JSI Tip 3823. Domain Administrators group fails to open a Group Policy Object?
June 20, 2001
A member of the Domain Administrators group receives the following error when they try to open a GPO:
Inaccessible GPO - Access Denied..
If you try to open the Properties of the GPO, you receive:
Group Policy Error:
Failed to open the Group Policy Object. You may not have appropriate rights.
The above errors indicate that the Domain Administrators group has been denied access to the GPO.
If no group has permissions, you will need to restore from a backup. If an account has permission:
1. Log on with an account that has permission to restore the permissions on the GPO.
2. Run ADSIEdit.msc on the PDC emulator.
NOTE: To find the PDC emulator, use Active Directory Users and Computers to right-click the domain and press Operations Masters and select the PDC tab.
NOTE: Install the Windows 2000 Support Tools from the SupportTools folder on the Windows 2000 Server CD-ROM on the PDC emulator.
3. In ADSIEdit, press Domain NC. Expand the domain through CN=System and CN=Policies. The right-hand pane lists the GUIDs for the GPOs in the domain.
4. The restricted policy is displayed with a Notepad icon, instead of a folder icon. Record the distinguished name, like cn={f5e14b83-0181-437e-878c-8d16cb945d68},cn=policies,cn=system,dc=jsiinc,dc=com.
5. Use DSACLS to remove the Deny Access permission:
dsacls cn={f5e14b83-0181-437e-878c-8d16cb945d68},cn=policies,cn=system,dc=jsiinc,dc=com /R "jsiinc\Domain Admins"
6. Use Windows Explorer on the PDC emulator to navigate to the %Systemroot%\Sysvol\Sysvol\Domain_name\Policies folder.
7. Right-click the GUID for the restricted GPO and press Properties. On the Security tab, grant the Domain Administrators group Full Control. Make sure that the subfolders are properly set.
8. Log off.
9. Log on as a member of the Domain Administrators group and open/edit the previously restricted GPO.
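To confirm the result of steps 5 and 7, the following PowerShell check (an added example, not part of the original tip) lists any remaining Deny entries for the group on the GPO's directory object and any SYSVOL folder under the GPO that lacks an Allow Full Control entry. It assumes the ActiveDirectory module is installed, that the domain's DNS name is jsiinc.com, and that it is run on the PDC emulator by an account that can read the GPO's permissions.

```powershell
# Added example, not from the original tip. Requires the ActiveDirectory
# module (RSAT), which provides the AD: drive used by Get-Acl below.
Import-Module ActiveDirectory

# GUID, domain and group are the tip's sample values; substitute your own.
$gpoGuid  = '{f5e14b83-0181-437e-878c-8d16cb945d68}'
$domainDn = 'dc=jsiinc,dc=com'
$dnsName  = 'jsiinc.com'            # assumed: DNS name matching $domainDn
$group    = 'jsiinc\Domain Admins'

$adPath = "AD:\cn=$gpoGuid,cn=policies,cn=system,$domainDn"
$gpoDir = Join-Path $env:SystemRoot "Sysvol\Sysvol\$dnsName\Policies\$gpoGuid"
$full   = [System.Security.AccessControl.FileSystemRights]::FullControl

# Step 5 check: Deny ACEs for the group still on the GPO's directory object.
$adDeny = @((Get-Acl -Path $adPath).Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $group
})

# Step 7 check: the GPO folder and every subfolder must carry an Allow
# Full Control ACE for the group, and no Deny ACE.
$folders = @(Get-Item -LiteralPath $gpoDir) +
           @(Get-ChildItem -LiteralPath $gpoDir -Directory -Recurse)
$badFolders = foreach ($f in $folders) {
    $aces  = (Get-Acl -LiteralPath $f.FullName).Access |
             Where-Object { $_.IdentityReference.Value -eq $group }
    $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })
    $allow = @($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    })
    if ($deny.Count -gt 0 -or $allow.Count -eq 0) { $f.FullName }
}

"Deny ACEs on GPO object: $($adDeny.Count)"
$adDeny | Format-Table ActiveDirectoryRights, ObjectType, IsInherited -AutoSize
"SYSVOL folders needing attention: $(@($badFolders).Count)"
$badFolders
```

Both counts should be zero once the permissions are repaired; any folder path printed at the end still needs its Security tab corrected as in step 7.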