The GPMC (Group Policy Management Console) issues the following warming:
The Enterprise Domain Controllers group does not have read access to this GPO. The Enterprise Domain Controllers group must have read access on all GPOs in the domain in order for Group Policy Modeling to function properly. To learn more about this issue and how you can correct it, click Help.
When you upgrade a Windows 2000 server to Windows Server 2003, the Enterprise Domain Controllers group is NOT granted Read permission on the existing Group Policies.
NOTE: New Group Policies are properly ACLed.
To resolve this issue:
1. Open a CMD.EXE window.
2. Type cd /d "%programfiles%\gpmc\scripts" and press Enter.
3. Type Cscript GrantPermissionOnAllGPOs.wsf "Enterprise Domain Controllers" /Permission:Read /Domain:JSIINC.COM and press Enter, replacing JSIINC.COM with your domain.
4. You receive:
Microsoft (R) Windows Script Host Version 5.6 Copyright (C) Microsoft Corporation 1996-2001. All rights reserved. Warning! By executing this script, all GPOs in the target domain will be updated with the desired security setting. Both the Active Directory and Sysvol portions of the GPO will be updated. This will result in the Sysvol contents of every GPO being copied to all replica domain controllers, and may cause excessive replication traffic in your domain. If you have slow network links or restricted bandwidth between your domain controllers, you should check the amount of data on the Sysvol that would be replicated before performing this task. Do you want to proceed? \[Y/N\]5. When you type Y, you receive information like:
Updated GPO 'Default Domain Policy' to 'Read' for Enterprise Domain Controllers Updated GPO 'Default Domain Controllers Policy' to 'Read' for Enterprise Domain Controllers