cannot ammend Default domain policy (password maximum age) - get an error - access denied

Question

cannot ammend Default domain policy (password maximum age) - get an error - access denied

dej 6

Hi all,

I am trying to amend our default domain policy. I have been able to do this previously on our 2012 DC, but since then we have created a new 2016 DC.
Every time I try to amend the default domain policy I get an

Access denied message
Failed to Save
*****GptTmpl.inf make sure you have the right permissions to the object.

I have switched off AV on the server but still getting the same issue.

Any guidance appreciated.

Anonymous

2020-08-28T02:41:17.837+00:00

Hi,
Welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.

Best Regards,
Anonymous

2020-08-31T06:38:52.907+00:00

Hi，
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,

1 answer

Your answer

Anonymous

2020-08-28T02:41:17.837+00:00

Hi,
Welcome to share your current situation if there are any updates.
Please feel free to let us know if you need further assistance.

Best Regards,
Anonymous

2020-08-31T06:38:52.907+00:00

Hi，
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,

Answer 1

Hi，
The error happened only for the default domain policy or all the policies?
When you added the new DC, did you confirm the health status , you can run the following commands :
Dcdiag /v >c:\dcdiag1.log
Repadmin /showrepl >C:\repl.txt
Repadmin /showreps *
Repadmin /syncall /APeD

If the new DC is good and it was only for the default domain policy , i would suggest you check the permission ,by the following way：

Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
In the Active Directory Users and Computers window, on the View menu, click Advanced Features.
In the left pane, expand System, and then click Policies.
In the right pane, right-click the GPO folder that you want to modify, and then clickProperties.
Click the Security tab, and then click the group in the Group or user names list for which you want to set the access permission.
In the Permissions for Authenticated Users list，check if the authenticated users have the read,write, and apply permission.
Then check ,In Windows Explorer, locate and then click the following folder:
%SystemRoot%\SYSVOL\sysvol\<var>DomainName</var>\Policies
Note In this folder name, <var>DomainName</var> is the name of the domain.
In the right pane, right-click the GPO folder that you want to modify, and then clickProperties.
Click the Security tab, and then click the group in the Group or user names list for which you want to set the access permission.
Compare the permissions on the file and on the folder with your working GPOs.

Best Regards,

dej 6 Reputation points

2020-08-25T11:04:34.997+00:00

thank you for your time/answer
I have now set authenticated users to have write permissions, and Enterprise Admins to have full control but i am now seeing the following error
Anonymous

2020-08-26T00:02:26.883+00:00

Hi,
Did you compare the permissions on the file and on the folder with your working GPOs?The permissions are different on the Default domain policy and other GPOs,right?If possible ,please share a screenshot of that .(Please hide the private information)
Is the new dc working well ?(result of the command dcdiag /v )
Did you try to change modify the permission with the domain admins or other users?

Best Regards,

Share via

cannot ammend Default domain policy (password maximum age) - get an error - access denied

1 answer

Your answer