Announcement

Collapse
No announcement yet.

serious problem with GPO

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • serious problem with GPO

    Hi, I have problem with creating new policy objects, and I cannot make changes in just crated policy objects.

    When I press New - Policy object in Windows 2000 AD this error appears - look in attachments
    Then I tryed to make some changes in old objects (windows update policy) - anywhere in user or computer configuration ! When I tryed to set up logon, startup script this error appered - look for script image

    Where should be the problem ????

    Here are my events too.
    Attached Files

  • #2
    Re: serious problem with GPO

    Which account are you trying to create the GPO with??

    Comment


    • #3
      Re: serious problem with GPO

      I am logged in as domain administrator

      Comment


      • #4
        Re: serious problem with GPO

        has the user you are logged on with been delegated the authority to create or change gpo's?

        Comment


        • #5
          Re: serious problem with GPO

          Have you set the correct path to the script??

          This should typically be in the SYSVOL share on the server.

          EDIT

          Sorry its the NETLOGON share and not the SYSVOL share.

          The path should be \\server_name\NETLOGON
          Last edited by wullieb1; 8th March 2006, 16:53.

          Comment


          • #6
            Re: serious problem with GPO

            Originally posted by flashy
            has the user you are logged on with been delegated the authority to create or change gpo's?
            I don't understand! Has [email protected][/email] full rights to all actions ?
            He is member of Administrators, domain admins, enterprise admins, . . .
            Is there any higher permission as an administrator ???
            Last edited by Eica; 8th March 2006, 21:41.

            Comment


            • #7
              Re: serious problem with GPO

              Originally posted by wullieb1
              Have you set the correct path to the script??

              This should typically be in the SYSVOL share on the server.

              EDIT

              Sorry its the NETLOGON share and not the SYSVOL share.

              The path should be \\server_name\NETLOGON

              I wrote, that I cannot make any changes to already created GPOs. I already have one GPO created, and it works (with startup script - in computer settings) - it is placed into sysvol\root.domain.com\scripts\go.vbs

              I don't know, what should I do ?

              Comment


              • #8
                Re: serious problem with GPO

                Originally posted by Eica
                I don't understand! Has [email protected][/email] full rights to all actions ?
                He is member of Administrators, domain admins, enterprise admins, . . .
                Is there any higher permission as an administrator ???
                i ran into a similar problem when i created a test OU to work in. I do not know if this will apply to your specific situation.

                go to the group the admin is assigned to. make sure Group scope is global. make sure they have delegation rights. do this in properties.
                also, do you have a security group for "Group Policy Creator owner"?
                make sure that your admin is a memebr of this group.

                Comment


                • #9
                  Re: serious problem with GPO

                  Originally posted by flashy
                  i ran into a similar problem when i created a test OU to work in. I do not know if this will apply to your specific situation.

                  go to the group the admin is assigned to. make sure Group scope is global. make sure they have delegation rights. do this in properties.
                  also, do you have a security group for "Group Policy Creator owner"?
                  make sure that your admin is a memebr of this group.
                  Look at my config - see attachments
                  Attached Files

                  Comment


                  • #10
                    Re: serious problem with GPO

                    The Domain Admins group should be able to create and edit GPOs, but who knows what went wrong in your setup...

                    Try to create a new user, put it in the same groups as yourself, and try to make the change.

                    If that works let us know.

                    If it doesn't, see what types of permissions does the Domain Admins group have for the GPO object (FC?)
                    Cheers,

                    Daniel Petri
                    Microsoft Most Valuable Professional - Active Directory Directory Services
                    MCSA/E, MCTS, MCITP, MCT

                    Comment


                    • #11
                      Re: serious problem with GPO

                      Originally posted by danielp
                      The Domain Admins group should be able to create and edit GPOs, but who knows what went wrong in your setup...

                      Try to create a new user, put it in the same groups as yourself, and try to make the change.

                      If that works let us know.

                      If it doesn't, see what types of permissions does the Domain Admins group have for the GPO object (FC?)
                      My personal account has the same permissions as administrator. I have loged in, but the result was the same !

                      How can I find out which permissions has or should have Domain Admins group ?
                      Attached Files
                      Last edited by Eica; 9th March 2006, 11:32.

                      Comment


                      • #12
                        Re: serious problem with GPO

                        What are the permiossions on the actual GPO??

                        Who owns it??

                        What are the delegations on them??

                        On the GPO's in my domain they are set as follows

                        Owner -

                        Domain Admins (Domian\Domain Admins)

                        Delegation -

                        Authenticated Users - Read (From Security Filtering)
                        Domain Admins - Edit Settings, Delete, Modify Security.
                        Enterprise Admins - Edit Settings, Delete, Modify Security.
                        SYSTEM - Edit Settings, Delete, Modify Security.

                        Comment


                        • #13
                          Re: serious problem with GPO

                          Originally posted by wullieb1
                          What are the permiossions on the actual GPO??

                          Who owns it??

                          What are the delegations on them??

                          On the GPO's in my domain they are set as follows

                          Owner -

                          Domain Admins (Domian\Domain Admins)

                          Delegation -

                          Authenticated Users - Read (From Security Filtering)
                          Domain Admins - Edit Settings, Delete, Modify Security.
                          Enterprise Admins - Edit Settings, Delete, Modify Security.
                          SYSTEM - Edit Settings, Delete, Modify Security.
                          System has the same permissions as owner
                          Attached Files
                          Last edited by Eica; 9th March 2006, 12:37.

                          Comment

                          Working...
                          X