This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
i upgraded domain controller from windows server 2008 to 2012. i have two domain controllers. the first dri-ad fsmo holder and the secondary dri--dcro. the domain functional level is windows server 2012. i have problem with editing and deleting group policies from the group policy management. every time i recevied message access denied. in tab status i have unaccessable server like picture
i used next commands
icacls "{BE4C985C-5027-41DE-B775-8371CFC1E206}" /remove:g "dri\Domain Admins"
icacls "{BE4C985C-5027-41DE-B775-8371CFC1E206}" /grant "dri\Domain Admins":(OI)(CI)(F)
repadmin /syncall
repadmin /syncall /APed
on specific policy, but nothing
in AD users and computers in system>policies i checked permissions and domain admins has next permissions
enterprise domain admins has full permissions. my account is member of those groups. Also i noticed next permissions for everyone account
when remove on everyone deny permission i can delete policy from the group policy managment. how resolve ths problem.
i deleted the everyone group from old group policy objects and when i click on status tab on domain in the group policy management. i receive:
i tryed restore permissions on group policy object but everytime the permission are resetting
Hi @gogi100 ,
Have a look at this post on how to troubleshoot GPO permissions issues - https://nettools.net/gpo-explorer-gpo-test-details/
Gary.
i tested all group policy objects, all ok but the default domain policy has two problems:
If you have file mismatches, then the replication between the DCs could be an issue, try adding a test file to the policy and see if that is replicated, also check the event logs for errors and you might need to force a dfsr re-sync.
Gary.
try adding a test file to the policy and see if that is replicated
on the default domain policy that has a problem i add test file?
Yep and see if it gets replicated, if it's does replicated, run the test again and see if that fixes the problem.
Gary.
i tested default domain policy in the nettools and the error exists on default domain policy, but the other policies are ok.
DC: dri-ad.dri.local
GPO Name: Default Domain Policy
Created: 1/21/2011 1:57:42 PM
Changed: 11/1/2022 11:38:38 AM
DS Version: 1(user) \ 115(machine)
Sysvol Version: 1(user) \ 115(machine)
GP Status: 0
GPE Version: 2
User Extensions: [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine Extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
Sysvol Path: \dri.local\sysvol\dri.local\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}
DS User Object Count: 1
DS Machine Object Count: 1
SV User File Count: 10
SV User File Size: 10400
SV Machine File Count: 0
SV Machine File Size: 0
Applies to: S-1-5-11
S-1-5-21-3433641461-923192373-1833595427-515
DC: DRI-DCRO.dri.local
GPO Name: Default Domain Policy
Created: 1/21/2011 1:57:42 PM
Changed: 11/1/2022 11:38:53 AM
DS Version: 1(user) \ 115(machine)
Sysvol Version: 1(user) \ 115(machine)
GP Status: 0
GPE Version: 2
User Extensions: [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine Extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
Sysvol Path: \dri.local\sysvol\dri.local\Policies{31B2F340-016D-11D2-945F-00C04FB984F9}
DS User Object Count: 1
DS Machine Object Count: 1
SV User File Count: 9
SV User File Size: 3330
SV Machine File Count: 0
SV Machine File Size: 0
Applies to: S-1-5-11
S-1-5-21-3433641461-923192373-1833595427-515
What happened when you added the test file to the policy and do you have any errors in the event log?
i resolved problem. i copied from the dri-ad sysvol/policies folder to the dri-dcro sysvol/policies manually. the problem expired. thank's