Update Group Policy Permissions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Group Policy Modeling is a new feature of the GPMC that simulates the resultant set of policy for a particular configuration. The simulation is performed by a service that runs on Windows Server 2003–based domain controllers. To perform the simulation across domains, the service must have read access to all Group Policy objects (GPOs) in the forest.

In a Windows Server 2003 domain that has been upgraded from Windows 2000 or newly installed, the Enterprise Domain Controllers group is automatically given read access to all newly created GPOs. This ensures that the service can read all GPOs in the forest.

However, if the domain was upgraded from Windows 2000, the Enterprise Domain Controllers group will not have read access to any existing GPOs that were created prior to the upgrade. The Group Policy Management Console detects this when you click a GPO and notifies the user that Enterprise Domain Controllers do not have read access to all GPOs in this domain. To solve this problem, use the sample script that is provided with the Group Policy Management Console, GrantPermissionOnAllGPOs.wsf. This script will update the permissions on all GPOs in the domain. You must be a member of the Domain Admins group or have permissions to modify security on all GPOs in the domain to run this script.

Note

• To download the GPMC, see the Group Policy Management Console link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

To update permissions on all GPOs in a domain

1. At the command line, change to the %programfiles%\Gpmc\Scripts folder.

2. Type the following:

   GrantPermissionOnAllGPOs.wsf “Enterprise Domain Controllers” /permission:read /domain:DNSDomainName /Replace
   

   Using the Replace switch removes existing permissions for the group or user before making the change. If a group or user is already granted a permission type higher than the new permission type, and you do not specify Replace, no change is made.

For more information about using GPMC for deploying Group Policy, see "Designing a Group Policy Infrastructure" in Designing a Managed Environment in this kit.

For more information about Group Policy Management Console (GPMC) scripting, see the Platform SDK: Group Policy Management Console (https://go.microsoft.com/fwlink?linkid=17912).