JSI Tip 8872. When running GPMC on a Windows Server 2003 that you upgraded from Windows 2000, you receive 'The Enterprise Domain Controllers group does not have read access to this GPO'?
January 4, 2005
The GPMC (Group Policy Management Console) issues the following warning:
The Enterprise Domain Controllers group does not have read access to this GPO. The Enterprise Domain Controllers group must have read access on all GPOs in the domain in order for Group Policy Modeling to function properly. To learn more about this issue and how you can correct it, click Help.
When you upgrade a Windows 2000 server to Windows Server 2003, the Enterprise Domain Controllers group is NOT granted Read permission on the existing Group Policies.
NOTE: New Group Policies are properly ACLed.
To resolve this issue:
1. Open a CMD.EXE window.
2. Type cd /d "%programfiles%\gpmc\scripts" and press Enter.
3. Type Cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /Permission:Read /Domain:JSIINC.COM and press Enter, replacing JSIINC.COM with your domain.
4. You receive:
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Warning! By executing this script, all GPOs in the target domain will be
updated with the desired security setting.
Both the Active Directory and Sysvol portions of the GPO will be updated.
This will result in the Sysvol contents of every GPO being copied to all
replica domain controllers, and may cause excessive replication traffic
in your domain.
If you have slow network links or restricted bandwidth between your domain
controllers, you should check the amount of data on the Sysvol that would
be replicated before performing this task.
Do you want to proceed? [Y/N]
5. When you type Y, you receive information like:
Updated GPO 'Default Domain Policy' to 'Read' for Enterprise Domain Controllers
Updated GPO 'Default Domain Controllers Policy' to 'Read' for Enterprise Domain Controllers
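A read-only check to run before step 3 (to see how many GPOs the script will touch and replicate) and again after step 5 (to confirm none remain), as an added example that is not part of the original tip. It assumes a management host with the GroupPolicy PowerShell module, which ships with later GPMC/RSAT versions than the Windows Server 2003 GPMC described here; JSIINC.COM is the tip's sample domain.

```powershell
# Added example: audits GPO ACLs only, changes nothing.
# Assumption: GroupPolicy module is available (RSAT or Windows Server 2008 R2 and later).
Import-Module GroupPolicy

$Domain = 'JSIINC.COM'   # replace with your domain, as in step 3

# Well-known SID of the Enterprise Domain Controllers group.
# Matching on the SID avoids problems with localized or differently cased names.
$EdcSid = 'S-1-5-9'

# GPMC permission levels that include Read access to the GPO.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$missing = foreach ($gpo in Get-GPO -All -Domain $Domain) {
    # List every entry on the GPO and filter locally, so a GPO with no
    # entry for the group yields an empty result instead of an error.
    $entry = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
        Where-Object {
            $_.Trustee.Sid.Value -eq $EdcSid -and
            $ReadLevels -contains [string]$_.Permission
        }

    if (-not $entry) {
        # This GPO would trigger the GPMC warning quoted above.
        $gpo | Select-Object DisplayName, Id, ModificationTime
    }
}

if ($missing) {
    Write-Output ("{0} GPO(s) lack Read for Enterprise Domain Controllers:" -f @($missing).Count)
    $missing | Sort-Object DisplayName | Format-Table -AutoSize
} else {
    Write-Output 'All GPOs grant Read to Enterprise Domain Controllers.'
}
```

GPOs created after the upgrade should not appear in the list, since new Group Policies are ACLed correctly.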