Reputation: 473
Group Policy Object Creation Failed - This security ID may not be assigned as the owner of this object
We have a Windows SBS 2008 domain controller (the only one in our domain) and I'm trying to create a new Group Policy Object to handle printers. Every time I attempt to create a new GPO, either in the Group Policy folder directly or the linked in one of the organizational folders I receive the following message - "This security ID may not be assigned as the owner of this object." I've been looking around but I haven't found anything that works. Most results for this search indicate that people are having trouble with Folder Redirection policies. We have Folder Redirection enabled, but every workstation in the domain is running Windows 7 Professional, and no one is having trouble with the redirection policy. I've double-checked the sysvol directory and both SYSTEM and Administrators have the appropriate rights. I've added the sysadmin account to the Group Policy Creator Owners group (which again, has rights to sysvol) but still nothing. I've been at this all day and I'm coming up completely empty. There's nothing in the Event View logs, and I even created another administrative level user or simply copy/pasting an existing GPO. Same message everytime. This only started happening this week. Does anyone have any idea? I'm starting to get desperate.
Upvotes: 0
Views: 11842
Answers (2)
Reputation: 1033
I just encountered this issue. Google finds solutions (such as here) suggesting you verify you or your security group (domain admins, builtin\administrators) have Group Policy permissions in the Default Domain Controllers Policy at Computer Config > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Restore files and directories.
In my case, I also had to confirm the same permissions in my Default Domain Policy. I'm not sure how they changed, but after adding the group and forcing a Group Policy refresh (gpupdate /force), the problem was resolved.
Upvotes: 0
Reputation: 473
Looks like I managed to solve it. Probably not ideal, but I'll share in case anyone else has a similar issue. Looks like the permissions were not correct as I had assumed. I went through again and granted Full Control to the Group Policy Creator Owners group on the following three folders: C:\Windows\sysvol\sysvol, C:\Windows\sysvol\sysvol\ourDomain.local, and C:\Windows\sysvol\sysvol\ourDomain.local\Policies. The last one, I set the rights to extend to subfiles and folders. After a quick logout to reset the permissions, I was able to create a new policy object.
Upvotes: 0
Related Questions
- Managed Service Account does not have enough permissions while adding ObjectAcessControl
- How to create GPO programmatically?
- Failed to open the Group Policy Object. You may not have appropriate rights
- add security groups to folder issue / System.Security.Principal.IdentityNotMappedException:
- Configure Group Policy Object with PowerShell
- Using Group Policy Object (GPO) via .NET\C#
- Attempt by security transparent method 'x' to access security critical method 'System.Runtime.InteropServices.GCHandle.Alloc(System.Object)' failed
- COM Interops InvalidCastException with IGroupPolicyObject
- Error 5021 creating a "Managed Service Account"
- Error adding policy file to GAC