
Q. After I upgraded from Windows 2000 Server to Windows Server 2003, I received an error about the Enterprise Domain Controllers group's access to certain Group Policy Objects (GPOs) in Group Policy Management Console (GPMC). What's causing this error?

A. Windows 2003 introduced the Group Policy Modeling feature, which simulates Resultant Set of Policy (RSoP) scenarios and is performed by a service that runs on Windows 2003 domain controllers (DCs). Because this service runs on the DCs, the Enterprise Domain Controllers group needs access to all Group Policy Objects (GPOs). This access is granted automatically to any newly created GPO. However, GPOs that existed before the upgrade aren't updated with the new permissions. When you use GPMC to access such GPOs, you'll receive a warning, which the figure shows. To solve the problem, perform these steps:

  1. Log on as a domain administrator.
  2. Start a command prompt and navigate to the %programfiles%\gpmc\scripts folder (e.g., c:\program files\gpmc\scripts) by typing
    cd /d %programfiles%\gpmc\scripts
  3. Execute the GrantPermissionOnAllGPOs.wsf script that's provided with GPMC and specify the domain's DNS name, for example:
    Cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /Permission:Read /Domain:<domain DNS name>
    Be sure to replace <domain DNS name> with your domain name.
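
To see which GPOs still lack the permission before or after running the script, an audit along the following lines can help. This is an added example, not part of the original article or of the GPMC sample scripts; it assumes the GroupPolicy PowerShell module that ships with GPMC/RSAT on later Windows versions (where the cmdlet is named Get-GPPermission), and the function name Get-GpoMissingEdcRead is hypothetical.

```powershell
# Added example (not from the original article): list GPOs on which the
# Enterprise Domain Controllers group has no read-level permission.
# Assumption: the GroupPolicy module (GPMC/RSAT on later Windows versions) is installed.
Import-Module GroupPolicy

# Well-known SID of Enterprise Domain Controllers; matching on the SID
# avoids problems with localized group names.
$EdcSid = 'S-1-5-9'

# Permission levels that include read access to the GPO.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Get-GpoMissingEdcRead {
    param(
        # DNS name of the domain to audit; defaults to the logged-on user's domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Collect every permission entry on this GPO that belongs to the group.
        $entries = @(Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
            Where-Object { $_.Trustee.Sid.Value -eq $EdcSid })

        $hasRead = $entries |
            Where-Object { $ReadLevels -contains $_.Permission.ToString() }

        if (-not $hasRead) {
            # Report the GPO together with whatever the group currently holds
            # (for example GpoCustom, which needs a manual look).
            [pscustomobject]@{
                DisplayName       = $gpo.DisplayName
                Id                = $gpo.Id
                CurrentPermission = if ($entries.Count) {
                    ($entries | ForEach-Object { $_.Permission }) -join ', '
                } else {
                    'None'
                }
            }
        }
    }
}

# List the affected GPOs in the current domain.
Get-GpoMissingEdcRead | Sort-Object DisplayName | Format-Table -AutoSize
```

An empty result means every GPO already grants the group read access; any GPO listed with a CurrentPermission of GpoCustom should be checked by hand in GPMC.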