Group Policy object - Inaccessible?

[Christine Cruz]

Hello,

I did something really stupid. I accidentally changed the Read permissions
to Deny for (I think) all authenticated users for the default Group Policy.
I meant to change the permissions for just one user. Now, I cannot access
the group policy - it just says "Inaccessible". Does anyone know of a way I
can gain access to this again?

Thanks!
Christine

[Mark Heitbrink [MVP]]

Hi,

Christine Cruz schrieb:

You can use dsacls.exe
http://support.microsoft.com/kb/294257/en-us

The GUID of the DDP is:
{31B2F340-016D-11D2-945F-00C04FB984F9}
and DDCP:
{6AC1786C-016F-11D2-945F-00C04fB984F9}

You can use adsiedit.msc aswell or dsa.msc -> View -> extended (advanced?)
and then you will find the Policies in \system\policies
There you will find the familiar tab "security" on the properties of the
GPO. But I think dsacls will do this job more easily, because the KB
article will guide you ;-)

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english

[Christine Cruz]

Thanks for the reply Mark. I was able to run the commands described in the
kb artible - thanks. However, when go into A/D and drill down to the Policy,
The policy type is unkown for {31b2f340-016d-11d2-945f-00c04fb984f9}. I can
get into the security tab and change the permissions, but in the General and
Object tabs, the following message is displayed:

"The Active Directory object could not be displayed.
Unable to view attribute or value. You may not have permissions to view
this object."

I set the permissions so that, as an administrator (Domain Admins), I have
full controll of the object.

Any ideas?

Thanks so much!

[Christine Cruz]

If it helps - I posted a screen shot of my A/D here:
http://www.webstaurantstore.com/adpolicyimg.jpg

[Mark Heitbrink [MVP]]

Hi,

Christine Cruz schrieb:

> Thanks for the reply Mark. I was able to run the commands described in the
> kb artible - thanks. However, when go into A/D and drill down to the Policy,
> The policy type is unkown for {31b2f340-016d-11d2-945f-00c04fb984f9}.

Is your Domain Controller allowed to read it?

Default Security Settings:
Auth.USers : Read + Apply
Domain-Admins : "All" but Full + Apply
Domain Controller : Read
Org Admins: Same as Domain-Admins
System : Domain-Admins

[Christine Cruz]

I reset so that they do and copied the permissions to all child objects - but
it still is of type unknown.

[Mark Heitbrink [MVP]]

Christine Cruz schrieb:

> I reset so that they do and copied the permissions to all child objects - but
> it still is of type unknown.

Can you Backup the GPO by using GPMC?
Or did you try to reset all settings?
-> dcgpofix.exe on a 2003 system
-> recreatedefpol.exe on a 2000

[Christine Cruz]

I just tried to run dcgpofix /target:domain. I get the following error:

"Could not open the active directory object
LDAP://CN={31b2f340-016d-11d2-945f-00c04fb984f9},CN=Policies,CN=System,DC=mydomain,DC=com
The restore failed. See previous message for more details"

[Mark Heitbrink [MVP]]

Hi,

Christine Cruz schrieb:

> I just tried to run dcgpofix /target:domain. I get the following error:

2003 R2? -> dcgpofix /target:domain /ignoreschema

[Christine Cruz]

I get the same error...

[Mark Heitbrink [MVP]]

Christine Cruz schrieb:

> I get the same error...

Strange. Can you delete it and create it new?
But prior to delete it: do you get any errors inside eventlog?
Is there a replication problem between 2 or more DCs?