Doesn't make sense to me that your laptop is the culprit if you were on the servers directly via RDP and using tools there. Your account wasn't locked out either, or you couldn't have logged on via RDP. Seems most likely to me like your Fellow DA modified the GPO when he looked at it by opening with Edit, or changed the security filtering at the time because something wasn't right?
-B -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of [email protected] Sent: Friday, May 30, 2014 11:32 AM To: [email protected] Subject: Re: [NTSysADM] OK here's a weird one (GPO access denied) That comes under the IT catch-all of "general weirdness". I've gotten used to it now ;-) Despatched via Blackberry. Mock if you will, but it gets my email without a fuss. -----Original Message----- From: "Dave Lum" <[email protected]> Sender: [email protected] Date: Fri, 30 May 2014 11:15:24 To: <[email protected]> Reply-to: [email protected] Subject: [NTSysADM] OK here's a weird one (GPO access denied) A few days ago I created a GPO, applied some security filtering and rolled it out and it worked. FYI I open an MMC on my desktop and run it as my elevated user/domain admin account, not my standard acct. Today I try to change the security filtering and I get "access denied" (I can open the GPO but not save changes). Troubleshooting: * I RDP to a domain controller with the DA acct, open GPO editor and try to edit the GPO and get the same error * Try creating new GPO via RDP to DC - access denied * Create *fresh* DA acct (different name), add to domain admins, RDP to DC. Same result! * Fellow DA can edit this same GPO ....then for fun.... * Reboot my laptop, launch MMC from my laptop with DA credentials, it all works. From my machine, my initial DA account, RDP to the DC, everything that had failed before now works! Somehow my laptop had my DA credentials locked up for just GPO's? I was able to RDP to the DC, so the only thing that makes sense here was my laptop hosing edits to Group Policy, even from other machines. Huh? Dave
