Group Policies and Access Denied

One technology in Active Directory that I am extremely passionate about is Group Policy, and I would love to write some more articles on it, but I want to make sure I publish topics that are of interest to you. So if you would like to see more on Group Policy, please comment on this blog entry and let me know what you want to see. This entry is based on emails I have gotten about administrators being denied access to their Group Policies. Enjoy!

All right, so you just watched my 14-part webcast series on Group Policy. You are all excited and starting to test the policies, and as the administrator you are thinking of all the wonderful things you can limit on your users' desktops. You are also very aware that as administrator you are above the policy settings; it is good to be the king. So you decide to make sure the policies do not apply to you: you use the wonderful deny permissions and deny all for the administrator.

Then you click OK and go about your daily rounds. Later you decide to implement even more settings, so you go back to the Group Policy Management Console and you get this message: ACCESS DENIED! Then you realize that the deny all permissions are very good at what they do. I will also tell you I have seen this same problem surface when you try to run ADPREP and DOMAINPREP on a 2000 system you are going to upgrade. The log entry for that is fairly specific as well: “Adprep was unable to complete because the call back function (null) failed. [Status/Consequence]Error message: Windows cannot set new permissions for Group Policy Object Directory”

So then the question becomes: what now, and how do I fix it?

The fix is actually quite straightforward: all you need to do is give yourself permissions on the AD properties for the Group Policy and on the actual directory where the policies are stored. I borrowed the steps from KB884884.

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers window, on the View menu, click Advanced Features.
3. In the left pane, expand System, and then click Policies.
4. In the right pane, right-click the GPO folder that you want to modify, and then click Properties.
5. Click the Security tab, and then click the group in the Group or user names list for which you want to set the access permission. Note: You may click Add to add a group or a user if the user or group is not in the Group or user names list.
6. In the Permissions for Authenticated Users list, under the Deny column, click to select the check box that is next to the Write permission, and then click OK.
7. On the File menu, click Exit to close the Active Directory Users and Computers window.
8. Click Start, click Run, type explorer.exe, and then click OK.
9. In Windows Explorer, locate and then click the following folder: %SystemRoot%\SYSVOL\sysvol\DomainName\Policies. Note: In this folder name, DomainName is the name of the domain.
10. In the right pane, right-click the GPO folder that you want to modify, and then click Properties.
11. Click the Security tab, and then click the group in the Group or user names list for which you want to set the access permission. Note: You may click Add to add a group or a user if the user or group is not in the Group or user names list.
12. In the Permissions for Authenticated Users list, under the Deny column, click to select the check box that is next to the Write permission, and then click OK.
13. Close Windows Explorer.

This should fix the problem. The article also mentions a hotfix that I have not tried yet; the workaround has always solved my problem.
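
To see which GPOs carry Deny entries before opening each Security tab by hand, the two places touched in the steps above (the GPO object under System\Policies and its folder under SYSVOL\...\Policies) can be listed in one pass. This is an added example, not part of the original post or of KB884884; it assumes the RSAT ActiveDirectory module on a domain-joined machine, and `Get-DenyAce` is a hypothetical helper name.

```powershell
# Added example: report Deny ACEs on every GPO, both in AD and in SYSVOL.
# Assumption: RSAT ActiveDirectory module is installed; run from a domain-joined host.
Import-Module ActiveDirectory

function Get-DenyAce {
    param([string]$Path, [string]$Location, [string]$Gpo)
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # An unreadable ACL is itself a finding: it is what "deny all"
        # applied to your own account looks like from the inside.
        return [pscustomobject]@{
            Gpo = $Gpo; Location = $Location
            Identity = '(ACL unreadable)'; Rights = $_.Exception.Message
        }
    }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        # AD ACEs expose ActiveDirectoryRights; file ACEs expose FileSystemRights.
        $rights = if ($Location -eq 'AD') { $ace.ActiveDirectoryRights }
                  else { $ace.FileSystemRights }
        [pscustomobject]@{
            Gpo = $Gpo; Location = $Location
            Identity = $ace.IdentityReference.Value; Rights = "$rights"
        }
    }
}

$domain = Get-ADDomain
$base   = "CN=Policies,CN=System,$($domain.DistinguishedName)"
# Enumerate from AD rather than GPMC so a GPO you cannot open is still listed.
$gpcs = Get-ADObject -SearchBase $base -SearchScope OneLevel `
    -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName

$findings = foreach ($gpc in $gpcs) {
    # displayName may be unreadable on a locked-out GPO; fall back to the GUID name.
    $label = if ($gpc.displayName) { $gpc.displayName } else { $gpc.Name }
    Get-DenyAce -Path "AD:\$($gpc.DistinguishedName)" -Location 'AD' -Gpo $label
    $folder = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$($gpc.Name)"
    Get-DenyAce -Path $folder -Location 'SYSVOL' -Gpo $label
}
$findings | Sort-Object Gpo, Location | Format-Table -AutoSize
```

A row that appears for only one of the two locations means the AD object and the SYSVOL folder are out of step, which is why the steps above repeat the same change in both places.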