DOMAIN SECURITY GROUP POLICY


Jurbop
I am preparing for the MCSE 2000 Security exam (70-214),
and one of the exercises I am to do is to Modify User
Rights. I run a single domain, and when I open up Active
Directory Users and Computers, right click the domain
name, click on properties, and click on the Group Policy
tab to access the "Domain Security Group Policy", I am not
able to EDIT this policy (EDIT is grayed out). I click on
the policy properties, then the Security tab, and
authorized entries are: Authenticated Users, Creator
Owner, Domain Admins, Enterprise Admins, and System. None
of these entries has FULL CONTROL access. I am logged on
as Administrator, and I'm a member of the Domain Admin
group. Both Domain Admin and System have Read, Write, and
Create and Delete All Child Objects permissions, but no
Full Control. I've tried various things to try and gain
access which would allow me to EDIT this policy, but have
not been able to. What can I do to obtain FULL CONTROL for
this policy so I can EDIT it? Thank you.

Steven L Umbach
Try using Domain Security Policy in the administrator tools to see if you can open
it. Make sure you are logged on as an administrator as that is often the problem. It
is possible for the domain admins group to be removed from the administrators group
and possibly the built-in administrator account was renamed. Running "net user
username" will show group membership and "net localgroup administrators" will show
members of the administrators group when run on the domain controller. A user needs
only read and write permissions to edit a GPO. --- Steve





jurbop
I opened up Domain Security Policy in Administrator Tools,
but there was no policy I could activate/deactivate to
change the situation. I ran "net localgroup
administrators" and the comment stated that the
administrator has unrestricted control over the domain. I
am logged on as administrator, and I am a Domain Admin
member. The Domain Admins do have read and write
permissions, but when I access the Domain Properties, then
click the Group Policy tab, the Domain Security Group
Policy, EDIT option is still grayed out. When I open the
properties for this policy and click on the Security tab
to check the ACL, I get a message stating "You only have
permission to view the current security information on
Domain Security Group Policy". Again all tabs to allow me
to Add, Remove, or Apply (to make any changes) are grayed
out. There must be some way for me as an Admin to access
this policy and EDIT it. Thanks for your response.

Steven L Umbach
Can you edit any Group Policies such as the GPO for the domain controller container?
I am a bit confused because if you can open up Domain Security Policy you should be
able to configure user rights under security settings/local policies/user rights.
Anyhow make sure that the administrator account is in the Group Policy Creators
Owners Group, log on as "the" administrator and try again. If you still cannot, go
to properties/security of the GPO and select advanced/owner and take ownership which
should then allow you to change permissions in the same way you take ownership of a
folder. I would also look in Event Viewer to see if any errors show to indicate a
related problem. --- Steve


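
The checks from Steve's two replies (effective group membership, GPO permissions, GPO owner, related event-log errors) collected into one read-only script. This is an added example, not part of the original thread; it assumes a current Windows host with the GroupPolicy and ActiveDirectory PowerShell modules rather than the Windows 2000 tools the thread used, and it takes the GPO display name from the question.

```powershell
# Added example: read-only diagnostics, nothing is modified.
# Assumption: GroupPolicy and ActiveDirectory modules (RSAT) are installed.
Import-Module GroupPolicy, ActiveDirectory

# Display name as given in the question; adjust to your domain (assumption).
$GpoName = 'Domain Security Group Policy'
$gpo = Get-GPO -Name $GpoName -ErrorAction Stop

# 1. Groups actually present in the current logon token.
$wanted = 'Domain Admins|Administrators|Group Policy Creator Owners'
whoami /groups | Select-String -Pattern $wanted

# 2. Members of the groups named in the replies.
foreach ($group in 'Administrators', 'Domain Admins', 'Group Policy Creator Owners') {
    Write-Host "--- Members of $group"
    Get-ADGroupMember -Identity $group | Select-Object Name, objectClass
}

# 3. GPO permissions: editing needs read and write (GpoEdit or higher).
$perms = Get-GPPermission -Guid $gpo.Id -All
$perms | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied, Inherited
$editors = $perms | Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' }
if (-not $editors) { Write-Warning "No trustee has edit rights on '$GpoName'." }

# 4. Owner and raw ACEs of the GPO's directory object.
$acl = Get-Acl -Path ("AD:\" + $gpo.Path)
Write-Host "Owner: $($acl.Owner)"
$acl.Access | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# 5. Recent Group Policy errors and warnings in the System log.
$filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'; Level = 2, 3 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```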