Earlier today, I came across an interesting hangover from last week’s domain upgrade from Windows 2000 Server to Windows Server 2003.
After installing the group policy management console (GPMC), I was viewing a pre-existing group policy object (GPO) and GPMC notified me that Enterprise Domain Controllers did not have read access to all GPOs in the domain. This was initially worrying, but for once the help link had some useful information at the other end.
It turns out that Windows Server 2003 group policy modelling (simulating the resultant set of policy for a given configuration) is performed by a service that runs on domain controllers and in order to perform the simulation in cross-domain scenarios, the service must have read access to all GPOs in the forest.
In a Windows Server 2003 domain (whether it is upgraded from Windows 2000 or installed as new), the Enterprise Domain Controllers group is automatically given read access to all newly created GPOs. This ensures that the service can read all GPOs in the forest.
However, if the domain was upgraded from Windows 2000, any existing GPOs that were created before the upgrade do not have read access for the Enterprise Domain Controllers group.
GPMC had detected this situation and notified me that Enterprise Domain Controllers do not have read access to all GPOs in this domain, and after reading the help text I was directed to use one of the sample scripts provided with GPMC, GrantPermissionOnAllGPOs.wsf, to update the permissions for all GPOs in the domain.
Whilst logged on with Domain Admins permissions I simply opened a command prompt, navigated to %programfiles%\gpmc\scripts and issued the command cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /Permission:Read /Domain:dnsdomainname (substituting the DNS name of the domain for dnsdomainname).
The output was as follows:
C:\Program Files\GPMC\Scripts>Cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /Permission:Read /Domain:home.local
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Warning! By executing this script, all GPOs in the target domain will be updated with the desired security setting.
Both the Active Directory and Sysvol portions of the GPO will be updated. This will result in the Sysvol contents of every GPO being copied to all replica domain controllers, and may cause excessive replication traffic in your domain.
If you have slow network links or restricted bandwidth between your domain controllers, you should check the amount of data on the Sysvol that would be replicated before performing this task.
Do you want to proceed? [Y/N]
Updated GPO 'Default Domain Policy' to 'Read' for Enterprise Domain Controllers
Updated GPO 'Windows Software Update Services' to 'Read' for Enterprise Domain Controllers
Updated GPO 'Default Domain Controllers Policy' to 'Read' for Enterprise Domain Controllers
Once this was completed, GPMC was able to function as normal with the existing GPOs.
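The GPMC sample script rewrites every GPO in the domain, which is what triggers the Sysvol replication warning in the output above. The following is an added example, not part of the original post or of GPMC, that first audits which GPOs actually lack Read for Enterprise Domain Controllers and then, only if asked, grants it on just those. It assumes the GroupPolicy PowerShell module available on Windows Server 2008 R2 and later with GPMC installed (this module did not exist on Windows Server 2003), and $DomainName is a placeholder for your DNS domain name.

```powershell
# Added example: audit (and optionally repair) Read access for
# Enterprise Domain Controllers on every GPO in a domain.
# Assumes the GroupPolicy module; run as a Domain Admin.
param(
    [string]$DomainName = "example.local",   # placeholder: your DNS domain name
    [switch]$Fix                              # grant Read where it is missing
)
Import-Module GroupPolicy

$trustee = "Enterprise Domain Controllers"
$missing = @()

foreach ($gpo in Get-GPO -All -Domain $DomainName) {
    try {
        # Get-GPPermission errors when the trustee has no entry on the GPO at all,
        # so treat an error exactly like an explicit lack of Read.
        $perm = Get-GPPermission -Guid $gpo.Id -Domain $DomainName `
                    -TargetName $trustee -TargetType Group -ErrorAction Stop
        # Any of these levels includes the Read right the modelling service needs.
        $hasRead = $perm.Permission -in 'GpoRead','GpoApply','GpoEdit','GpoEditDeleteModifySecurity'
    } catch {
        $hasRead = $false
    }
    if (-not $hasRead) { $missing += $gpo }
}

if ($missing.Count -eq 0) {
    Write-Host "All GPOs in $DomainName already grant Read to $trustee."
    return
}

Write-Host "GPOs in $DomainName missing Read for ${trustee}:"
$missing | Select-Object DisplayName, Id, ModificationTime | Format-Table -AutoSize

if ($Fix) {
    # Touching only the GPOs that need it keeps the Sysvol replication
    # burst to the pre-upgrade GPOs rather than every GPO in the domain.
    foreach ($gpo in $missing) {
        Set-GPPermission -Guid $gpo.Id -Domain $DomainName -TargetName $trustee `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        Write-Host "Granted Read on '$($gpo.DisplayName)' to $trustee"
    }
}
```

Run it once without -Fix to see the list (for the upgraded domain in the post that would be the three pre-existing GPOs), then with -Fix to apply the change to only those GPOs.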