I recently accidentally added an Authenticated Users = Deny Read ACE to a GPO object. Because 'Deny' ACEs take priority over 'Allow', everyone was blocked, including Domain Admins and Enterprise Admins!
After some research and trial and error, we found that the following procedure restores permissions for Domain Admins.
1. Log on to the PDC emulator as a Domain Admin.
2. Get the DN of the problem object(s).
3. Run an elevated command prompt.
4. Run `dsacls <dn> /R "DOMAIN\Domain Admins"`
5. Run `dsacls <dn> /G "DOMAIN\Domain Admins":GA`
6. Locate the object in AD. GPOs are in the System container.
7. Restore permissions for the object.
8. Check the object's folder within SYSVOL and verify the permissions are up to date. If not, restore the permissions here too (I actually did this between 5 and 6, but according to Internet sources step 7 will do this).
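The lockout above is easy to cause and hard to spot until someone is already locked out, so the check worth having is an audit that finds Deny ACEs for Authenticated Users on every GPO, on both the AD object and its SYSVOL folder (the two places the procedure repairs). The following PowerShell script is an added example, not from the original post; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the account running it can still read the GPO container (run it as a routine check, or after the dsacls repair, since an already-applied Deny will block the read). The function and variable names are the example's own.

```powershell
# Added example (not part of the original post): audit every GPO for Deny ACEs
# granted to Authenticated Users, on the AD groupPolicyContainer object and on
# the matching SYSVOL folder. Assumes RSAT GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory   # also provides the AD: PSDrive used by Get-Acl

# Well-known SID for Authenticated Users (S-1-5-11). Comparing by SID avoids
# problems with localized or unresolved account names in the ACL.
$AuthenticatedUsersSid = 'S-1-5-11'

function Find-DenyAce {
    # Returns the Deny ACEs in $Rules whose trustee resolves to $TrusteeSid.
    # Works for both ActiveDirectoryAccessRule (AD:) and FileSystemAccessRule (SYSVOL),
    # since both expose AccessControlType and IdentityReference.
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        [string] $TrusteeSid = $AuthenticatedUsersSid
    )
    foreach ($rule in $Rules) {
        if ($rule.AccessControlType -ne 'Deny') { continue }
        try {
            $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable trustee; not the one we are looking for
        }
        if ($sid -eq $TrusteeSid) { $rule }
    }
}

function Get-GpoDenyFindings {
    # Walks all GPOs in the current domain and reports Deny ACEs for Authenticated
    # Users found on the AD object or on the SYSVOL policy folder.
    $domain = (Get-ADDomain).DNSRoot
    foreach ($gpo in Get-GPO -All) {
        # 1. AD side: $gpo.Path is the DN under CN=Policies,CN=System,<domain>
        $adAcl = Get-Acl -Path ("AD:\" + $gpo.Path)
        foreach ($ace in Find-DenyAce -Rules $adAcl.Access) {
            [pscustomobject]@{
                Gpo     = $gpo.DisplayName
                Where   = 'AD'
                Trustee = $ace.IdentityReference.Value
                Rights  = $ace.ActiveDirectoryRights
            }
        }
        # 2. SYSVOL side: \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}
        $sysvolPath = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}"
        if (Test-Path -Path $sysvolPath) {
            $fsAcl = Get-Acl -Path $sysvolPath
            foreach ($ace in Find-DenyAce -Rules $fsAcl.Access) {
                [pscustomobject]@{
                    Gpo     = $gpo.DisplayName
                    Where   = 'SYSVOL'
                    Trustee = $ace.IdentityReference.Value
                    Rights  = $ace.FileSystemRights
                }
            }
        }
    }
}

$findings = @(Get-GpoDenyFindings)
if ($findings.Count -eq 0) {
    Write-Host "No Deny ACEs for Authenticated Users found on any GPO (AD or SYSVOL)."
} else {
    Write-Warning "$($findings.Count) Deny ACE(s) for Authenticated Users found; these will lock out Domain Admins too:"
    $findings | Format-Table -AutoSize
}
```

A finding reported only under `AD` or only under `SYSVOL` is the case step 8 is about: the two ACLs have drifted apart and the side that still carries the Deny has to be repaired separately. Because Domain Admins are themselves members of Authenticated Users, any row this script prints is a lockout of administrators, not just of ordinary users, which is why it is worth running on a schedule rather than only after an incident.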