JSI Tip 4829. Domain Administrator can't create a GPO and link it to an OU?

When a domain administrator creates a new GPO and links it to an OU, they receive:

   Failed to create new Group Policy Object. You may not have appropriate rights.

   Details: The security ID may not be assigned as the owner of this object.

This error occurs when the administrator does NOT have the Restore files and directories user right.

To resolve the problem:

1. Log on to any Windows 2000 domain controller.

2. Start the Active Directory Users and Computers snap-in.

3. Right-click Domain Controllers and press Properties.

4. Select the Group Policy tab.

5. Select Default Domain Controllers Policy and press Edit.

6. Navigate to Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.

7. Double-click Restore files and directories. If Administrators is NOT listed, add the Administrators group. If it is listed, make sure that the user account of the administrator that received the error is a member.

8. Force a refresh by running secedit.exe /refreshpolicy machine_policy /enforce

9. The administrator who received the error must log off and log on again.
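
To confirm the result of step 7 without opening the editor, the following added example (not part of the original tip) parses a security template export and reports who holds Restore files and directories. It assumes the export was produced with secedit /export /cfg <file> /areas USER_RIGHTS; the sample text is constructed, and the function names are hypothetical.

```python
import re

RESTORE = "SeRestorePrivilege"        # constant name of "Restore files and directories"
ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of the built-in Administrators group

# Constructed sample of an exported template (not taken from a real system).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-549,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {privilege: [holders]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; plain account names have none.
            holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
            rights[name.strip()] = holders
    return rights

def restore_right_holders(inf_text):
    """List the SIDs or account names that hold the restore right."""
    return parse_privilege_rights(inf_text).get(RESTORE, [])

def administrators_can_restore(inf_text):
    """True if Administrators appears by SID or by name among the holders."""
    holders = [h.lower() for h in restore_right_holders(inf_text)]
    return ADMINISTRATORS_SID.lower() in holders or "administrators" in holders

if __name__ == "__main__":
    print("holders:", restore_right_holders(SAMPLE_INF))
    print("Administrators listed:", administrators_can_restore(SAMPLE_INF))
```

secedit normally writes the export as UTF-16, so read a real file with open(path, encoding="utf-16"). The check covers only the user right itself; whether the affected account is a member of Administrators still has to be confirmed separately.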
