Diagnosing why a Group Policy Object is inaccessible

I have a Windows Server 2003 domain. One of the Group Policy Objects appears as a linked item in an OU, but all I can see is the Unique ID and that the Link Status is Enabled. There is a red minus icon next to it and its name reads "Inaccessible." The message says "This Group Policy object (GPO) is inaccessible because you do not have the read-level permission on it."

There is a folder in SYSVOL that contains the Unique ID and I can browse into it without any trouble. If I view the complete list of Group Policy Objects I can't find anything that resembles this inaccessible GPO.

If I run Group Policy Results wizard against a user that the Inaccessible policy applies to then I'm able to see the real name of the GPO and see all the settings that are being applied to the user from the GPO.

What may have happened which would cause an administrator to lose almost all access to a GPO and can the access be restored?


The permission on the Group Policy Container (the GPC, an Active Directory object) has been set to deny your read-level permission. The permissions on the filesystem object you've found (the "Group Policy Template", or GPT) can "come out of sync" with the permissions on the Active Directory object. (For some background, have a look at http://msdn.microsoft.com/en-us/library/aa374180(VS.85).aspx).

Fortunately, you can use a tool like ADSIEDIT to restore the permission on the GPC. Using ADSIEDIT you'll find a "groupPolicyContainer" corresponding to the GUID of the problematic GPO under the "CN=Policies" object of the "CN=System" object in the Domain NC of the domain the GPO resides in. (Install ADSIEDIT from the Support Tools on the Windows Server media, open it, drill into "Domain", then "CN=System" and "CN=Policies" and you'll find the GPC).

Use the "Security" tab of the "Properties" sheet for the GPC corresponding to the problematic GPO, and use the "Default" button in the "Advanced" dialog to restore the default permissions.

If ADSIEDIT won't allow you to modify the permissions (probably displaying an oddball error message like "An invalid directory pathname was passed"), then likely someone placed a "Deny / Full Control" permission onto the object. The dsacls command with the argument CN=GUID-OF-THE-PROBLEMATIC-GPO,CN=Policies,CN=System,DC=your,DC=domain,DC=com will report the permissions. Search for the errant "Deny" and "FULL CONTROL" entry and use the /R user-or-group-name parameter on dsacls to remove the permissions associated with that user or group. If it's really messed up then you'll probably have to use the Windows Server 2008 ADAM / AD LDS version of dsacls with the /takeownership argument to take ownership of the object.
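The answer above inspects the GPC with ADSIEDIT or dsacls by hand. The following script is an added example, not part of the answer, that performs the same check from PowerShell: it reads the ACL of the GPC (the Active Directory object under CN=Policies,CN=System) and the ACL of the matching GPT folder in SYSVOL, and lists every Deny entry plus the owner on each side, so an administrator can see which trustee lost read access and whether the two sides have drifted apart. It assumes a management host with the RSAT ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 or later, which the original 2003-era question did not have), a domain-admin context, and a placeholder GUID you replace with the Unique ID shown in GPMC; the function name is made up for this example.

```powershell
# Added example, not code from the original answer. Assumes RSAT ActiveDirectory and
# GroupPolicy modules (Server 2008 R2 / Windows 7 RSAT or later) and domain-admin rights.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoDenyEntries {
    param(
        # Unique ID as shown on the GPO's Details tab, with or without braces.
        [Parameter(Mandatory)] [string] $GpoGuid,
        # Defaults to the domain of the current session.
        [string] $Domain = (Get-ADDomain).DNSRoot
    )

    $dom = Get-ADDomain -Identity $Domain
    if ($GpoGuid -notmatch '^\{.*\}$') { $GpoGuid = "{$GpoGuid}" }

    # GPC: the Active Directory half of the GPO. The AD: drive is provided by the
    # ActiveDirectory module, so Get-Acl works on a distinguished name.
    $gpcDn  = "CN=$GpoGuid,CN=Policies,CN=System,$($dom.DistinguishedName)"
    $gpcAcl = Get-Acl -Path "AD:\$gpcDn"

    # GPT: the SYSVOL half of the GPO, a plain folder with its own NTFS ACL.
    $gptPath = "\\$($dom.DNSRoot)\SYSVOL\$($dom.DNSRoot)\Policies\$GpoGuid"
    $gptAcl  = Get-Acl -Path $gptPath

    # The display name only resolves if the caller can still read the GPC;
    # the "Inaccessible" symptom means it may fail, so do not let it abort the audit.
    $displayName = try { (Get-GPO -Guid $GpoGuid -Domain $dom.DNSRoot).DisplayName }
                   catch { '<unreadable>' }

    Write-Host "GPO $GpoGuid ($displayName)"
    Write-Host "  GPC owner: $($gpcAcl.Owner)"
    Write-Host "  GPT owner: $($gptAcl.Owner)"

    # Collect every explicit or inherited Deny ACE on both sides. A "Deny / Full Control"
    # on the GPC is exactly what the answer describes as the usual cause.
    $denies = @()
    foreach ($ace in $gpcAcl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }) {
        $denies += [pscustomobject]@{
            Side      = 'GPC'
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
    foreach ($ace in $gptAcl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }) {
        $denies += [pscustomobject]@{
            Side      = 'GPT'
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }

    if ($denies.Count -eq 0) {
        Write-Host "  No Deny entries on GPC or GPT; look at missing Read/Apply grants instead."
    }
    return $denies
}

# Usage: replace the placeholder with the Unique ID from GPMC's Details tab.
Get-GpoDenyEntries -GpoGuid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

The script only reads; once the offending trustee is identified, the removal step is the dsacls /R call the answer describes (or Set-GPPermission / the ADSIEDIT "Default" button), and it is worth re-running the audit afterwards to confirm the GPC and GPT agree again.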


Alternatively, log in with a brand new user account set up as an Enterprise/Domain admin/other administrative group which does still have access to the GP, then open GP Management and reset the permissions for the users which get the "Inaccessible" error.


Just an addition to Evan's great answer, that you can find the GUID of the parent policy in Group Policy Manager. Choose the policy, go to the Details tab and look for Unique ID. From there, you can drill down to the exact policy component you are looking for, if you had specified permissions further down the policy.


I had the same issue and discovered I had forgotten I targeted the GPO to a specific security group using "Security Filtering" tab in the group policy. Change this to Authenticated Users and the message disappeared!
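The last answer points at security filtering rather than a Deny ACE: if the "Apply group policy" right is granted only to a specific group, administrators outside that group may see the GPO as inaccessible. This added example, not code from any of the answers, lists who holds GpoApply on a GPO through the GroupPolicy module and, only when asked, restores the default grant to Authenticated Users. It assumes a host with the RSAT GroupPolicy module and rights to edit the GPO's security; the function name and the GPO name in the usage line are placeholders.

```powershell
# Added example, not code from the original answers. Assumes the RSAT GroupPolicy module
# and permission to read and modify the GPO's security.
Import-Module GroupPolicy

function Test-GpoSecurityFiltering {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        # Only when this switch is set does the function change anything.
        [switch] $RestoreAuthenticatedUsers
    )

    # -All returns every trustee, including denied entries and inherited ones.
    $perms = Get-GPPermission -Name $GpoName -All

    # Security filtering is the set of trustees holding the GpoApply level.
    $apply = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    Write-Host "Security filtering on '$GpoName':"
    foreach ($p in $apply) {
        Write-Host ("  {0}\{1} ({2})" -f $p.Trustee.Domain, $p.Trustee.Name, $p.Trustee.SidType)
    }

    # Explicit denies are reported separately; these are the entries the earlier
    # answer removes with dsacls /R.
    $denied = $perms | Where-Object { $_.Denied }
    foreach ($p in $denied) {
        Write-Host ("  DENIED: {0}\{1} -> {2}" -f $p.Trustee.Domain, $p.Trustee.Name, $p.Permission)
    }

    $hasAuthUsers = $apply | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }

    if (-not $hasAuthUsers) {
        Write-Host "  'Authenticated Users' does not hold Apply; GPO is scoped to the groups above."
        if ($RestoreAuthenticatedUsers) {
            # Restores the default filtering the answer describes. GpoApply implies Read.
            Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoApply | Out-Null
            Write-Host "  Granted GpoApply to Authenticated Users."
        }
    }

    # Return a summary object so the result can be checked or logged.
    return [pscustomobject]@{
        Gpo                    = $GpoName
        ApplyTrustees          = @($apply | ForEach-Object { $_.Trustee.Name })
        DeniedTrustees         = @($denied | ForEach-Object { $_.Trustee.Name })
        AuthenticatedUsersApply = [bool]$hasAuthUsers
    }
}

# Usage: audit only (placeholder GPO name); add -RestoreAuthenticatedUsers to fix.
Test-GpoSecurityFiltering -GpoName 'Example Desktop Policy'
```

Running the audit without the switch first is the safer order: it shows whether the missing access is a deliberate filtering choice or a stray Deny before any permission is changed.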