Group Policy/SYSVOL Permission - 2003 vs 2008
  • Group Policy/SYSVOL Permission - 2003 vs 2008

    Created my first 2008 R2 DC several weeks ago to replace my first and oldest 2003 DC. To date I've created the 2008 DC, added DNS to it and transferred the FSMO roles over to the new machine - which is a virtual machine running on VMware ESXi, if that matters. Last week I configured DHCP to point DNS to the server.

    All has been going well - until yesterday.

    I needed to modify a GPO to install a shortcut on all my user's desktops. No problem - a simple copy command in a logon script and I was home free. Until I opened the GPMC on the 2008 server. I was told that I didn't have permissions to the SYSVOL folder. ??? WHAT??? ???

    Since I was working on about 2 hours of sleep, I decided to call it a day. Today, refreshed, I began working on the problem again. I logged on to the 2008 server, fired up GPMC and this time was able to drill down to the Logon Script GPO that I wanted to modify with no problem. I was even able to open the GPO to the point of getting to the logon scripts declaration. But, when I hit the "Show Files" button, I'm presented with this lovely message:

    So, I then fire up Windows Explorer. Drill down through the SYSVOL folder to the Policy folder without issue. If I try to access the subfolder that contains the policy definition and the scripts that I want to edit (meaning the {9534B671...} folder), I'm denied access with a very similar message to the one above.

    Here's the kicker - if I do the same task on the 2003 server, I have no problems. Also, if I log on as "Administrator" (I've renamed that account, but you get the idea), on the 2008 server, I have no problems. It appears as though it's only my Admin Account on the 2008 server that is the problem.

    At this point I'm stuck - I'm concerned about modifying the permissions of the subfolder, afraid I'll break something. But at the same time, I need to do something so that I can eventually remove the 2003 DCs from my domain.

    BTW, the 2008 DC is a 2008 R2 Standard server. This means that it's also a 64-bit system. It's fully patched - made sure of that yesterday when I rebooted the machine by accident (see why I quit now?) When I log in, I've been doing so via RDP. My Admin Account is a member of both the domain admins and enterprise admins groups.

    Can someone give me a clue as to what might be going on?
    --

    ScatterBrain

    "I reject your reality and substitute my own!"
    -- The Mythbusters

  • #2
    Re: Group Policy/SYSVOL Permission - 2003 vs 2008

    What if you create a new GPO?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    • #3
      Re: Group Policy/SYSVOL Permission - 2003 vs 2008

      Originally posted by Dumber:
      What if you create a new GPO?

      It appears as though creation of new GPOs is not a problem.
      --

      ScatterBrain

      "I reject your reality and substitute my own!"
      -- The Mythbusters

      • #4
        Re: Group Policy/SYSVOL Permission - 2003 vs 2008

        In that case I would check the permissions and maybe compare them with a newly created GPO. Maybe something is missing.
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"

        • #5
          Re: Group Policy/SYSVOL Permission - 2003 vs 2008

          Using the 'cacls' command, it appears to me that the permissions on both the main policy folder and the files/directories underneath are the same for all policies on at least two DCs (the 2003 and the 2008 R2 machines).

          As I expected, the permissions are applied at the policy folder and then inherited through the subfolders beneath. In no case are the "domain admins" or "enterprise admins" denied or reduced to anything but "full control".

          I am curious about one thing though: Could this be a UAC issue? I did notice the little "UAC Shield" on the GPMC and a few other icons in the administrative tools program group when logged in with my admin account, but not with the "administrator" account.

          Even more lost than before....
          --

          ScatterBrain

          "I reject your reality and substitute my own!"
          -- The Mythbusters

          • #6
            Re: Group Policy/SYSVOL Permission - 2003 vs 2008

            UPDATE: The problem does appear to be associated with the UAC. If I turn the UAC off on the 2008 R2 DC, I can access the policy subfolders and edit the logon script I needed to in the first place. Even with the GPMC, I can now hit the "show folders" button and successfully access the logon/logoff script folders.

            My question is WHY? Why would a Domain and Enterprise Admin be denied access to resources that he/she has every right to access?

            The ACLs on the folder in question grant my admin account full control, because my admin account is in both the Enterprise and Domain Admin groups. It's not a file permission problem. It's not a share permission problem. It's the UAC stopping me.

            Another bit of info, and maybe this is by design, but when I enter the control panel/user accounts on the 2008 R2 DC, there is an option to "Change account type". When I try to make my admin account an "administrator", the machine gets sent to performance hell. LSASS.EXE consumes between 60% and 75% of the CPU and NETPLWIZ.EXE consumes 20% to 35% - consuming the entire CPU. It does this for 20+ minutes and then the process simply fails and I'm forced to "End Process" on the User Account applet to return the server to normal use.

            So knowing what we know now, can we:

            a). Re-enable UAC and still allow my domain admin accounts the proper level of control/access? (meaning make them function like 2003 did.)

            - OR -

            b). Point me to a place where I can learn why the UAC is doing what it's doing and why it's a good thing?

            At this point all I can see is this:

            --

            ScatterBrain

            "I reject your reality and substitute my own!"
            -- The Mythbusters
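            The behaviour described in posts #5 and #6 is UAC's Admin Approval Mode, not a SYSVOL ACL problem: when a user who is a member of an administrative group logs on interactively with UAC enabled, Windows builds a second, filtered token for the desktop in which the admin group SIDs are marked "used for deny only", so Explorer and GPMC started normally cannot use the Full Control ACE granted to Domain Admins; the built-in Administrator (RID 500) is exempt from Admin Approval Mode by default, which is why that account is unaffected. The script below is an added example (not code from the thread or from any poster) that shows how to confirm this without disabling UAC. It first reports whether the current PowerShell session holds a usable Administrators membership and which admin groups whoami marks deny-only, then performs the cross-DC ACL comparison from post #5 with Get-Acl and Compare-Object. $Dc2003, $Dc2008 and $PolicyGuid are placeholders to replace with your own DC names and GPO folder GUID.

```powershell
# Added example, not from the thread: first show whether this PowerShell session
# holds a UAC-filtered token (admin groups present but "used for deny only"), then
# compare the NTFS ACL of one GPO folder in SYSVOL between two DCs.
# $Dc2003, $Dc2008 and $PolicyGuid are placeholders for your own values.

$Dc2003     = 'dc2003'                                   # placeholder DC name
$Dc2008     = 'dc2008r2'                                 # placeholder DC name
$PolicyGuid = '{00000000-0000-0000-0000-000000000000}'   # placeholder GPO folder name
$Domain     = $env:USERDNSDOMAIN                         # DNS domain of the logged-on user

# --- Part 1: is this process elevated, or running on the filtered token? ---------
$identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal  = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isElevated = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Elevated (Administrators group usable in this token): $isElevated"

# whoami lists every group in the token; with UAC on and a non-elevated process the
# admin groups carry the attribute "Group used for deny only", which is exactly why
# an ACE granting Full Control to Domain Admins does not help here.
whoami /groups |
    Select-String -Pattern 'Domain Admins|Enterprise Admins|BUILTIN\\Administrators' |
    ForEach-Object { $_.Line }

# --- Part 2: compare the GPO folder ACL on both DCs -------------------------------
function Get-PolicyAces {
    param([string]$Dc)
    # SYSVOL layout: \\<dc>\SYSVOL\<dns domain>\Policies\{<gpo guid>}
    $path = "\\$Dc\SYSVOL\$Domain\Policies\$PolicyGuid"
    (Get-Acl -Path $path).Access | ForEach-Object {
        [pscustomobject]@{
            Identity    = $_.IdentityReference.Value
            Rights      = $_.FileSystemRights.ToString()
            Type        = $_.AccessControlType.ToString()
            IsInherited = $_.IsInherited
        }
    }
}

$props = 'Identity', 'Rights', 'Type', 'IsInherited'
$diff  = Compare-Object -ReferenceObject (Get-PolicyAces $Dc2003) `
                        -DifferenceObject (Get-PolicyAces $Dc2008) `
                        -Property $props

if (-not $diff) {
    Write-Host "ACLs on $PolicyGuid are identical on $Dc2003 and $Dc2008."
} else {
    # '<=' rows exist only on the 2003 DC, '=>' rows only on the 2008 DC.
    $diff | Format-Table -AutoSize
}
```

Run it once from a normal PowerShell window and once from one started with "Run as administrator": Part 1 flips from False to True and the "deny only" attribute disappears, while Part 2 reports identical ACLs both times, matching the cacls result in post #5. The conclusion for a DC is to keep UAC enabled and launch GPMC and Explorer elevated (or from an elevated prompt) when editing SYSVOL, rather than turning UAC off as in post #6.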

            • #7
              Re: Group Policy/SYSVOL Permission - 2003 vs 2008

              Ok, I think this might help to give you an answer:
              http://social.technet.microsoft.com/...b-39f1efbe3ab8
              Let me know what you think about it!
              Marcel
              Technical Consultant
              Netherlands
              http://www.phetios.com
              http://blog.nessus.nl

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"
