One Technologies in Active Directory I am extremely passionate about is Group Policy and I would love to write some more articles on Group Policy, but I want to make sure I publish topics that are of interest to you. So if you would like see more on group policy please comment to this blog entry and let me know what you want to see. This entry is based on email's I have gotten with the problem of the administrators have been denied access to the Group Policies. Enjoy!
All right so you just watched my 14 part web cast series on group policy. You are all excited and starting to test the policies and with you being the administrator you are thinking of all the wonderful things you can limit on your user’s desktop. You are also very aware that as administrator you are above the policy settings, it is good to be the king. So you decide to make sure the polices do not apply to you, so you use the wonderful deny permissions and deny all from the administrator, so you do not get them applied to you.
Then you click ok and go about your daily rounds and then decide to implement even more settings then you go back to Group Policy Management Console and you get this message: ACCESS DENIED! Then you realize that the deny all permission are very good at what they do. I will also tell you I have seen this same problem surface when you try to run ADPREP and DOMAINPREP on a 2000 system you are going to upgrade, the log entry for that is fairly specific as well: “Adprep was unable to complete because the call back function (null) failed. [Status/Consequence]Error message: Windows cannot set new permissions for Group Policy Object Directory”
So then the question becomes what now and how do I fix it.
The fix actually quite straight forward, all you need to is give your self permissions to the AD properties for the Group Policy and the actual directory where the policies are stored. I borrowed the steps from KB884884.
This should fix the problem. The article also mentions a hot fix, that I have not tried yet, the workaround has always solved my problem.