Score:0

WinServer2016 - Access Denied when adding or changing a GPO

pt flag

I have inherited a network whose GPOs are damaged, the SYSVOL folder shows signs of tampering with the NTFS permissions and folder structure manually, and I am unable to add/edit any GPOs, I receive an "Access Denied" error and the only entry in eventvwr I can find looks like an app crash for the mmc plugin. From timestamps it is clear this hasn't worked for 4+years.

  • I have performed a D2 and D4 restore separately, this did not resolve the issue. auth restore img
  • I have confirmed delegation permissions on the domain were modified, I reset them to default. Domain permission delegation img
  • Group Policy Object permissions are still modified from original, couldn't figure out how to reset these to default: Group Policy Object Permissions img
  • There are no existing GPOs I have to worry about.
  • There are 3 Server 2016 DCs.
  • I attempted to add NTFS permissions to C:\Windows\Sysvol and sub folders individually to give my domain admin account full control. Still no change.
  • gpupdate seems to work fine, I just can't add or edit policies from any DC

At this time I cannot create or edit GPOs, but client machines gpupdate successfully. What else can I do to be able to edit GPOs again?

Score:0
pt flag

If anyone else runs into this in the future. Some numbskull renamed the sysvol folder on the PDC... fixing that fixed everything else.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.