GPO Inaccessible error message in the GPMC

This may be seen within the Group Policy Management Console (GPMC) when the permissions on the GPO have been changed. By default, the Authenticated Users group (which covers all users and computers within the domain) has Read and Apply group policy permissions. This means that the GPO will apply to any users or computers within scope, i.e. where the GPO is linked to a Site, Domain or OU that the user or computer is a member of.

If a GPO admin has removed these permissions, which may have been done in an attempt to apply GPO filtering, and the user seeing the message is not a Domain Admin, then this message may appear. Domain Admins have Read access to GPOs by default, which is why they should not normally see this message; however, if their Read permissions have also been removed, they would get the error too.

Resolution

Within the GPMC, click on the GPO in question, go to the Delegation tab, click the Advanced button at the bottom right of the screen, then add the Authenticated Users group back in and give it Read access.

Note: Authenticated Users should now always have at least Read permissions, as computers processing the GPO need to be able to read the policy. This was not always the case; however, Microsoft implemented a security update in June 2016 which changed this behaviour.
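
The same check and fix applied to every GPO in the domain, as an added PowerShell example that is not part of the original post. It assumes the GroupPolicy module that ships with the GPMC, an account able to read and modify the GPOs, and the English group name; the function name and its `-Fix` switch are hypothetical.

```powershell
#Requires -Modules GroupPolicy
# Added example: report GPOs where Authenticated Users (well-known SID
# S-1-5-11) has no permission entry, and optionally grant Read.
# The function name and -Fix switch are hypothetical.
function Repair-GpoAuthenticatedUsersRead {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Fix   # without -Fix the function only reports
    )

    foreach ($gpo in Get-GPO -All) {
        # List every trustee on the GPO and match on the SID, so the check
        # does not depend on how the group name is displayed.
        $entry = Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }

        if ($entry) { continue }   # Read, Apply or higher is already present

        $granted = $false
        if ($Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName,
                'Grant GpoRead to Authenticated Users')) {
            # GpoRead only: the GPO becomes readable but is not applied to
            # everyone, so existing security filtering stays in place.
            # Assumption: the group resolves under its English name.
            Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
            $granted = $true
        }

        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            ReadGranted = $granted
        }
    }
}

# Report only:
Repair-GpoAuthenticatedUsersRead
# Report and fix, confirming each GPO:
# Repair-GpoAuthenticatedUsersRead -Fix -Confirm
```

`Get-GPO -All` returns only the GPOs the calling account can read, so a GPO with Read removed for the caller as well will not show up in the report.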

One Comment

  1. Hi Peter,
    Nice day to you!

    Recently I got an error on one of the desktops of an OU showing Error Guid of GPO is not accessible check permission (later I started getting the same error from all desktops), along with the sysvol share folder full path.
    I request your kind help in understanding these errors.

    1. How do we directly resolve this (meaning the permission issue)?
    And in my case it is resolved by a firewall filter (by the network team, however I did not notice what they changed). How to find that change?

    2. Very strangely, for the first time in my career I saw a GPO working on an OU, however that OU is not seen on applied OU on the same OU.

    OR simply one of the GPOs that is applying settings on an OU is nowhere linked on that OU.

    Regards
    Raj

    Bangalore

    Thanks
    Raj
    Bangalore
