I had a bizarre problem somewhat like this when I upgraded my test domain. Domain controllers lost the ability to apply machine group policy. User policy applied fine.
It turns out that “bypass traverse checking” had somehow gotten turned off in the domain controller default policy. This didn’t affect the DCs when they were server 2003 because computers had permissions all the way down the SYSVOL path to the “policies” folder. However, Server 2008 R2 (don’t know about 2008) makes SYSVOL\{YourDomainFQDN} a reparse point to “c:\Windows\SYSVOL\domain”, and the permissions along the new path are more restrictive than in previous versions of windows. The moral of the story is that there are now two sets of permissions that control access to the stuff under SYSVOL , and make sure you haven’t turned off “bypass traverse checking”. Ken Cornetet 812.482.8499 To err is human - to moo, bovine. From: Richard Stovall [mailto:rich...@gmail.com] Sent: Monday, March 14, 2011 6:15 PM To: NT System Admin Issues Subject: Re: Sysvol perms in 2008 From what I can tell it shouldn't be applicable to the issue you're seeing, but out of curiosity did you run "adprep32 /domainprep /gpprep" when you upgraded the domain? On Mon, Mar 14, 2011 at 1:39 PM, Kennedy, Jim <kennedy...@elyriaschools.org<mailto:kennedy...@elyriaschools.org>> wrote: I am having GPO weirdness. Desktops are getting denied on accessing my Software Policies. I THINK this started with our upgrade to 2008 R2 DC’s. Did perms change somewhere along the way and I missed it…it almost seems as if computer accounts are no longer members of Authenticated Users. I have always had my basic software installs like flash and whatnot in sysvol/netlogon. That is what is failing now. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com<mailto:listmana...@lyris.sunbeltsoftware.com> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin