Error Message: Failed to Create New Group Policy Object. You May Not Have Appropriate Rights. Details... (313336)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
This article was previously published under Q313336 SYMPTOMS
When a Windows 2000 Active Directory domain administrator tries to create a brand new Group Policy object (GPO) and link it to an organizational unit, the administrator may receive the following group policy error message:
Failed to create new Group Policy Object. You may not have appropriate rights.
Details:
The security ID may not be assigned as the owner of this object
CAUSE
This behavior can occur if the administrator that is logged on has not been granted the SetRestorePrivilege privilege.
RESOLUTION- From one of your Windows 2000 domain controllers (DCs), start the Active Users and Computers snap-in.
- Right-click Domain Controllers, and then click Properties.
- Click on the Group Policy tab, click Default Domain Controllers Policy, and then click Edit.
- Open Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, and then double-click the Restore files and directories user right.
- Add the userid of the administrator that was receiving the error to the list of users who have this right. Note that it is most preferable to grant this privilege to a group rather than to a user, and then make the user a member of the group.
- Force a policy refresh by running the secedit.exe /refreshpolicy machine_policy /enforce command.
- If the user has not yet logged off, the user must log off and then log back on to test whether or not he or she can now create a GPO.
STATUSThis behavior is by design.
| Modification Type: | Minor | Last Reviewed: | 10/13/2004 |
|---|
| Keywords: | kbenv kberrmsg kbnetwork kbprb KB313336 |
|---|
|