Enterprise Domain Controllers Group and Group Policies

A colleague, Mark Empson, and I have been developing a new service entitled a GPO Health Check that looks at every aspect of the health of your Group Policies. Well, one of the tests involved checking for any Group Policies that had only the Read Group Policy Object permission and not the Apply Group Policy permission.

Once this test had run through, we found that virtually every group policy in our test environment registered as having this Read-only permission set against a group called “Enterprise Domain Controllers”. On further investigation this proved to be absolutely correct, and it is the default setting for a Windows 2003, Windows 2008 and Windows 2008 R2 environment.

This Read-only access is required for Group Policy Modeling, which is a feature of the Group Policy Management Console (GPMC) that simulates the resultant set of policy for a particular configuration. The simulation is performed by a service that runs on domain controllers. To perform the simulation across domains, the service must have Read access to all Group Policy Objects (GPOs) in the forest.

However, an important proviso is associated with this, which I was blissfully unaware of.

If you are upgrading from a Windows 2000 forest to 2008 or 2008 R2, only NEW group policies will have this “Enterprise Domain Controllers” Read permission applied to them. All group policies created previously will not have this permission applied to them.

This will be exhibited by the GPMC snap-in informing you that “Enterprise Domain Controllers” does not have Read access to the Group Policy.

To remove this error message, all you need to do is use a script to update the Group Policy permissions across your enterprise.

The details of this script, plus details of how to run it from the command line, are available here.
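As an added illustration of what such a permissions update looks like (this is example code written for this post, not the script linked above), the following PowerShell uses the GroupPolicy module that ships with GPMC on 2008 R2 to report every GPO in a domain that lacks the Enterprise Domain Controllers Read entry, and then to add it. It assumes the GroupPolicy module is installed, that you run it as an account allowed to edit GPO security, and that the well-known SID S-1-5-9 identifies the group regardless of display language; the function names are my own.

```powershell
# Added example, not the post's own script: audit GPOs for the Enterprise
# Domain Controllers Read permission that GPMC and Group Policy Modeling
# expect, and optionally grant it where it is missing.
Import-Module GroupPolicy

# Well-known SID for Enterprise Domain Controllers. Matching on the SID
# rather than the display name avoids locale-dependent group names.
$EdcSid = 'S-1-5-9'

function Get-GpoMissingEdcRead {
    param([string]$Domain = $env:USERDNSDOMAIN)
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $acl = Get-GPPermission -Guid $gpo.Id -DomainName $Domain -All
        $edc = $acl | Where-Object {
            $_.Trustee.Sid.Value -eq $EdcSid -or
            $_.Trustee.Name -eq 'Enterprise Domain Controllers'
        }
        # Any level at or above Read is acceptable; the GPMC warning only
        # appears when the group is absent from the GPO's security entirely.
        if (-not $edc) {
            [pscustomobject]@{ Name = $gpo.DisplayName; Id = $gpo.Id }
        }
    }
}

function Repair-GpoEdcRead {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Domain = $env:USERDNSDOMAIN)
    foreach ($gpo in Get-GpoMissingEdcRead -Domain $Domain) {
        if ($PSCmdlet.ShouldProcess($gpo.Name, 'Grant Enterprise Domain Controllers Read')) {
            # GpoRead is Read only, deliberately not GpoApply: the modeling
            # service needs to read the GPO, not have it applied.
            Set-GPPermission -Guid $gpo.Id -DomainName $Domain `
                -TargetName 'Enterprise Domain Controllers' -TargetType Group `
                -PermissionLevel GpoRead | Out-Null
        }
    }
}

# Report first, preview with -WhatIf, then repair for real.
Get-GpoMissingEdcRead | Format-Table -AutoSize
Repair-GpoEdcRead -WhatIf
```

Run the report in each domain of the forest, since the modeling service needs Read on every GPO forest-wide and the cmdlets work one domain at a time.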


Well, I did not realise the above until just the other day, so another tidbit to store away :).