JSI Tip 8872. When running GPMC on a Windows Server 2003 that you upgraded from Windows 2000, you receive 'The Enterprise Domain Controllers group does not have read access to this GPO'?

The GPMC (Group Policy Management Console) issues the following warning:

The Enterprise Domain Controllers group does not have read access to this GPO. The Enterprise Domain Controllers group must have read access on all GPOs in the domain in order for Group Policy Modeling to function properly. To learn more about this issue and how you can correct it, click Help.

When you upgrade a Windows 2000 server to Windows Server 2003, the Enterprise Domain Controllers group is NOT granted Read permission on the existing Group Policies.

NOTE: New Group Policies are properly ACLed.

To resolve this issue:

1. Open a CMD.EXE window.

2. Type cd /d "%programfiles%\gpmc\scripts" and press Enter.

3. Type Cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /Permission:Read /Domain:JSIINC.COM and press Enter, replacing JSIINC.COM with your domain.

4. You receive:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Warning! By executing this script, all GPOs in the target domain will be
updated with the desired security setting.

Both the Active Directory and Sysvol portions of the GPO will be updated.
This will result in the Sysvol contents of every GPO being copied to all
replica domain controllers, and may cause excessive replication traffic
in your domain.

If you have slow network links or restricted bandwidth between your domain
controllers, you should check the amount of data on the Sysvol that would
be replicated before performing this task.

Do you want to proceed? [Y/N]

5. When you type Y, you receive information like:

Updated GPO 'Default Domain Policy' to 'Read' for Enterprise Domain Controllers
Updated GPO 'Default Domain Controllers Policy' to 'Read' for Enterprise Domain Controllers
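
An added example, not part of the original tip: a read-only audit that lists which GPOs lack Read for Enterprise Domain Controllers, so you can see how widespread the missing permission is before running the script in step 3 and triggering Sysvol replication. It assumes a management host with the PowerShell GroupPolicy module (RSAT, Windows Server 2012 or later), which the Windows Server 2003 GPMC described here does not include; the variable names are illustrative.

```powershell
# Added example: read-only audit, changes nothing in the domain.
# Assumption: GroupPolicy module from RSAT/GPMC on Windows Server 2012 or later.
Import-Module GroupPolicy

$Domain = 'JSIINC.COM'    # replace with your domain, as in step 3
$EdcSid = 'S-1-5-9'       # well-known SID of Enterprise Domain Controllers

# Permission levels that include Read on the GPO
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All -Domain $Domain) {
    # Enumerate every permission entry on the GPO, keep the ones for the EDC group.
    # Matching on the SID avoids problems with localized or renamed display names.
    $aces = @(Get-GPPermission -Guid $gpo.Id -Domain $Domain -All |
        Where-Object { $_.Trustee.Sid.Value -eq $EdcSid })

    $granted = @($aces | Where-Object {
        -not $_.Denied -and $ReadLevels -contains $_.Permission.ToString()
    })
    $denied = @($aces | Where-Object { $_.Denied })

    if ($denied.Count -gt 0) {
        $status = 'Denied'                 # an explicit deny overrides any grant
    } elseif ($granted.Count -gt 0) {
        $status = 'OK'
    } elseif ($aces.Count -gt 0) {
        $status = 'Custom (review manually)'
    } else {
        $status = 'Missing'                # the case this tip describes
    }

    [pscustomobject]@{
        GPO     = $gpo.DisplayName
        Id      = $gpo.Id
        Created = $gpo.CreationTime
        Status  = $status
    }
}

# Show only the GPOs that need attention, oldest first
$report | Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Created | Format-Table -AutoSize
```

Running it again after step 5 should return no rows with Status 'Missing'.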
