The sysvol permissions for one or more GPOs on this domain controller are not in sync with the permissions for the GPOs on the baseline domain

David Pratama Budi Setiawan 1 Reputation point
2020-11-03T07:24:19.057+00:00

Hi we have a problem,
We have 8 DCs (all DCs are Windows Server 2016). We changed the permissions of one GPO on my primary DC, but in GPMC we see an error about the ACL permissions; this is my screenshot: 37082-image.png

When we click "Detect Now", all 8 DCs just stay "in progress". Can anyone help? Does anyone know how to solve this problem?

Thanks


2 answers

  1. Jiří Pavlica 6 Reputation points
    2021-07-05T21:47:04.31+00:00

    Hi,

    This issue has happened to me as well; the problem disappeared after the domain controllers were restarted due to maintenance. Or at least you can try to restart the DFS and DFSR services, as the issue relates to GPO ACLs not replicating to the other domain controllers.

    Another reason for ACLs not being in sync can be a bug where Domain Admins ACEs are duplicated on GPOs. If the GPOs were created before this was fixed by Microsoft, their duplicate ACEs are unchanged.

    In case you see a duplicate ACE "Domain Admins":(OI)(CI)(F) on your GPO using the icacls command, you can fix it by removing the ACE and granting it again:

    icacls "{GPO UID}" /remove:g "<localdomain>\Domain Admins"
    icacls "{GPO UID}" /grant "<localdomain>\Domain Admins":(OI)(CI)(F)

    More information on this: https://social.technet.microsoft.com/Forums/ie/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016

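The answer above describes two conditions behind this GPMC warning: GPO folder ACLs that differ between domain controllers, and a duplicated "Domain Admins" ACE on individual GPO folders. The following PowerShell script is an added example (not code from the thread or from Microsoft) that audits both conditions across every DC's SYSVOL share so you can see which GPO and which DC is out of sync before touching anything with icacls. It assumes the RSAT ActiveDirectory module is installed, that you can read `\\<DC>\SYSVOL` on every DC, and it uses the PDC emulator as the reference copy; the function name `Invoke-GpoAclAudit` is an arbitrary choice for this example. It only reports; it changes no permissions and does not perform the DFSR restore from the other answer.

```powershell
# Added example: audit GPO folder ACLs in SYSVOL across all domain controllers.
# Reports (a) duplicate ACEs on any GPO folder (the "Domain Admins" bug) and
# (b) GPO folders whose explicit ACL differs from the PDC emulator's copy.
# Assumes: RSAT ActiveDirectory module, read access to \\<DC>\SYSVOL on each DC.
# Detection only; nothing is modified.

Import-Module ActiveDirectory

# Flatten an ACL into sorted, comparable strings (one per ACE).
function Get-AceList {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.Access | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}|inherited={5}' -f $_.IdentityReference, $_.FileSystemRights,
            $_.AccessControlType, $_.InheritanceFlags, $_.PropagationFlags, $_.IsInherited
    } | Sort-Object
}

function Invoke-GpoAclAudit {
    $domain   = Get-ADDomain
    $pdc      = $domain.PDCEmulator
    $dcs      = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    $policies = "SYSVOL\$($domain.DNSRoot)\Policies"   # GPO folders live here on every DC

    # Reference ACL per GPO GUID, taken from the PDC emulator.
    $reference = @{}
    Get-ChildItem -Path "\\$pdc\$policies" -Directory | ForEach-Object {
        $reference[$_.Name] = @(Get-AceList -Path $_.FullName)
    }

    foreach ($dc in $dcs) {
        foreach ($gpoDir in Get-ChildItem -Path "\\$dc\$policies" -Directory) {
            $gpoId = $gpoDir.Name          # e.g. {31B2F340-016D-11D2-945F-00C04FB984F9}
            $aces  = @(Get-AceList -Path $gpoDir.FullName)

            # (a) an ACE string appearing twice means an identical duplicate ACE,
            #     which is exactly what the icacls /remove + /grant fix addresses.
            $aces | Group-Object | Where-Object { $_.Count -gt 1 } | ForEach-Object {
                [pscustomobject]@{ DC = $dc; GPO = $gpoId; Finding = 'DuplicateACE'; Detail = $_.Name }
            }

            # (b) drift between this DC's copy and the PDC emulator's copy
            if ($reference.ContainsKey($gpoId)) {
                $diff = Compare-Object -ReferenceObject $reference[$gpoId] -DifferenceObject $aces
                if ($diff) {
                    $detail = ($diff | ForEach-Object { "$($_.SideIndicator) $($_.InputObject)" }) -join '; '
                    [pscustomobject]@{ DC = $dc; GPO = $gpoId; Finding = 'ACLMismatch'; Detail = $detail }
                }
            } else {
                [pscustomobject]@{ DC = $dc; GPO = $gpoId; Finding = 'NotOnPDC'; Detail = 'GPO folder absent on PDC emulator' }
            }
        }
    }
}

# Usage: run from a domain-joined admin workstation; an empty table means all copies agree.
Invoke-GpoAclAudit | Sort-Object GPO, DC | Format-Table -AutoSize
```

In the output, `=>` marks an ACE present only on the DC being checked and `<=` one present only on the PDC emulator's copy; a `DuplicateACE` row names the GPO folder where the icacls remove-and-regrant from the answer applies. Re-run the audit after the fix and after DFSR has had time to replicate, so you can confirm the mismatch rows disappear rather than relying on GPMC's "Detect Now" alone.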

  2. Thameur-BOURBITA 32,831 Reputation points
    2020-11-03T11:38:29.977+00:00

    Hi,

    If the new ACLs are not replicated on all domain controllers, you can perform a non-authoritative restore for sysvol replication.

    force-authoritative-non-authoritative-synchronization

    Please don't forget to mark this reply as the answer if it helps you to fix your issue.

