Share via

Admin users unable to edit GPOs on the domain

HUGHES, RYAN 0 Reputation points
2025-10-22T09:20:24.0166667+00:00

I have some admin users who are unable to edit GPO settings. I have delegated the correct rights to them in GPM console, and confirmed this on the SYSVOL/Policies folder. I have also manually added them to have full edit rights on the individual GPOs they need.

Troubleshooting so far:

  1. Delegated rights from ADUC to allow modification of policy objects
  2. Provided full rights to enable the modification on each GPO
  3. Checked advanced permissions via sysvol/policies and confirmed as expected

I have some error messages too, mainly access denied errors.

I have also confirmed there are no replication issues or significant lag between sites, so I can rule that out too.

Any help would be greatly appreciated!

Windows for business | Windows Server | Directory services | Active Directory
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Joseph Tran 3,885 Reputation points Independent Advisor
    2025-10-22T10:01:12.5566667+00:00

    Hi, There

    As I knew, if your admins still get Access Denied editing GPOs after delegation, it’s usually one of these:

    • Editing the wrong DC: GPMC writes to the PDC Emulator. In GPMC: Domain > Right-click > Change Domain Controller > select the PDC. From their PC, make sure they can open \\<PDC>\SYSVOL\<domain>\Policies\{GPO-GUID}.
    • Missing the right permission level: Give them “Edit settings, delete, modify security” (not just “Edit settings”) on the GPO.
    • A hidden Deny ACE: In GPMC (Delegation > Advanced) or ADSI Edit on the GPO object, remove any Deny.
    • Central Store vs GPO folder: Editors need Modify on each Policies\{GUID} folder on the PDC. Central Store doesn’t require write.
    • Ownership/old GPOs: “Group Policy Creator Owners” only helps for GPOs they create. For existing ones, grant the permission above or take ownership first.
    • Default GPOs: Prefer a new GPO for domain/DC settings. If you must edit defaults, ensure the permission level above and no Deny.
    • Run as Domain Admin on the PDC
    $grp='DOMAIN\GPO-Editors'
Get-GPO -All | % { Set-GPPermissions -Guid $_.Id -TargetName $grp -TargetType Group -PermissionLevel GpoEditDeleteModifySecurity }

    But if it still fails

    • Try a new test GPO with the same user.
    • Check logs: Event Viewer > Microsoft > Windows > GroupPolicy > Operational on the client; DFSR/File Server logs on the PDC.
    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.