Hmm....you might be on to something, as I don't think I tested anything immediately after he edited the GPO, just my reboot so perhaps he did something that unlocked it - I know he made an edit (not security settings, he added a drive mapping) and saved. However it doesn't explain why the fresh DA account couldn't edit it. Still...this sounds as plausible as anything.
Dave

> Doesn't make sense to me that your laptop is the culprit if you were on
> the servers directly via RDP and using tools there. Your account wasn't
> locked out either, or you couldn't have logged on via RDP. Seems most
> likely to me like your Fellow DA modified the GPO when he looked at it by
> opening with Edit, or changed the security filtering at the time because
> something wasn't right?
>
> -B
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of [email protected]
> Sent: Friday, May 30, 2014 11:32 AM
> To: [email protected]
> Subject: Re: [NTSysADM] OK here's a weird one (GPO access denied)
>
> That comes under the IT catch-all of "general weirdness".
>
> I've gotten used to it now ;-)
>
> Despatched via Blackberry. Mock if you will, but it gets my email without
> a fuss.
>
> -----Original Message-----
> From: "Dave Lum" <[email protected]>
> Sender: [email protected]
> Date: Fri, 30 May 2014 11:15:24
> To: <[email protected]>
> Reply-to: [email protected]
> Subject: [NTSysADM] OK here's a weird one (GPO access denied)
>
> A few days ago I created a GPO, applied some security filtering and rolled
> it out and it worked. FYI I open an MMC on my desktop and run it as my
> elevated user/domain admin account, not my standard acct.
>
> Today I try to change the security filtering and I get "access denied" (I
> can open the GPO but not save changes).
>
> Troubleshooting:
> * I RDP to a domain controller with the DA acct, open GPO editor and try
>   to edit the GPO and get the same error
> * Try creating new GPO via RDP to DC - access denied
> * Create *fresh* DA acct (different name), add to domain admins, RDP to
>   DC. Same result!
> * Fellow DA can edit this same GPO
> ....then for fun....
> * Reboot my laptop, launch MMC from my laptop with DA credentials, it all
>   works. From my machine, my initial DA account, RDP to the DC, everything
>   that had failed before now works!
>
> Somehow my laptop had my DA credentials locked up for just GPOs? I was
> able to RDP to the DC, so the only thing that makes sense here was my
> laptop hosing edits to Group Policy, even from other machines. Huh?
>
> Dave

