"Permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory" message when you run GPMC

S’applique à : Microsoft Windows Server 2003 Web EditionMicrosoft Windows Server 2003 Standard Edition (32-bit x86)Microsoft Windows Server 2003 Enterprise Edition (32-bit x86) Plus

Symptoms


When you run Group Policy Management Console (GPMC) in a Windows Server 2008 or Windows Server 2003 domain, and then you click either Default Domain Policy or Default Domain Controllers Policy, you receive one of the following messages:
  • The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the permissions in SYSVOL to those in Active Directory, click OK.
    You receive this message if you have the permissions to modify security on the Group Policy Objects (GPOs).
  • The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. Contact an administrator who has rights to modify security on this GPO.
    You receive this message if you do not have the permissions to modify security on the Group Policy Objects (GPOs). 

Cause


This issue occurs for one of the following reasons:
  • The access control list (ACL) on the Sysvol part of the Group Policy Object is set to inherit permissions from the parent folder.
  • The Special permission (Listobject) is set for the Authenticated Users group. However, the Authenticated Users group is missing from the Delegation tab of the Group Policy Object. 

Resolution


If you have permissions to modify security on the default GPOs, click OK in response to the message that is mentioned in the "Symptoms" section. This action modifies the ACLs on the Sysvol part of the Group Policy Object and makes them consistent with the ACLs on the Active Directory component. In this situation, Group Policy removes the inheritance attribute in the Sysvol folder.


If you still receive the message, follow these steps:
  1. Make sure that you are running the latest service pack for the system. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    968849 How to obtain the latest service pack for Windows Server 2008



    889100 How to obtain the latest service pack for Windows Server 2003
  2. Check whether the Listobject permission is set for the Authenticated Users group and whether the Authenticated Users group is missing from the Delegation tab of the Group Policy Object.  

    b


    a

    If these conditions are true, take one of the following actions:
    1. Click Restore defaults to reset the permissions to defaults.
    2. Remove the Authenticated Users group that has the List object permission (not recommended).