Permissions in GPO for SYSVOL folder inconsistent with those in AD


  • Permissions in GPO for SYSVOL folder inconsistent with those in AD

    One account that I'm administering has Windows 2000 Mixed mode. They have three sites, 5 DC. We have 2000 server SP4, three are Windows 2003 SP2 servers and one is R2 SP2.
    All is working properly.

    I'm getting a strange error when I use GPMC and access the Domain Controller GPO:



    I looked for support at the following link:
    http://support.microsoft.com/default...b;en-us;828760

    Everything is working correctly: no errors in the event log on the DCs, clients are working properly, all is in place.

    Has anybody experienced this problem?
    It's not causing me any trouble. Any ideas how to approach this problem?
    Where could I hit a dead end here?
    What is the worst-case scenario?

  • #2
    Re: Permissions in GPO for SYSVOL folder inconsistent with those in AD

    And the share/security permissions on said folder are the same as other servers? Does this happen on one DC or all?


    • #3
      Re: Permissions in GPO for SYSVOL folder inconsistent with those in AD

      I got the same message on all DCs; permissions on SYSVOL look the same on all DCs.
      The only thing I noticed is that in one of the SYSVOL subdirectories, where the directories are named by the SID of the GPO, the DCGP has slightly different permissions from all the other GPs.

      DCGP permissions in SYSVOL:
      Administrators - Full Control
      Authenticated Users - Read and Execute
      Creator Owner - Special
      Enterprise Domain Controllers - Read and Execute
      Group Policy Creator Owner - Read and Execute
      Server Operators - Read and Execute
      System - Full Control

      Permissions on other GP in SYSVOL subdirectories are:
      Authenticated Users - Read and Execute
      Creator Owner - Special
      Domain Admins - Full Control
      Enterprise Admins - Full Control
      Enterprise Domain Controllers - Read and Execute
      System - Full Control



      • #4
        Re: Permissions in GPO for SYSVOL folder inconsistent with those in AD

        Typically, once you click OK it needs to fix the error.
        Does it happen on the same GPO object more than once?

        The error means that the GPO in the AD does not match the version number on the GPO folder in the SYSVOL, or the permissions on the object do not match the permissions on the folder in the SYSVOL for this GPO (it happens many times when you restore a GPO folder to the SYSVOL). Clicking "OK" usually fixes that problem.
        If this doesn't help, then try to open that GPO in the GPMC and just update/make a change on the GPO; that would usually fix it.
        Once you update the GPO it would also update the folder in the SYSVOL, and that would also update the version on the SYSVOL to match the AD version of the object.
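
The two mismatches described in reply #4, as an added example that is not part of the original thread and is not how GPMC itself performs the check. It assumes the GPO's AD `versionNumber` has already been read and is passed in as an integer, and it uses the trustee list reply #3 gives for the other GPO folders as the baseline; the function names and version values are constructed for illustration.

```python
import configparser

def split_version(v):
    # High 16 bits: user-settings revisions; low 16 bits: computer-settings revisions.
    return (v >> 16, v & 0xFFFF)

def gpt_ini_version(text):
    # GPT.INI in the GPO's SYSVOL folder stores "Version=<n>" under [General].
    cp = configparser.ConfigParser()
    cp.read_string(text.lstrip("\ufeff"))  # tolerate a byte-order mark
    section = next(s for s in cp.sections() if s.lower() == "general")
    return cp.getint(section, "version")

def acl_drift(actual, baseline):
    # Trustees missing from, extra to, or with different rights than the baseline.
    missing = sorted(set(baseline) - set(actual))
    extra = sorted(set(actual) - set(baseline))
    changed = sorted(t for t in set(actual) & set(baseline) if actual[t] != baseline[t])
    return missing, extra, changed

def check_gpo(name, ad_version, gpt_ini_text, folder_acl, baseline_acl):
    findings = []
    ad, sysvol = split_version(ad_version), split_version(gpt_ini_version(gpt_ini_text))
    if ad != sysvol:
        findings.append(f"{name}: AD user/computer version {ad} != SYSVOL {sysvol}")
    for label, items in zip(("missing", "extra", "changed"), acl_drift(folder_acl, baseline_acl)):
        if items:
            findings.append(f"{name}: {label} on SYSVOL folder: {', '.join(items)}")
    return findings

# Trustee lists as posted in reply #3; the version numbers below are constructed.
BASELINE_ACL = {"Authenticated Users": "Read and Execute", "Creator Owner": "Special",
                "Domain Admins": "Full Control", "Enterprise Admins": "Full Control",
                "Enterprise Domain Controllers": "Read and Execute", "System": "Full Control"}
DCGP_ACL = {"Administrators": "Full Control", "Authenticated Users": "Read and Execute",
            "Creator Owner": "Special", "Enterprise Domain Controllers": "Read and Execute",
            "Group Policy Creator Owner": "Read and Execute",
            "Server Operators": "Read and Execute", "System": "Full Control"}
SAMPLE_GPT_INI = "[General]\nVersion=65538\n"  # constructed: user=1, computer=2

if __name__ == "__main__":
    for line in check_gpo("DC Group Policy", 65539, SAMPLE_GPT_INI, DCGP_ACL, BASELINE_ACL):
        print(line)
```
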



        • #5
          Re: Permissions in GPO for SYSVOL folder inconsistent with those in AD

          Originally posted by Akila:
          > Typically, once you click OK it needs to fix the error.
          > Does it happen on the same GPO object more than once?

          I didn't quite understand what you mean.
          If you mean does it happen on many GPOs, then the answer is: only on the DC Group Policy. The Default Domain Policy does not show that problem.

          > The error means that the GPO in the AD does not match the version number on the GPO folder in the SYSVOL, or the permissions on the object do not match the permissions on the folder in the SYSVOL for this GPO (it happens many times when you restore a GPO folder to the SYSVOL). Clicking "OK" usually fixes that problem.
          > If this doesn't help, then try to open that GPO in the GPMC and just update/make a change on the GPO; that would usually fix it.
          > Once you update the GPO it would also update the folder in the SYSVOL, and that would also update the version on the SYSVOL to match the AD version of the object.

          So basically there is very little or no possibility of the system going down? No fear of system down? This is very much a production environment, so I'm trying to avoid all possible downtime situations. I hope you understand.



          • #6
            Re: Permissions in GPO for SYSVOL folder inconsistent with those in AD

            Originally posted by alien_ri:
            > I didn't quite understand what you mean.
            > If you mean does it happen on many GPOs, then the answer is: only on the DC Group Policy. The Default Domain Policy does not show that problem.

            No, I meant: after you click "OK" on that pop-up window, does that pop-up window come up again on the same GPO object?



            • #7
              Re: Permissions in GPO for SYSVOL folder inconsistent with those in AD

              OK, I confirmed what was asked.

              First I did a system state backup.

              The system made changes in the SYSVOL directory and all NTFS permissions are now the same as on all other GPOs:
              Authenticated Users - Read and Execute
              Creator Owner - Special
              Domain Admins - Full Control
              Enterprise Admins - Full Control
              Enterprise Domain Controllers - Read and Execute
              System - Full Control

              I forced replication to the nearest DC, ran GPUPDATE, and tried to log on to the replicated DC; all went OK.
              I ran dcdiag to see if I have any problems, and it all looks fine.

              Thanks m8 for helping me on this issue, I really appreciate it.
