Myself and a colleague Mark Empson have been developing a New Service entitled a GPO Health Check that looks at every aspect of the health of your Group Policies. Well one of the tests involved was checking for any Group Policies that had only the Read Group Policy Object permission and not the Apply Group Policy Permission.
Once this test had run through we found we had virtually every group policy in our test environment registering as having this Read only permission set against a group called the
“Enterprise Domain Controllers “ Group. On further investigation this proved to be absolutely correct and is the default setting for a Windows 2003 and Windows 2008 and Windows 2008 R2 environment.
This Read only access is required for Group Policy Modeling which is a feature of the Group Policy Management Console (GPMC) that simulates the resultant set of policy for a particular configuration. The simulation is performed by a service that runs on domain controllers. To perform the simulation across domains, the service must have read access to all Group Policy objects (GPOs) in the forest
However an important proviso is associated with this which I was blissfully unaware of .
If you are upgrading from a 2000 Forest to 2008 or 2008r2 only NEW group policies will have this “Enterprise Domain Controllers” permission of Read applied to them. All group policys created previously will not have this permission applied to them.
This will be exhibited by the Group Policy GPMC snap –in informing you that the “Enterprise Domain Controllers “ does not have Read access to the Group Policy.
To remove this error message all you need to do is use a script to update the Group Policy permissions across your Enterprise.
The details of this script , plus also details to run this from the command line are available here.
Well I did not realise the above until just the other day, so another tidbit to store away :).
Also - If you open up the GPMC and you have the correct permissions - when you click on an affected GPO it will prompt you to set the correct permissions - automagically.
Thanks for the information.