Locate the policy that has been restricted, and then note the distinguished name of this object, for example:Ĭn=,cn=policies,cn=system,dc=jlc,dc=com /R "JLC\Domain Admins" The right pane lists the global universal identification numbers (GUIDs) for all the GPOs in the domain. Under ADSIEdit, click Domain NC, and then locate the following container:ĭomain_Name container\CN=System\CN=Policies container
NOTE: To determine the PDC emulator operations masters role owner, right-click the domain name in the Active Directory Users and Computers snap-in, click Operations Masters, and then click the PDC tab. Use the ADSIEdit.msc tool that is included in the Support Tools for Windows 2000 and Windows Server 2003, to determine the distinguished name of the GPO in Active Directory. You must know the distinguished name (also known as DN) of the GPO to use this tool. You can use the DSACLS tool that is included in the Support Tools for Windows 2000 and Windows Server 2003, to remove the Deny Access permissions from the Domain Administrators group. If no other accounts have permissions to restore the permissions to the GPO, reset the permissions for the account or group that has been denied access to the GPO. Use an account that has the appropriate permissions to restore the permissions to the GPO. When the client selected the Edit of Default Domain Policy on a Windows SBS 2003, he received these message: “Failed to open the Group Policy Object.Ĭase 3: The Domain Administrators Group Has Been Denied Access to the GPO Ĭase 2: This could be multihpomed computer issue.
0 kommentar(er)
