November 12

How to Fix GPO Sysvol Permissions Error

Problem:

In a forest with several domain controllers, the Status tab of the Group Policy Management Console (GPMC) reports the following error for some of the domain controllers:

The SYSVOL permissions of one or more GPO’s on this domain controller are not in sync with the permissions for the GPO’s on the Baseline domain controller.

 

The Cause:

The affected GPO's folder in SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\{GPO GUID}) carries two access control entries (ACEs) for the Domain Admins group instead of one. It is the same group twice, not two accounts. GPMC compares the SYSVOL ACL of each domain controller with the ACL on the baseline domain controller (the PDC emulator) and flags the folder whose entries do not match.

In the GUI you only see one Domain Admins entry, so the duplicate is invisible there.

From an elevated command prompt in the Policies folder (or with the full path), icacls shows both entries:

icacls "{GPO GUID}"

The Solution

First, remove both Domain Admins entries from the GPO folder. icacls /remove:g drops every explicit grant entry for the named group, so one command clears both; the folder then has no Domain Admins entry at all until the next step, so run the two commands back to back (back up the folder's ACLs first if you want a way to roll back):

icacls "{GPO GUID}" /remove:g "<localdomain>\Domain Admins"

Second, add a single Domain Admins entry back with full control (F) that is inherited by subfolders (CI) and files (OI), which is what the baseline domain controller has:

icacls "{GPO GUID}" /grant "<localdomain>\Domain Admins":(OI)(CI)(F)

Third, run the same two commands on each of the other affected domain controllers.

Finally, wait for replication or force it. repadmin /syncall replicates the Active Directory partitions from this domain controller to its partners; the /AdePq form covers all partitions held by this server (A), identifies servers by distinguished name in its output (d), crosses site boundaries (e), pushes changes out instead of pulling (P) and runs quietly (q):

repadmin /syncall

repadmin /syncall /AdePq

Note that repadmin only replicates Active Directory; the SYSVOL share itself is replicated separately by DFS Replication (or FRS on older domains). Once the change has reached every domain controller, click Detect Now on the GPMC Status tab to confirm that the error is gone.
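The manual procedure above has to be repeated for every GPO that is out of sync, and the duplicate is easy to miss by eye. The following PowerShell script is an added example, not part of the original post: it walks every GPO folder under SYSVOL, reports folders that carry more than one explicit Domain Admins entry, and with -Fix repairs them using the same two icacls commands, saving the old ACLs with icacls /save first so they can be restored. It assumes it is run in an elevated PowerShell on a domain controller and takes the domain names from the logged-on user's environment; the $DnsDomain and $NetBios parameters and the backup directory are assumptions you can override.

```powershell
# Added example (not from the original post): find and repair GPO folders in SYSVOL
# that carry duplicate "Domain Admins" ACEs. Run from an elevated PowerShell on a DC.
# Assumptions: domain names come from the current user's environment; override the
# parameters when running from another domain or a workstation.
param(
    [string]$DnsDomain = $env:USERDNSDOMAIN,            # assumption: DNS name of the domain
    [string]$NetBios   = $env:USERDOMAIN,               # assumption: NetBIOS name of the domain
    [switch]$Fix,                                       # without -Fix the script only reports
    [string]$BackupDir = "$env:TEMP\gpo-acl-backup"     # assumption: where icacls /save files go
)

$policies = "\\$DnsDomain\SYSVOL\$DnsDomain\Policies"
$group    = "$NetBios\Domain Admins"
$guidRx   = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-DomainAdminsAce {
    # Returns the explicit (non-inherited) ACEs for Domain Admins on one GPO folder.
    # A healthy folder has exactly one; the GUI collapses several into a single line.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    return @($acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $group -and -not $_.IsInherited
    })
}

# Pass 1: report. Only folders named like a GPO GUID are considered.
$affected = @()
foreach ($dir in Get-ChildItem -LiteralPath $policies -Directory) {
    if ($dir.Name -notmatch $guidRx) { continue }
    $aces = Get-DomainAdminsAce -Path $dir.FullName
    if ($aces.Count -gt 1) {
        $affected += $dir
        Write-Host ("{0}: {1} Domain Admins entries" -f $dir.Name, $aces.Count)
        foreach ($ace in $aces) {
            Write-Host ("    {0,-28} inherit={1} propagate={2}" -f `
                $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags)
        }
    }
}

if ($affected.Count -eq 0) { Write-Host "No GPO folder has duplicate Domain Admins entries."; return }
if (-not $Fix)             { Write-Host "Re-run with -Fix to repair the folders listed above."; return }

# Pass 2: repair, mirroring the manual icacls steps from the post.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($dir in $affected) {
    # icacls /save keeps the current ACLs; "icacls <Policies> /restore <file>" rolls them back.
    $backup = Join-Path $BackupDir ("{0}.acl" -f $dir.Name.Trim('{', '}'))
    & icacls.exe $dir.FullName /save $backup /T /C /Q | Out-Null

    # /remove:g drops every explicit grant for the group, so both duplicates go at once ...
    & icacls.exe $dir.FullName /remove:g $group /C /Q
    # ... and a single entry matching the baseline DC is put back immediately.
    & icacls.exe $dir.FullName /grant "${group}:(OI)(CI)(F)" /C /Q

    $after = Get-DomainAdminsAce -Path $dir.FullName
    Write-Host ("{0}: now {1} Domain Admins entry(ies), backup in {2}" -f $dir.Name, $after.Count, $backup)
}
```

Run it once without -Fix to see which folders are affected, and compare the list against what GPMC reports before repairing. The repair deliberately touches only the GPO folder itself, as the post does; the (OI)(CI) flags let the entry propagate to the Machine and User subfolders by inheritance. Because SYSVOL is replicated by DFS-R rather than by repadmin, re-run the report on each domain controller after replication has had time to catch up.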