GPMC modelling after upgrading Active Directory

This content is 19 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Earlier today, I came across an interesting hangover from last week’s domain upgrade from Windows 2000 Server to Windows Server 2003.

After installing the group policy management console (GPMC), I was viewing a pre-existing group policy object (GPO) and GPMC notified me that Enterprise Domain Controllers did not have read access to all GPOs in the domain. This was initially worrying, but for once the help link had some useful information at the other end.

It turns out that Windows Server 2003 group policy modelling (simulating the resultant set of policy for a given configuration) is performed by a service that runs on domain controllers and in order to perform the simulation in cross-domain scenarios, the service must have read access to all GPOs in the forest.

In a Windows Server 2003 domain (whether it is upgraded from Windows 2000 or installed as new), the Enterprise Domain Controllers group is automatically given read access to all newly created GPOs. This ensures that the service can read all GPOs in the forest.

However, if the domain was upgraded from Windows 2000, any existing GPOs that were created before the upgrade do not have read access for the Enterprise Domain Controllers group.

GPMC had detected this situation and notified me that Enterprise Domain Controllers did not have read access to all GPOs in this domain. After reading the help text, I was directed to use one of the sample scripts provided with GPMC, GrantPermissionOnAllGPOs.wsf, to update the permissions for all GPOs in the domain.

Whilst logged on with Domain Admins permissions I simply opened a command prompt, navigated to %programfiles%\gpmc\scripts and issued the command cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /Permission:Read /Domain:dnsdomainname.

The output was as follows:

C:\Program Files\GPMC\Scripts>Cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /Permission:Read /Domain:home.local
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Warning! By executing this script, all GPOs in the target domain will be updated with the desired security setting.

Both the Active Directory and Sysvol portions of the GPO will be updated. This will result in the Sysvol contents of every GPO being copied to all replica domain controllers, and may cause excessive replication traffic in your domain.

If you have slow network links or restricted bandwidth between your domain controllers, you should check the amount of data on the Sysvol that would be replicated before performing this task.

Do you want to proceed? [Y/N]
Y
Updated GPO 'Default Domain Policy' to 'Read' for Enterprise Domain Controllers
Updated GPO 'Windows Software Update Services' to 'Read' for Enterprise Domain Controllers
Updated GPO 'Default Domain Controllers Policy' to 'Read' for Enterprise Domain Controllers

Once this was completed, GPMC was able to function as normal with the existing GPOs.
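The GrantPermissionOnAllGPOs.wsf script above grants Read to every GPO unconditionally, which is why it warns about Sysvol replication traffic. The following PowerShell is an added example, not part of the original post or of GPMC's sample scripts: it uses the GroupPolicy module (shipped with Windows Server 2008 R2 and later RSAT, not with the 2003-era GPMC) to list only the GPOs in which Enterprise Domain Controllers (well-known SID S-1-5-9) lacks Read, and then grants GpoRead to just those. The domain name is a placeholder assumption, and Set-GPPermission runs with -WhatIf so nothing is written until that switch is removed.

```powershell
# Added example (not from the original post): audit, then optionally repair,
# GPOs that do not grant Read to Enterprise Domain Controllers.
# Requires the GroupPolicy module (Server 2008 R2+ / RSAT) and Domain Admins rights.
Import-Module GroupPolicy

$domain     = 'dnsdomainname'   # assumption: replace with your domain's DNS name
$trusteeSid = 'S-1-5-9'         # well-known SID: Enterprise Domain Controllers
$trustee    = 'Enterprise Domain Controllers'

# Get-GPPermission -TargetName errors when the trustee has no ACE at all,
# so pull the whole permission list and filter by SID instead.
$missing = foreach ($gpo in Get-GPO -All -Domain $domain) {
    $acl   = Get-GPPermission -Guid $gpo.Id -All -Domain $domain
    $entry = $acl | Where-Object {
        "$($_.Trustee.Sid)" -eq $trusteeSid -and -not $_.Denied
    }

    # GpoRead, GpoApply, GpoEdit and GpoEditDeleteModifySecurity all include Read.
    # A missing ACE or Permission 'None' means modelling cannot read this GPO.
    # GpoCustom is surfaced too, because its effective rights are not obvious.
    if (-not $entry -or $entry.Permission -in @('None', 'GpoCustom')) {
        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            Permission  = if ($entry) { "$($entry.Permission)" } else { '(no ACE)' }
        }
    }
}

if (-not $missing) {
    "All GPOs in $domain grant Read to $trustee."
    return
}

"GPOs in $domain lacking Read for $trustee:"
$missing | Format-Table DisplayName, Id, Permission -AutoSize

# Each write below re-copies that GPO's Sysvol folder to all replica DCs,
# so on slow links check the Sysvol size first. Remove -WhatIf to apply.
foreach ($item in $missing | Where-Object { $_.Permission -ne 'GpoCustom' }) {
    Set-GPPermission -Guid $item.Id -Domain $domain `
        -TargetName $trustee -TargetType Group `
        -PermissionLevel GpoRead -WhatIf
}
```

GPOs reported as GpoCustom are listed but deliberately left alone, since a custom ACL may already include Read or may carry deliberate restrictions; inspect those by hand before changing them.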

4 thoughts on “GPMC modelling after upgrading Active Directory”

  1. I am having an installation problem with Exchange 2003 on a recently upgraded domain (2000 to 2003) and am wondering if a similar scenario may be causing my error. I get “Either you do not have permission to update the Active Directory schema or Active Directory service is currently too busy.” during the /forestprep portion of E2K3 installation. I have read several articles on this error and reviewed numerous settings that have corrected this situation for others, but to no avail. So my question is, are there any other well-known permissions issues that are left over after the domain migration?

  2. Make sure the account you are using to do the install is in the Enterprise Admin and Schema Admin groups (you may only need Schema Admin). I ran into this during an install, and adding myself to Schema/Enterprise solved this problem (I needed to be in Enterprise for something else, so added to both). Once in those groups, everything went fine.
