Okay, because you don’t have PolicyDefinitions in AD already, don’t add them.
Just leave the DCs alone and hop on any workstation or server that’s at least Windows 7 and use that. You are correct that by default on the c:\windows\PolicyDefinitions folder even Admins only have read access. You’ll have to find a way around that. The important thing is to understand that you don’t need to install these on your DCs for what you’re trying to do. *From:* [email protected] [mailto: [email protected]] *On Behalf Of *Heaton, Joseph@Wildlife *Sent:* Monday, September 14, 2015 4:21 PM *To:* '[email protected]' <[email protected]> *Subject:* RE: [NTSysADM] RE: IE Enterprise mode I was trying to copy the files into c:\windows\PolicyDefinitions. That’s where permissions don’t seem correct at all. Under c:\windows\sysvol, I have domain, staging, staging areas and sysvol. Under the second sysvol, I have my domain fqdn, then under that, I have Policies, scripts, StarterGPOs. I do NOT have a PolicyDefinitions folder anywhere in the sysvol file structure. The initial NTFS permissions on c:\windows\PolicyDefinitions were: Owner: TrustedInstaller TrustedInstaller – FC, This folder and subfolders SYSTEM – Modify, This folder only SYSTEM – FC, Subfolders and files only Administrators – Modify, This folder only Administrators – FC, Subfolders and files only Users – R&E, This folder, subfolders and files CREATOR OWNER – FC, Subfolders and files only ALL APPLICATION PACKAGES – R&E, This folder, subfolders and files These are the permissions on all the DCs for this folder. On one of the DCs, I changed ownership to Enterprise Admins, and changed: Administrators – FC, This folder, subfolders and files Even with that change, I had to modify the permissions on each of the files themselves to set the above permission, before I was able to copy in the new file, and replace the existing. This DC is where I have my GPMC on my own workstation pointing for AGPM. *From:* [email protected] [ mailto:[email protected] <[email protected]>] *On Behalf Of *Charles F Sullivan *Sent:* Monday, September 14, 2015 12:41 PM *To:* [email protected] *Subject:* RE: [NTSysADM] RE: IE Enterprise mode Wait. Are you looking at Windows\PolicyDefinitions on the DC? If so, that’s not what you want if you are trying to enforce the available ADMX files domain-wide. If you do not have a PolicyDefinitions folder under Sysvol\Policies, then take a step back. If you simply need to be able to edit Enterprise Mode in GPOs, just copy the admx and adml files to Windows\PolicyDefinitions on a member server that has GPMC installed. That’s all you need to do in order to edit the settings for any domain GPO. *From:* [email protected] [mailto: [email protected]] *On Behalf Of *Heaton, Joseph@Wildlife *Sent:* Monday, September 14, 2015 2:46 PM *To:* '[email protected]' <[email protected]> *Subject:* RE: [NTSysADM] RE: IE Enterprise mode Wow. Could you list the permissions on your PolicyDefinitions folder, please? Mine look really messed up. *From:* [email protected] [ mailto:[email protected] <[email protected]>] *On Behalf Of *Charles F Sullivan *Sent:* Monday, September 14, 2015 11:40 AM *To:* [email protected] *Subject:* RE: [NTSysADM] RE: IE Enterprise mode I figured I would mention UAC that since I see admins often burned by it when using Explorer. The default permissions should have allowed you to do this. Subfolders and files of the Policies folder grant Administrators full control, so I would think that when Policy Definitions was initially created, that would have been set unless someone changed it. *From:* [email protected] [mailto: [email protected]] *On Behalf Of *Heaton, Joseph@Wildlife *Sent:* Monday, September 14, 2015 11:59 AM *To:* '[email protected]' <[email protected]> *Subject:* RE: [NTSysADM] RE: IE Enterprise mode Tried copying it from another DC, with the same results. Looked at UAC, and someone has set the UAC to Never Notify, which is odd in and of itself, but “should” mean that UAC isn’t stepping in. *From:* [email protected] [ mailto:[email protected] <[email protected]>] *On Behalf Of *Charles F Sullivan *Sent:* Friday, September 11, 2015 6:04 AM *To:* [email protected] *Subject:* RE: [NTSysADM] RE: IE Enterprise mode If you are trying it locally, it’s most likely because of UAC. Copy it over the network instead. You may already know this but don’t forget to copy the .adml file(s) as well. *From:* [email protected] [mailto: [email protected]] *On Behalf Of *Heaton, Joseph@Wildlife *Sent:* Thursday, September 10, 2015 6:44 PM *To:* '[email protected]' <[email protected]> *Subject:* [NTSysADM] RE: IE Enterprise mode So, I’m having trouble importing the admx file. I’m logged onto the server with a domain admin account, and when I try to copy the file into the PolicyDefinitions folder, I get a popup saying I need permissions to do this. Anyone know how to fix this? *From:* [email protected] [ mailto:[email protected] <[email protected]>] *On Behalf Of *Damien Solodow *Sent:* Wednesday, September 09, 2015 9:18 AM *To:* [email protected] *Subject:* [NTSysADM] RE: IE Enterprise mode Yes, mostly pros, yep, nope. DAMIEN SOLODOW Senior Systems Engineer 317.447.6033 (office) 317.447.6014 (fax) HARRISON COLLEGE *From:* [email protected] [ mailto:[email protected] <[email protected]>] *On Behalf Of *Heaton, Joseph@Wildlife *Sent:* Wednesday, September 9, 2015 12:16 PM *To:* NT System Admin Issues Discussion list <[email protected]> *Subject:* [NTSysADM] IE Enterprise mode Anyone using it? Pros/cons, good thing, does it work as advertised? Is it a pain to get set up and working? Thanks, Joe Heaton Information Technology Operations Branch Data and Technology Division CA Department of Fish and Wildlife 1700 9th Street, 3rd Floor Sacramento, CA 95811 Desk: (916) 323-1284 Every Californian should conserve water. Find out how at: [image: SaveOurWater_Logo] <http://saveourwater.com/> SaveOurWater.com <http://saveourwater.com/> · Drought.CA.gov <http://drought.ca.gov/>
