This article was previously published under Q294257
When you log on using a Domain Administrator account, if you try to open a policy, the following message may be displayed:
Inaccessible GPO - Access Denied.
When you try to open the properties of this Group Policy object (GPO), you may receive the following error message:
Group Policy Error:
Failed to open the Group Policy Object. You may not have appropriate rights.
This issue may occur if either of the following conditions exist:
The Domain Administrators group has been denied access to the GPO.
The primary domain controller (PDC) operations master (also known as flexible single master operations or FSMO) of your Windows 2000 domain is down.
To resolve this issue, use the method for your cause.
The Domain Administrators Group Has Been Denied Access to the GPO
Use an account that has the appropriate permissions to restore the permissions to the GPO. If no other accounts have permissions to restore the permissions to the GPO, reset the permissions for the account or group that has been denied access to the GPO.
You can use the DSACLS tool that is included in the Support Tools for Windows 2000 and Windows Server 2003, to remove the Deny Access permissions from the Domain Administrators group. You must know the distinguished name (also known as DN) of the GPO to use this tool. Use the ADSIEdit.msc tool that is included in the Support Tools for Windows 2000 and Windows Server 2003, to determine the distinguished name of the GPO in Active Directory.
To reset permissions:
Start ADSIEdit.msc on the PDC emulator.
NOTE: To determine the PDC emulator operations masters role owner, right-click the domain name in the Active Directory Users and Computers snap-in, click Operations Masters, and then click the PDC tab.
Under ADSIEdit, click Domain NC, and then locate the following container:
Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server, Microsoft Windows 2000 Server