
“Recover” GPO Rights

Have you ever experienced that a junior administrator, or someone else, by accident set a Deny “Read” permission for e.g. “Authenticated Users” on a Group Policy Object when they actually wanted Deny “Apply GPO”? If you’re experiencing this problem or something similar, this post is certainly for you.

I’d like to show you two methods to discover the GUID of the Group Policy Object, which is needed to “recover” the rights; the recovery itself is shown in the last part of this post.

Anyway… go grab a cup of coffee and let’s get started! 🙂

Part 1 – Find GUID – Easy Way

If the GPO link isn’t deleted in the Group Policy Management Console, you can easily find the GUID using these simple steps.

1. Go to Start > Run.
In Server 2008 simply use “Search Programs and files” in the Start menu instead.

2. Type GPMC.msc and hit enter.

3. Browse to the location where the object is LINKED to.
You won’t be able to find it in the Group Policy Objects container since you no longer have access to “read” it.

Figure 1: Open GPMC and browse to the linked location of the object.

4. Select the GPO object named “Inaccessible”.

Figure 2: Select "Inaccessible".

5. Copy the GUID which appears under the scope tab in the content view of the Group Policy console.

Figure 3: Copy the GUID (Unique ID) from the content view.

That’s it. If you found the GUID this way, you can jump straight to Part 3 of this guide.

Part 2 – Find GUID – Advanced

If the link has been deleted in the GPMC console, you’ll have to use another approach to find the GUID.
My best suggestion is to use adsiedit.msc. On Windows Server 2003 it requires the Windows Support Tools to be installed; on Windows Server 2008 the tool is available by default.

In the next few steps I’ll show you how to use adsiedit.msc to discover the GUID of the Group Policy Object.

1. Go to Start > Run.

2. Type adsiedit.msc and hit enter.
In Server 2008 simply use “Search Programs and files” in the Start menu instead.

Figure 4: Go to Run and type adsiedit.msc.

3. Expand the DC container.

4. Expand the System container.

5. Expand the Policies container.

Figure 5: Expand the containers.

6. Scroll through the list of Group Policy Objects in the content view of adsiedit.msc and locate the GUID that is shown with a notepad-like document icon (it is shown that way because its object class can no longer be read).
Notice that the other GUIDs look like folders.

7. Copy this GUID.

Figure 6: Copy the GUID.

Okay… now we have the GUID of the object whose rights we need to recover.
If you’re done with your coffee you should grab another one now and come back to Part 3 afterwards!
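Both Part 1 and Part 2 come down to the same question: which entry under CN=Policies,CN=System is the GPO nobody can read any more? The following PowerShell function is an added example, not code from the original post; it enumerates the GPO containers from the same place ADSIEdit shows them and flags the ones whose attributes cannot be read. It assumes the in-box System.DirectoryServices types (no RSAT needed) and that an inaccessible GPO is still returned by a one-level search, just with no readable attributes, which is what the document icon in Part 2 indicates.

```powershell
# Added example (not from the original post): list the GPO containers under
# CN=Policies,CN=System and flag the ones whose attributes cannot be read.
# Assumption: an object you are denied Read on still appears in a one-level
# search (List Contents on the parent), only with an empty property set.
function Find-InaccessibleGpo {
    param(
        # Domain DN such as "DC=contoso,DC=com"; defaults to the current domain
        [string]$DomainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )

    $policies = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Policies,CN=System,$DomainDN")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($policies)
    $searcher.Filter      = '(objectClass=*)'
    $searcher.SearchScope = 'OneLevel'
    $searcher.PropertiesToLoad.AddRange([string[]]@('displayName', 'objectClass'))

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            # The CN of each child is the GPO GUID, e.g. {E44507AF-29F1-4057-8EDE-6A97A147AAA5}
            $guid = if ($result.Path -match 'CN=(\{[0-9A-Fa-f-]+\})') { $Matches[1] } else { $result.Path }

            # A readable GPO always returns objectClass; an inaccessible one returns nothing.
            $readable = $result.Properties['objectclass'].Count -gt 0
            $name = if ($readable -and $result.Properties['displayname'].Count -gt 0) {
                        [string]$result.Properties['displayname'][0]
                    } else { '<inaccessible>' }

            [pscustomobject]@{
                Guid        = $guid
                DisplayName = $name
                Readable    = $readable
                DN          = $result.Path -replace '^LDAP://', ''
            }
        }
    } finally {
        $results.Dispose()
    }
}

# Show the unreadable GPOs first; their Guid column is what Part 3 needs.
Find-InaccessibleGpo | Sort-Object Readable | Format-Table Guid, DisplayName, Readable -AutoSize
```

The DN column is exactly the string the dsacls commands in Part 3 take, so you can paste it from here instead of assembling it from the GUID and domain components by hand.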

Part 3 – Recover Procedure

1. Go to Start > Run.
In Server 2008 simply use “Search Programs and files” in the Start menu instead.

2. Type cmd and hit enter.

Figure 7: Run CMD.

3. Type the following command: dsacls cn=<GUID>,cn=policies,cn=system,dc=<domain>,dc=<domain>
Replace <GUID> with the one you copied in Part 1 or Part 2 of this guide, and replace dc=<domain>,dc=<domain> with the components of your own domain name.
Example: dsacls cn={E44507AF-29F1-4057-8EDE-6A97A147AAA5},cn=Policies,cn=system,dc=contoso,dc=com

Figure 8: Run the dsacls command-line tool.

You’ll now be shown a list with two columns: the first lists the users and groups, and the second lists their permissions.
In the example provided here you should simply look for the word “Deny”.

Figure 9: View rights on the GPO.

4. If the object has been denied for the specific group or user, run the following command: dsacls cn=<GUID>,cn=policies,cn=system,dc=<domain>,dc=<domain> /R USER/GROUP
Replace <GUID> with the one you copied in Part 1 or Part 2 of this guide, replace dc=<domain>,dc=<domain> with the components of your own domain name, and replace USER/GROUP with the name of the user or group that was denied.
Example: dsacls cn={E44507AF-29F1-4057-8EDE-6A97A147AAA5},cn=Policies,cn=system,dc=contoso,dc=com /R “Authenticated Users”

5. It might be a good idea to give the user or group that was denied access to the object earlier some more rights to the object than just Read. You’ll have to adjust this to whatever you’re trying to recover in your environment.
Type the following line: dsacls cn=<GUID>,cn=policies,cn=system,dc=<domain>,dc=<domain> /G USER/GROUP:GA
Replace <GUID> with the one you copied in Part 1 or Part 2 of this guide, replace dc=<domain>,dc=<domain> with the components of your own domain name, and replace USER/GROUP with the name of the user or group that was denied earlier.
Example: dsacls cn={E44507AF-29F1-4057-8EDE-6A97A147AAA5},cn=Policies,cn=system,dc=contoso,dc=com /G “Authenticated Users”:GA

Figure 10: Grant "Generic All" to Authenticated Users.
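Two details of steps 4 and 5 are worth having in front of you before you run them: dsacls /R removes every ACE for the trustee, the Allow entries included, so whatever rights that trustee normally holds on the GPO have to be granted back; and GA (Generic All) for “Authenticated Users” lets every account in the domain edit the policy, which is far more than the default of Read plus the “Apply Group Policy” extended right. The function below is an added example, not code from the original post. It wraps the Part 3 procedure in PowerShell, re-grants the default rights by default and makes the post’s GA grant an explicit opt-in. It assumes dsacls.exe is on the PATH (it ships with the AD DS tools), that the caller can read and write the GPO’s ACL as in the post (typically because Domain Admins owns the object), and that dsacls’ “CA;<extended right name>” syntax is used for the Apply Group Policy right.

```powershell
# Added example (not from the original post): steps 3 to 5 of Part 3 as one
# function. Default outcome is Read + "Apply Group Policy" for the trustee;
# -GrantFullControl reproduces the post's GA grant. Assumes dsacls.exe on PATH.
function Repair-GpoTrusteeAccess {
    param(
        [Parameter(Mandatory)][string]$GpoGuid,    # from Part 1 or 2, e.g. {E44507AF-29F1-4057-8EDE-6A97A147AAA5}
        [Parameter(Mandatory)][string]$DomainDN,   # e.g. dc=contoso,dc=com
        [Parameter(Mandatory)][string]$Trustee,    # e.g. "Authenticated Users" or CONTOSO\GPO-Admins
        [switch]$GrantFullControl,                 # opt in to the post's step 5 (GA)
        [switch]$DryRun                            # print the dsacls commands instead of running them
    )
    $dn = "cn=$GpoGuid,cn=Policies,cn=System,$DomainDN"

    # Step 3: dump the ACL and look for Deny entries naming the trustee.
    # dsacls prints one ACE per block, each starting with "Allow" or "Deny".
    $acl = & dsacls.exe $dn
    if ($LASTEXITCODE -ne 0) { throw "dsacls could not read $dn (exit code $LASTEXITCODE)" }
    $denies = $acl | Where-Object { $_ -match '^\s*Deny\s' -and $_ -match [regex]::Escape($Trustee) }
    if (-not $denies) {
        Write-Host "No Deny entries for ${Trustee} on ${dn}; nothing to do."
        return
    }
    Write-Host "Deny entries found for ${Trustee}:`n$($denies -join "`n")"

    # Step 4: /R strips ALL ACEs for the trustee (Allow and Deny alike), so the
    # normal GPO rights are granted straight back: Read on the GPO and its
    # Machine/User subcontainers (/I:T) plus the Apply Group Policy extended right.
    $commands = @(
        ,@($dn, '/R', $Trustee)
        ,@($dn, '/G', "${Trustee}:GR", '/I:T')
        ,@($dn, '/G', "${Trustee}:CA;Apply Group Policy")
    )
    # Step 5 of the post, only on request: Generic All means anyone matching the
    # trustee can modify the policy, so keep it for administrative groups.
    if ($GrantFullControl) { $commands += ,@($dn, '/G', "${Trustee}:GA", '/I:T') }

    foreach ($dsaclsArgs in $commands) {
        if ($DryRun) { Write-Host "DryRun: dsacls $($dsaclsArgs -join ' ')"; continue }
        & dsacls.exe @dsaclsArgs | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls $($dsaclsArgs -join ' ') failed (exit code $LASTEXITCODE)" }
    }

    # Show the resulting ACL so the Deny line can be confirmed gone.
    if (-not $DryRun) { & dsacls.exe $dn }
}

# Dry run with the post's example values; drop -DryRun to apply the change.
Repair-GpoTrusteeAccess -GpoGuid '{E44507AF-29F1-4057-8EDE-6A97A147AAA5}' `
                        -DomainDN 'dc=contoso,dc=com' `
                        -Trustee 'Authenticated Users' -DryRun
```

Run it once with -DryRun to see the three dsacls commands it would issue, then without. Note that this, like the post, only touches the GPO’s container in Active Directory; the policy’s folder in SYSVOL carries its own ACL, and GPMC will report the two as inconsistent if a matching Deny was also written there.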

6. Head back to the Group Policy Management Console and find the place where the GPO is linked, or check the Group Policy Objects container.
It’s now possible to edit the Group Policy Object again since the rights have been “restored”.

Figure 11: The GPO rights are now "restored".


I hope you enjoyed this little guide and that it might help you in your future work.

  1. Appreciative
    April 16, 2015 at 9:12 AM

    Thanks, this was a lifesaver.
