Sounds more like the ticket expired for the elevated process but it's hard to 
reconstruct the sequence from the info given.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Dave Lum
Sent: Friday, May 30, 2014 12:14 PM
To: [email protected]
Subject: RE: [NTSysADM] OK here's a weird one (GPO access denied)

Hmm....you might be on to something, as I don't think I tested anything 
immediately after he edited the GPO, just my reboot so perhaps he did something 
that unlocked it - I know he made an edit (not security settings, he added a 
drive mapping) and saved. However it doesn't explain why the fresh DA account 
couldn't edit it. Still...this sounds as plausible as anything.

Dave

> Doesn't make sense to me that your laptop is the culprit if you were 
> on the servers directly via RDP and using tools there.  Your account 
> wasn't locked out either, or you couldn't have logged on via RDP.  
> Seems most likely to me like your Fellow DA modified the GPO when he 
> looked at it by opening with Edit, or changed the security filtering 
> at the time because something wasn't right?
>
> -B
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of 
> [email protected]
> Sent: Friday, May 30, 2014 11:32 AM
> To: [email protected]
> Subject: Re: [NTSysADM] OK here's a weird one (GPO access denied)
>
> That comes under the IT catch-all of "general weirdness".
>
> I've gotten used to it now ;-)
>
>
> Despatched via Blackberry. Mock if you will, but it gets my email 
> without a fuss.
>
> -----Original Message-----
> From: "Dave Lum" <[email protected]>
> Sender: [email protected]
> Date: Fri, 30 May 2014 11:15:24
> To: <[email protected]>
> Reply-to: [email protected]
> Subject: [NTSysADM] OK here's a weird one (GPO access denied)
>
> A few days ago I created a GPO, applied some security filtering and 
> rolled it out and it worked. FYI I open an MMC on my desktop and run 
> it as my elevated user/domain admin account, not my standard acct.
>
> Today I try to change the security filtering and I get "access denied" 
> (I can open the GPO but not save changes).
>
> Troubleshooting:
> * I RDP to a domain controller with the DA acct, open GPO editor and 
> try to edit the GPO and get the same error
> * Try creating new GPO via RDP to DC - access denied
> * Create *fresh* DA acct (different name), add to domain admins, RDP 
> to DC. Same result!
> * Fellow DA can edit this same GPO
> ....then for fun....
> * Reboot my laptop, launch MMC from my laptop with DA credentials, it 
> all works. From my machine, my initial DA account, RDP to the DC, 
> everything that had failed before now works!
>
> Somehow my laptop had my DA credentials locked up for just GPOs? I 
> was able to RDP to the DC, so the only thing that makes sense here was 
> my laptop hosing edits to Group Policy, even from other machines. Huh?
>
> Dave