DOMAIN SECURITY GROUP POLICY

Jurbop

I am preparing for the MCSE 2000 Security exam (70-214),
and one of the exercises I am to do is to Modify User
Rights. I run a single domain, and when I open up Active
Directory Users and Computers, right click the domain
name, click on properties, and click on the Group Policy
tab to access the "Domain Security Group Policy", I am not
able to EDIT this policy (EDIT is grayed out). I click on
the policy properties, then the Security tab, and
authorized entries are: Authenticated Users, Creator
Owner, Domain Admins, Enterprise Admins, and System. None
of these entries has FULL CONTROL access. I am logged on
as Administrator, and I'm a member of the Domain Admin
group. Both Domain Admin and System have Read, Write, and
Create and Delete All Child Objects permissions, but no
Full Control. I've tried various things to try and gain
access which would allow me to EDIT this policy, but have
not been able to. What can I do to obtain FULL CONTROL for
this policy so I can EDIT it? Thank you.
 
Steven L Umbach

Try using Domain Security Policy in the administrator tools to see if you can open
it. Make sure you are logged on as an administrator as that is often the problem. It
is possible for the domain admins group to be removed from the administrators group
and possibly the built in administrator account was renamed. Running "net user
username" will show group membership and "net localgroup administrators" will show
members of the administrators group when run on the domain controller. A user needs
only read and write permissions to edit a GPO. --- Steve
 
jurbop

I opened up Domain Security Policy in Administrator Tools,
but there was no policy I could activate/deactivate to
change the situation. I ran "net localgroup
administrators" and the comment stated that the
administrator has unrestricted control over the domain. I
am logged on as administrator, and I am a Domain Admin
member. The Domain Admins do have read and write
permissions, but when I access the Domain Properties, then
click the Group Policy tab, the Domain Security Group
Policy EDIT option is still grayed out. When I open the
properties for this policy and click on the Security tab
to check the ACL, I get a message stating "You only have
permission to view the current security information on
Domain Security Group Policy". Again all tabs to allow me
to Add, Remove, or Apply (to make any changes) are grayed
out. There must be some way for me as an Admin to access
this policy and EDIT it. Thanks for your response.
 
Steven L Umbach

Can you edit any Group Policies such as the GPO for the domain controller container?
I am a bit confused because if you can open up Domain Security Policy you should be
able to configure user rights under security settings/local policies/user rights.
Anyhow make sure that the administrator account is in the Group Policy Creators
Owners Group, log on as "the" administrator and try again. If you still cannot, go
to properties/security of the GPO and select advanced/owner and take ownership which
should then allow you to change permissions in the same way you take ownership of a
folder. I would also look in Event Viewer to see if any errors show to indicate a
related problem. --- Steve
 
