies folder. (If you don't see this container, click View on the menu bar and select Advanced Features.) Active Directory (AD) stores the GPO containers in this folder. Look for the GUID that represents the GPO in question, right-click the associated object, and open its Properties sheet. Click the Security tab and correct the permissions. By default, Domain Admins and Enterprise Admins should have Read, Write, Create All Child Objects, and Delete All Child Objects access.
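The same check can be scripted across every GPO instead of opening each Properties sheet by hand. The following is an added example, not code from the original column: it reads the ACL of each groupPolicyContainer under CN=Policies,CN=System, reports every Deny entry, and with -Fix removes only the explicit Deny entries that target Domain Admins or Administrators. It assumes the ActiveDirectory PowerShell module (for the AD: drive) and a session that is still allowed to change permissions on those objects.

```powershell
# Added example (not from the original column). Audits Deny ACEs on all GPO
# containers and optionally removes the ones aimed at the admin groups.
# Assumption: ActiveDirectory module is available and the caller can Set-Acl.
param([switch]$Fix)

Import-Module ActiveDirectory
$domainDN  = (Get-ADDomain).DistinguishedName
$policies  = "CN=Policies,CN=System,$domainDN"
# Compare by SID so a renamed group is still recognised.
$adminSids = @(
    (Get-ADGroup 'Domain Admins').SID.Value,
    (Get-ADGroup 'Administrators').SID.Value
)

$gpcs = Get-ADObject -SearchBase $policies -SearchScope OneLevel `
    -Filter 'objectClass -eq "groupPolicyContainer"' -Properties displayName

foreach ($gpo in $gpcs) {
    $path   = "AD:\$($gpo.DistinguishedName)"
    $acl    = Get-Acl -Path $path
    $denies = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    $changed = $false

    foreach ($ace in $denies) {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        $targetsAdmins = $adminSids -contains $sid

        # Emit one report row per Deny entry; Deny is sometimes legitimate
        # (e.g. security filtering), so nothing is removed without -Fix.
        [pscustomobject]@{
            GPO           = $gpo.displayName
            GUID          = $gpo.Name          # the Unique name from the GUI
            Trustee       = $ace.IdentityReference.Value
            Rights        = $ace.ActiveDirectoryRights
            Inherited     = $ace.IsInherited
            TargetsAdmins = $targetsAdmins
        }

        if ($Fix -and $targetsAdmins -and -not $ace.IsInherited) {
            [void]$acl.RemoveAccessRule($ace)
            $changed = $true
        }
    }

    if ($changed) { Set-Acl -Path $path -AclObject $acl }
}
```

The GPO's SYSVOL folder carries its own ACL; after correcting the AD object, open the GPO in the GUI so the two are brought back in sync.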