Modifying the Central Store 2K8 GPO - You need permissions to perform this action

hennrizzler Member Posts: 23
Hi Guys,

Just going through the MS Press training kit for the 2K8 (2nd rev) and labbing GPO's and the Central Store and came across this issue. The step in the book specifically is this:

5. In Windows Explorer, open the following folder: \\contoso.com\SYSVOL\contoso.com\Policies.
6. Create a folder named PolicyDefinitions.

Now when I try to do this, I get a permissions error with no UAC prompt allowing me to retry the action with an administrative token. I'm logged on as a Domain Admin and tried adding myself to the Group Policy Creator Owners group just to make sure I have write perms to this location. I tried relaunching Windows Explorer as admin (Shift+Ctrl+click the Windows Explorer icon) and doing the actions again, but still got the same error. Instead of creating the PolicyDefinitions folder, I tried just copying it from my %Systemroot%, but I get the same error.

Now my question is: how do I do this so I have my policies in a Central Store if I cannot modify that UNC path? The only way I've figured out is to edit %Systemroot%\SYSVOL\domain\Policies on the DC.
Is this the only way? If you have more than one DC, is there a specific DC you should create the Central Store on (such as the PDC), or does replication take care of all of this?

Thanks in advance, guys.

H

Comments

  • AlexNguyen Member Posts: 358
    That is just a "warning" message. If you click "Continue", you should be able to create the folder.
    The same behavior happens on Windows 7 when you try to add/modify files in "Program Files" or
    "Windows" when UAC is turned on. If you turn off UAC, you won't get that message anymore.
    Knowledge has no value if it is not shared.
    Knowledge can cure ignorance, but intelligence cannot cure stupidity.
  • hennrizzler Member Posts: 23
    Hi Alex,

    Thanks for the reply. There is no "Continue" button. Only a "Try Again", which fails, or a "Cancel". Turning off UAC isn't really what I want to do. I want to know the "correct" method of adding to the Central Store. As I mentioned, I can get around this by adding to the %systemroot%\SYSVOL\domain\Policies directory on a DC, but as Microsoft loves to do, they put silly little questions like this in their exams, so rather than a workaround for the problem, I'd like to know what the MS method would be.

    As again stated, the press book says to copy to the UNC path, but I've found this is not possible (by default). Is there a reason? How do others add to the central store?

    Also, I've looked on TechNet, and with regard to where to copy the PolicyDefinitions folder to, any DC is fine but the PDC is recommended.
  • AlexNguyen Member Posts: 358
    What MS Press book are you referring to? What lab/chapter number in that book?
  • hennrizzler Member Posts: 23
    70-640: Configuring Windows 2008 Active Directory, Configuring (2nd Edition) Self Paced Training Kit by Dan Holme (et al).
    Chapter 6 - Implementing Group Policy
    Exercise 5, Page 275.
  • AlexNguyen Member Posts: 358
    I've installed SERVER01 with Windows 2008 R2 from scratch, and created a new forest and domain CONTOSO.COM.
    I've logged on the server with CONTOSO\Administrator and created the "PolicyDefinitions" folder on
    \\contoso.com\SYSVOL\contoso.com\Policies without any pop-up.
  • hennrizzler Member Posts: 23
    Hi Alex,

    I appreciate the time you've taken to help me and to also lab this. You are correct, when I log on as domain\administrator it works fine. I was logging on previously as a domain user who was a member of the domain admin group and this seems like it wasn't enough. Even adding that user to enterprise admin group does not seem to be enough to allow you to create/modify this UNC path.

    You've answered my question. Thank you :)

    Do you have any idea why it has to be domain\administrator, or do you know what permission I need to grant my domain user to allow it to modify that directory?
  • AlexNguyen Member Posts: 358
    I've checked the "Policies" folder permissions and the CONTOSO\Administrators group has the rights to create.
    So I've created a new user who is a member of the CONTOSO\Administrators group. But that new user cannot
    create a folder in "Policies" by traversing \\contoso.com\SYSVOL\contoso.com\Policies. That new user can create
    a folder in "Policies" by traversing C:\Windows\SYSVOL\domain\Policies.

    I've installed a new SERVER02 which is a member of the CONTOSO domain. I've logged on to SERVER02 with
    a user who is a member of the CONTOSO\Administrators group. Then, that user can create a folder in "Policies" by
    traversing \\contoso.com\SYSVOL\contoso.com\Policies.

    So, locally, it seems only CONTOSO\Administrator can create a folder. But if you access it via the network from another
    server, members of the CONTOSO\Administrators group can too.
  • hennrizzler Member Posts: 23
    I've confirmed this as well by logging on as a domain admin on another client (Win 7 client) and am able to make the relevant changes by traversing the UNC path. Thanks, guess I can trust the MS press book (they've been known for their incorrect information at times, especially the 70-680!).

    I wonder why you cannot create it locally on a DC traversing that UNC path as a domain member with administrative privileges? That's quite interesting.
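
Added example, not from any poster in this thread: one way to populate the Central Store from a PowerShell session rather than Windows Explorer, using the UNC path and the %SystemRoot%\PolicyDefinitions source the thread mentions. The function names are hypothetical, and the elevation check rests on an assumption the thread does not confirm: that the local failures on the DC come from a UAC-filtered token, which the built-in Administrator account does not receive by default.

```powershell
# Added example (Windows PowerShell); function names are hypothetical.
# Assumption: the caller is a domain account with write access to SYSVOL.

function Test-ElevatedToken {
    # True only when the Administrators SID is enabled in this process token,
    # i.e. the session is not running with a UAC-filtered token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Initialize-CentralStore {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,                  # e.g. contoso.com
        [string]$Source = "$env:SystemRoot\PolicyDefinitions"  # local ADMX/ADML files
    )
    if (-not $Domain) { throw "Not logged on with a domain account." }

    # DomainRole 4 or 5 means this machine is a domain controller.
    $onDc     = (Get-WmiObject Win32_ComputerSystem).DomainRole -ge 4
    $elevated = Test-ElevatedToken
    if ($onDc -and -not $elevated) {
        throw "Running on a DC without an elevated token; use 'Run as administrator'."
    }

    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    $store    = Join-Path $policies 'PolicyDefinitions'
    if (-not (Test-Path -LiteralPath $policies)) { throw "Cannot reach $policies" }
    if (-not (Test-Path -LiteralPath $store)) {
        New-Item -ItemType Directory -Path $store -ErrorAction Stop | Out-Null
    }

    # Copy the .admx files and the language subfolders (.adml) into the store.
    Copy-Item -Path (Join-Path $Source '*') -Destination $store `
              -Recurse -Force -ErrorAction Stop

    # Report what landed so a partial copy is visible.
    $src = @(Get-ChildItem -LiteralPath $Source -Filter *.admx).Count
    $dst = @(Get-ChildItem -LiteralPath $store  -Filter *.admx).Count
    New-Object PSObject -Property @{
        Store = $store; OnDC = $onDc; Elevated = $elevated
        SourceAdmx = $src; StoreAdmx = $dst; Complete = ($dst -ge $src)
    }
}

Initialize-CentralStore
```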