1

We inherited a network with badly damaged GPOs across 3 DC's (all WinServ 2016). We receive an "Access Denied" error when using GPOs, and the permissions of the SYSVOL folder show signs of tampering. I have attempted a D2 and D4 restore, following these instructions: https://docs.microsoft.com/en-US/troubleshoot/windows-server/group-policy/force-authoritative-non-authoritative-synchronization

However the issue persists.

The thing is, there are no group policies present other than the default 2. So what I would really like to do is reset the entire GPO system to default, rebuild the SYSVOL folder entirely from scratch to receive default permissions, and then perform another D4 authoritative sync. Is this possible? How can it be done?

TechnoNewbie
  • 23
  • 3
  • 1
    dcgpofix https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dcgpofix – Greg Askew Apr 22 '22 at 18:22
  • 1
    This is one of those times when the best course of action is to open a support case with Microsoft. Don't take action that may make things worse, or worse yet, make things unrecoverable. – joeqwerty Apr 22 '22 at 18:34

1 Answers1

2

That's quite a broad question. Recreating SYSVOL is not just one simple step. Here is the documentation for this whole process: https://docs.microsoft.com/en-us/troubleshoot/windows-server/group-policy/rebuild-sysvol-tree-and-content-in-a-domain

Resetting the default domain policies is much easier. Use the dcgpofix tool:

dcgpofix /ignoreschema /target:both
stackprotector
  • 445
  • 1
  • 3
  • 20
  • Upon running this I receive an error: Unable to create the file or directory C:\Windows\SYSVOL\domain.site\Policies. The system cannot find the path specified. I can confirm that a junction exists at c:\windows\sysvol\domain.site which points to c:\windows\sysvol\domain\ – TechnoNewbie Apr 22 '22 at 18:40
  • I'll proceed with the link to rebuild SYSVOL and report back here. – TechnoNewbie Apr 22 '22 at 18:52
  • ultimately this answers my question to rebuild sysvol even if the access denied error persists. – TechnoNewbie Apr 22 '22 at 21:36