Thursday, June 17, 2010

Group Policy Object Permissions

It was reported to me that our desktop management group had experienced a sudden loss of permissions to a number of Group Policy objects. An access-denied message would be shown when attempting to edit the policy. As a domain admin I could also reproduce the error. The Delegation tab of the policy looked correct. I used the Group Policy Management Tool to note down the GUID of one of the offending policies and went out to the domain controller. The NTFS permissions on the GUID folder (under SYSVOL/DOMAIN/POLICIES) also seemed correct.

With help from Microsoft it was determined that something had happened to the file structure under the GUID folder. There should be (amongst other things) a MACHINE folder and a USER folder. If the offending GPO is a workstation GPO, the USER folder should still be there EVEN IF IT'S EMPTY. Likewise, if the policy is a user GPO, the MACHINE folder should still be there EVEN IF IT'S EMPTY. If both folders are not present, you will not be able to edit the object. Perhaps somebody decided that the empty folders could be cleaned up, or maybe this was corruption. Creating the empty folders where they were missing fixed the issue.

Now, of course, if it's a workstation policy and the MACHINE folder is missing then the data is gone. The same is true for a missing USER folder in a user policy. Do backups!
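The check described above, as an added PowerShell example that is not part of the original post: it walks every GUID-named folder under the SYSVOL Policies share, reports any that lack a Machine or User subfolder, and recreates the missing empty folder. The share path (`corp.example.com` is a placeholder for your domain's DNS name) and the optional lookup of the GPO display name through the GroupPolicy RSAT module's `Get-GPO` cmdlet are assumptions; the two required folder names and the fix itself come from the post.

```powershell
# Added example (not from the original post). Audits each GPO folder under SYSVOL
# for the Machine and User subfolders that must both exist, and recreates any that
# are missing. Assumed path: the default SYSVOL layout; 'corp.example.com' is a
# placeholder for the domain's DNS name. Run with -WhatIf first to only report.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$PoliciesPath = "\\corp.example.com\SYSVOL\corp.example.com\Policies"
)

$required = @('Machine', 'User')

# GPO folders are named by their GUID in braces, e.g. {31B2F340-016D-11D2-945F-00C04FB984F9}
$gpoFolders = Get-ChildItem -Path $PoliciesPath -Directory |
    Where-Object { $_.Name -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$' }

# Best-effort mapping from GUID folder to GPO display name (assumes the GroupPolicy
# RSAT module is installed; falls back to the GUID if it is not).
function Get-GpoLabel([string]$GuidName) {
    try {
        $gpo = Get-GPO -Guid ($GuidName.Trim('{', '}')) -ErrorAction Stop
        return "$GuidName ($($gpo.DisplayName))"
    } catch {
        return $GuidName
    }
}

$missingCount = 0
foreach ($gpo in $gpoFolders) {
    foreach ($sub in $required) {
        $target = Join-Path -Path $gpo.FullName -ChildPath $sub
        if (Test-Path -LiteralPath $target -PathType Container) {
            continue
        }
        # A missing subfolder is the condition that produced the access-denied error:
        # report it, then recreate the empty folder (it inherits the GUID folder's ACL).
        $missingCount++
        Write-Warning "$(Get-GpoLabel $gpo.Name): missing '$sub' folder"
        if ($PSCmdlet.ShouldProcess($target, 'Create empty folder')) {
            New-Item -Path $target -ItemType Directory | Out-Null
        }
    }
}

Write-Output ("Checked {0} GPO folders, {1} missing subfolder(s) found." -f $gpoFolders.Count, $missingCount)
```

Run it from an elevated PowerShell session as a domain admin, against the PDC emulator so the fix replicates outward through SYSVOL. The recreated folder only restores the ability to open the GPO in the editor; as the post says, if the folder that held the policy's actual settings was the one that went missing, those settings are gone and only a backup brings them back.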

