The GPMC (Group Policy Management Console) issues the following warming:
The Enterprise Domain Controllers group does not have read access to this GPO. The Enterprise Domain Controllers group must have read access on all GPOs in the domain in order for Group Policy Modeling to function properly. To learn more about this issue and how you can correct it, click Help.
When you upgrade a Windows 2000 server to Windows Server 2003, the Enterprise Domain Controllers group is NOT granted Read permission on the existing Group Policies.
NOTE: New Group Policies are properly ACLed.
To resolve this issue:
1. Open a CMD.EXE window.
2. Type cd /d "%programfiles%\gpmc\scripts" and press Enter.
3. Type Cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /Permission:Read /Domain:JSIINC.COM and press Enter, replacing JSIINC.COM with your domain.
4. You receive:
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
Warning! By executing this script, all GPOs in the target domain will be
updated with the desired security setting.
Both the Active Directory and Sysvol portions of the GPO will be updated.
This will result in the Sysvol contents of every GPO being copied to all
replica domain controllers, and may cause excessive replication traffic
in your domain.
If you have slow network links or restricted bandwidth between your domain
controllers, you should check the amount of data on the Sysvol that would
be replicated before performing this task.
Do you want to proceed? \[Y/N\]
Updated GPO 'Default Domain Controllers Policy' to 'Read' for Enterprise Domain Controllers