Jane Lewis's Weblog

Platforms, Active Directory,Administration, Management,Women in Technology, Random Thoughts

Enterprise Domain Controllers Group and Group Policies

Enterprise Domain Controllers Group and Group Policies

  • Comments 222
  • Likes

Myself and a colleague Mark Empson have been developing a New Service entitled a GPO Health Check that looks at every aspect of the health of your Group Policies. Well one of the tests involved was checking for any Group Policies that had only the Read Group Policy Object permission and not the Apply Group Policy Permission.

Once this test had run through we found we had virtually every group policy in our test environment registering as having this Read only permission set against a group called the

Enterprise Domain Controllers “ Group. On further investigation this proved to be absolutely correct and is the default setting for a Windows 2003 and Windows 2008 and Windows 2008 R2 environment.

This Read only access is required for Group Policy Modeling  which is a feature of the Group Policy Management Console (GPMC) that simulates the resultant set of policy for a particular configuration. The simulation is performed by a service that runs on domain controllers. To perform the simulation across domains, the service must have read access to all Group Policy objects (GPOs) in the forest

However an important proviso is associated with this which I was blissfully unaware of .

If you are upgrading from a 2000 Forest to 2008 or 2008r2 only  NEW group policies will have this “Enterprise Domain Controllers” permission of Read applied to them. All group policys created previously will not have this permission applied to them.

This will be exhibited by the Group Policy GPMC snap –in informing you that the “Enterprise Domain Controllers “ does not have Read access to the Group Policy.

To remove this error message all you need to do is use a script to update the Group Policy permissions across your Enterprise.

The details of this script , plus also details to run this from the command line are available here.


Well I did not realise the above until just the other day, so another tidbit to store away :).

  • Also - If you open up the GPMC and you have the correct permissions - when you click on an affected GPO it will prompt you to set the correct permissions - automagically.

  • Cheers Mark,

    Thanks for the information.


  • Such a very useful article. Very interesting to read this article.I would like to thank you for the efforts you had made for writing this awesome article. http://21stcenturymediarelations.com

  • Keep sharing such ideas in the future as well. This was actually what I was looking for, and I am glad to came here! Thanks for sharing such a information with us.http://www.costapharmacy.com/buy-soma.htm" rel="follow">Soma

  • The world is changing fast. people are also being changed.day by day we are becoming more dependant on degital system.yoU make me think of this really.You have a nice way of sharing your thoughts. the venus factor book

  • Another example of creativeness, I am glad to find it.There are so many developers working on this part but this is one of the best innovative post ever. Thanks for such post. http://www.newtonellis.com/canon/index.html" rel="follow">Canon Camera Repair

  • Another example of creativeness, I am glad to find it.There are so many developers working on this part but this is one of the best innovative post ever. Thanks for such post.


  • I undoubtedly enjoying every little bit of it and I have you bookmarked to check out new stuff you post. Anyway, in my language, there aren't a lot good supply like this.


  • I will be utilizing your web site facts. Your site giving quite a few essay or dissertation publishing products and services as well as article writing products and http://www.aussieassignments.org/">essay writing service australia services. All our college students really all of us entire publishing guidelines giving your website. Many thanks a good deal this kind of prospect.

  • I need this article to complete my assignment in the college, and it has same topic with your article. Thanks, great share. http://buyfakelikes.com

  • Thanks for sharing this interesting blog with us.My pleasure to being here on your blog..I wanna come beck here for new post from your site. http://www.wood-finishes-direct.com/blog/everything-you-should-know-about-sustainable-wood/

  • I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog posts. Any way I’ll be subscribing to your feed and I hope you post again soon. http://poreminimizerultimate.com/

  • I am happy to find this post very useful for me, as it contains lot of information. I always prefer to read the quality content and this thing I found in you post. Thanks for sharing. http://www.paleopassionfoods.com/paleo-passion-pops-23.html

  • I believe there are many more pleasurable opportunities ahead for individuals that looked at your site. http://ledconceptslighting.genuineauditing.org

  • I want to know some other information about this site. So please give me this news quickly. I always will be aware of you. http://johnparkerzone.com/gynexin/

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment