Error when editing Group Policy Objects (with correct permissions)

When you attempt to edit a Group Policy Object and you have the correct permissions, you can sometimes run into an error like the one below. The wording may not be exactly this, but the error at the top will be "Access Denied".


This error can be quite confusing because you clearly have the access to complete that operation, so first let’s look a little bit deeper.

Locate the source of what you are trying to update

First, let’s see where we’re getting the error. In this particular instance, someone was trying to update the password policy object. It would let them open the Group Policy for editing, which instantly tells me it’s not a permissions problem; the errors you get when editing Group Policy are not always particularly helpful.

However, when they navigated to the area they wished to edit and then tried to update the settings in that area, this is when they would get the error:


Note: It is worth noting that different parts of the Group Policy update different files under the SYSVOL directory. This means the file that gives you the error, and the type of error you get, will change massively depending on which part of the Group Policy you’re trying to edit.

We have an "inf" file sharing violation

GptTmpl.inf in this example is the file we are trying to write changes to. If we browse to the directory it specifies, you should notice that the policy GUID in the error directly matches the policy you’re trying to edit.

Double-check the permissions on the ACL for that file

I wanted to check the permissions on that file to make sure some corruption hadn’t occurred, so the first thing I needed to do was right-click on that file and check the Security tab for the ACL permissions. In this instance the ACL was correct, but I noticed something peculiar in that folder, as shown below:

Right, now we’re getting somewhere: the only reason Windows creates a temporary file is because that file is in use by another device, which means you’re not able to write to it because another process is currently using it. This is the same behaviour as editing a Word document: it creates a temporary file, also known as the lock file.

Windows does not always report the correct error

This could explain what’s going on. For example, in another instance where this problem occurs with a completely different error message, you’re trying to update the folder redirection paths and the file is in the same predicament as our original file; you get this error:


This error is a little more informative than either “access denied” or “an extended error has occurred”, but as I said earlier, error messages when using Group Policy are not always helpful and can sometimes confuse you massively.

The file has a "read" lock on it

We now have the cause of the problem, so now we need to fix it. There are two ways to fix this problem. The first is the GUI method, because it’s easier to illustrate on a blog; however, I would rather use PowerShell to fix these problems because you can do it for all domain controllers at the same time. That will come later.

Fixing the issue (so you can make the update)

Note: This will not work locally on a domain controller if you have Server Core installed; you will need to run these commands remotely from an administration server.

First we need to start Computer Management, which can be accomplished with the following command:

compmgmt.msc

Note: This article will assume you are running this remotely. However, if you are using Remote Desktop to work locally on the relevant server, then you can skip the next step.

Once the window appears on the screen, right-click on the “Computer Management” text and choose Connect to another computer, as below:


You will then be presented with a dialog box where you can choose another computer. Here, enter the name of the domain controller (I would recommend the PDC emulator).


When you click OK, it will then remotely connect to the specified domain controller. You should see the name of the computer you’ve connected to next to the “Computer Management” text where we right-clicked earlier.

Next, we need to expand the Shared Folders option and then click on Open Files (Sessions will not help here because we need to know which files and folders are open with read or read/write locks).


When you select the Open Files option, you will notice a window to the right with headers that look something like this. The column we are interested in here is “Open File”; this is an example:


This shows us all the computers (in the "Accessed By" column) that are holding a read lock on this GPO object, which is not all bad, as this is normal. That being said, if you see something that links back to a policy file that you need to update, as below, this is when you get the error we have encountered:


You need to close these files if you want to edit your GPO, so find the GUID of the GPO you are looking to update, then follow these steps:

  1. Find the first valid policy GUID in the list
  2. Select this entry; it should be highlighted blue
  3. Find the last valid policy GUID
  4. Hold Shift
  5. Click the last policy
  6. Right-click the blue area
  7. Choose Close Open Files

This will then clear the locks put on by the devices; however, remember they will reacquire the lock on their next GPO update cycle, but this should give you a window of time to update the settings required.
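The same check and fix done from PowerShell across every domain controller, as an added example that is not the post’s own script. It assumes the GroupPolicy, ActiveDirectory and SmbShare modules are available on the admin workstation, that you have admin rights on the DCs, and that the GPO name passed in exists; it only reports by default and releases the handles when run with -Close.

```powershell
# Added example: list (and optionally close) SMB open-file handles under
# SYSVOL\...\Policies\{GPO-GUID} on every domain controller. Run it from an
# administration server, not on a Server Core DC. Report-only unless -Close.
param(
    [Parameter(Mandatory)] [string]$GpoName,
    [switch]$Close
)

Import-Module GroupPolicy, ActiveDirectory, SmbShare

# Resolve the GPO name to its GUID; the SYSVOL folder uses the braced form.
$gpo  = Get-GPO -Name $GpoName -ErrorAction Stop
$guid = '{' + $gpo.Id.ToString().ToUpper() + '}'
Write-Host "GPO '$GpoName' is $guid"

# Check all DCs, not just the one you happen to edit on.
$dcs = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $dcs) {
    $cim = New-CimSession -ComputerName $dc -ErrorAction SilentlyContinue
    if (-not $cim) { Write-Warning "Could not reach $dc"; continue }

    # Same data the Computer Management > Shared Folders > Open Files view shows.
    $open = Get-SmbOpenFile -CimSession $cim |
            Where-Object { $_.Path -like "*\Policies\$guid*" }

    if (-not $open) {
        Write-Host "$dc : no open handles for $guid"
        Remove-CimSession $cim
        continue
    }

    # "Accessed By" is ClientComputerName; Locks shows read/read-write locks.
    $open | Select-Object @{n='DC';e={$dc}}, ClientComputerName,
                          ClientUserName, Locks, Path |
            Format-Table -AutoSize

    if ($Close) {
        # Equivalent of "Close Open Files" in the GUI; clients re-open the
        # files on their next GPO refresh, so make the edit promptly.
        foreach ($f in $open) {
            Close-SmbOpenFile -FileId $f.FileId -CimSession $cim -Force
        }
        Write-Host "$dc : closed $(@($open).Count) handle(s)"
    }
    Remove-CimSession $cim
}
```

Run it once without -Close to confirm the handles belong to the policy you are about to edit, then again with -Close and make the change straight away.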

I will soon be converting this into an interactive PowerShell script; look out for that post soon, as it will do lots of the heavy lifting for you.