Windows Server 2016 – Access Denied When Adding or Changing a GPO

Tags: active-directory, group-policy, permissions, sysvol, windows-server-2016

I have inherited a network whose GPOs are damaged. The SYSVOL folder shows signs of manual tampering with the NTFS permissions and folder structure, and I am unable to add or edit any GPOs. I receive an "Access Denied" error, and the only entry in eventvwr I can find looks like an app crash for the mmc plugin. From timestamps it is clear this hasn't worked for 4+ years.

  • I have performed a D2 and D4 restore separately; this did not resolve the issue.
  • I have confirmed delegation permissions on the domain were modified; I reset them to default.
  • Group Policy Object permissions are still modified from the original; I couldn't figure out how to reset these to default.
  • There are no existing GPOs I have to worry about.
  • There are 3 Server 2016 DCs.
  • I attempted to add NTFS permissions to C:\Windows\Sysvol and subfolders individually to give my domain admin account full control. Still no change.
  • gpupdate seems to work fine; I just can't add or edit policies from any DC.

At this time I cannot create or edit GPOs, but client machines gpupdate successfully. What else can I do to be able to edit GPOs again?

Best Answer

If anyone else runs into this in the future: some numbskull renamed the sysvol folder on the PDC... fixing that fixed everything else.
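
A check for the condition described in the answer, added here as an example and not part of the original thread: for every DC it compares the SYSVOL path Netlogon is configured with against the path the SYSVOL share points to, and confirms the Policies folder is reachable over UNC. It assumes the ActiveDirectory module (RSAT), PowerShell remoting to the DCs, and a domain admin session; the variable names are illustrative.

```powershell
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Runs locally on each DC: Netlogon's configured SYSVOL path vs. the actual share.
$check = {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $reg   = (Get-ItemProperty -Path $key).SysVol
    $share = Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RegistryPath   = $reg
        RegistryExists = [bool]($reg -and (Test-Path -LiteralPath $reg))
        SharePath      = $share.Path
        ShareExists    = [bool]($share -and (Test-Path -LiteralPath $share.Path))
        PathsMatch     = ("$reg".TrimEnd('\') -eq "$($share.Path)".TrimEnd('\'))
    }
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $local = Invoke-Command -ComputerName $dc.HostName -ScriptBlock $check `
                            -ErrorAction SilentlyContinue

    # The Policies folder is where GPO files are written when a GPO is created.
    $unc = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies"

    [pscustomobject]@{
        DC             = $dc.HostName
        # GPMC targets the PDC emulator by default, so a fault there blocks editing.
        IsPDC          = $dc.OperationMasterRoles -contains 'PDCEmulator'
        RegistryPath   = $local.RegistryPath
        RegistryExists = [bool]$local.RegistryExists
        SharePath      = $local.SharePath
        ShareExists    = [bool]$local.ShareExists
        PathsMatch     = [bool]$local.PathsMatch
        PoliciesViaUNC = Test-Path -LiteralPath $unc
    }
}

$report | Format-Table -AutoSize

# DCs where any check failed (a renamed or moved SYSVOL folder shows up here).
$report | Where-Object {
    -not ($_.RegistryExists -and $_.ShareExists -and $_.PathsMatch -and $_.PoliciesViaUNC)
} | Select-Object DC, IsPDC, RegistryPath, SharePath
```

A DC that cannot be reached over remoting reports every local check as false, so rule out connectivity before treating it as a folder problem.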