server 2012 r2 group policy Access denied

I recently started getting a group policy access denied exception on my Windows Server 2012 R2 domain controller. Please help!

Here is the error. Happens every time I try to change domain policy objects:
See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.GroupPolicy.AdmTmplEditor.IGPMAdmTmplEditorCallback.ApplyChanges()
at Microsoft.GroupPolicy.AdmTmplEditor.Editor.SaveChanges()
at Microsoft.GroupPolicy.AdmTmplEditor.Editor.buttonApply_Click(Object sender, EventArgs e)
at System.Windows.Forms.Control.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ButtonBase.WndProc(Message& m)
at System.Windows.Forms.Button.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Loaded Assemblies **************
mscorlib
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4240.0 built by: NET48REL1LAST_B
CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll
----------------------------------------
Microsoft.GroupPolicy.AdmTmplEditor
Assembly Version: 6.3.0.0
Win32 Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_64/Microsoft.GroupPolicy.AdmTmplEditor/v4.0_6.3.0.0__31bf3856ad364e35/Microsoft.GroupPolicy.AdmTmplEditor.dll
----------------------------------------
System
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4210.0 built by: NET48REL1LAST_B
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Windows.Forms
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4210.0 built by: NET48REL1LAST_B
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
Assembly Version: 4.0.0.0
Win32 Version: 4.8.3761.0 built by: NET48REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Configuration
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4190.0 built by: NET48REL1LAST_B
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Core
Assembly Version: 4.0.0.0
Win32 Version: 4.8.4240.0 built by: NET48REL1LAST_B
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Core/v4.0_4.0.0.0__b77a5c561934e089/System.Core.dll
----------------------------------------
System.Xml
Assembly Version: 4.0.0.0
Win32 Version: 4.8.3761.0 built by: NET48REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
Accessibility
Assembly Version: 4.0.0.0
Win32 Version: 4.8.3761.0 built by: NET48REL1
CodeBase: file:///C:/Windows/Microsoft.Net/assembly/GAC_MSIL/Accessibility/v4.0_4.0.0.0__b03f5f7f11d50a3a/Accessibility.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
<system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.

Hi @kboroumand

Are you a member of the Group Policy Creator Owners or Domain Admins group?

Hasan Emre SATILMIŞ

Yes, I am.


Hi @kboroumand

Are any of the policies that you did not change created on this domain controller? Or were these policies created on a domain controller with a higher operating system version?

The last time I created a policy was several months ago, but I used the same user and the same operating system. I only have one domain controller in this network environment. @hasanemresatilmis

Hi @kboroumand,

Could you check the configuration below?

1. ADSI Edit -> Default Naming Context -> DC=<Domain Name> -> CN=System -> CN=Policies
2. Right-click Policies and select Properties
3. Click the Security tab
4. Check your user or group permissions


Hi @hasanemresatilmis,

Sorry for my late reply.

I checked the ADSI Edit permissions for CN=Policies. My admin user has full control of the objects listed here.

Hi @kboroumand,

Do you use antivirus software on the DC? Maybe the antivirus software is protecting the group policy files.

Can you create a new group policy?

Hi @hasanemresatilmis,

Turning off the antivirus is the first thing I tried. I even uninstalled it to be sure, but that didn't seem to work. When I try to create a new group policy, I get an access denied error like the one in the attached picture.


Hi @kboroumand,

Could you try these steps:

For Create, Edit and Delete New GPOs

1. Active Directory Users and Computers -> <Domain Name> right-click -> Delegate Control -> Next -> Add -> Enter Your User Name -> Check Names -> OK -> Next

2. Select Delegate the following common tasks:
   a. Manage Group Policy Links
   b. Generate Resultant Set of Group Policy (Planning)
   c. Generate Resultant Set of Group Policy (Logging)

3. Next -> Finish -> Logoff -> Logon

4. Group Policy Management -> Group Policy Objects -> Delegation tab (right side) -> Add -> Enter Your User Name -> Check Names -> OK

For Edit Old GPOs

Select the policy which you want to edit -> Delegation tab (right side) -> Add -> Browse Your User Name

Permissions: Edit settings, delete, modify security -> OK

Hi @hasanemresatilmis,

I followed your instructions.

Still getting this error when trying to edit group policy:

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.GroupPolicy.AdmTmplEditor.IGPMAdmTmplEditorCallback.ApplyChanges()
at Microsoft.GroupPolicy.AdmTmplEditor.Editor.SaveChanges()
at Microsoft.GroupPolicy.AdmTmplEditor.Editor.buttonOK_Click(Object sender, EventArgs e)
at System.Windows.Forms.Control.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ButtonBase.WndProc(Message& m)
at System.Windows.Forms.Button.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

Hi @kboroumand,

Did you check the security and sharing permissions on these folders?

C:\Windows\SYSVOL\Sysvol\<DomainName>\Policies

\\DomainName\SYSVOL\<DomainName>\Policies

Could you give full control permission on the SYSVOL folder to the user that you logged on with?

Hi @hasanemresatilmis,

I just double checked to be certain.

My admin user has R/W access to them.

Hi @kboroumand

You have checked everything below and the problem was not solved.

1. The user is a member of the Group Policy Creator Owners and Domain Admins groups
2. Operating system version
3. ADSI Edit permissions for CN=Policies
4. Antivirus software
5. Active Directory Users and Computers delegations for the whole domain
6. Group Policy Management delegations
7. SYSVOL folder security and sharing permissions

I was very surprised by this situation.

Finally, you can add a new user to the Domain Admins group and try to create a policy.

If that doesn't work, I wish you good luck.


Hi @hasanemresatilmis,

Hope you are doing well.

I got a chance to work on this issue again today and I noticed an error that you may be able to help me with. When I look at the Status tab of my GPMC, it is listed that there are 0 domain controllers with replication in progress and 0 domain controllers with replication in sync.

I will add a screenshot.

Any help would be appreciated.


Hi @kboroumand,

There is no problem here, because you have only one domain controller.

If you send me pictures of the items below for your user, I will try to help you with this problem.

1. Groups which your user has joined
2. Operating system version
3. The user's ADSI Edit permissions for CN=Policies
4. The user's SYSVOL folder security and sharing permissions
5. The user's Active Directory Users and Computers security permissions (DomainName -> System -> Policies)
6. The user's Group Policy Management delegations
7. A specific group policy's Delegation tab

Hi @hasanemresatilmis,

Thanks, I appreciate your time:

1. Administrators, Domain Admins, Domain Controllers, Enterprise Admins, Group Policy Creator Owners, RDS Management Servers, Remote Desktop Users, Server Operators, Terminal Server License Servers, Windows Authorization Access Group.
2. Windows Server 2012 R2 Essentials.
3. I right-click on the CN=Policies folder --> choose Properties --> then Advanced: I will send you a screenshot.
4. SYSVOL permissions: screenshot also attached. (I crossed out the name of my admin user acct)
5. AD Policies permissions: screenshot also attached.
6. GP delegations: screenshot also attached. (crossed out my admin username)
7. Specific policy delegation: also attached, with admin username crossed out.

Hi @kboroumand,

If your user is a member of all of these groups, there should be no problems.

Could you check the configuration below?

Active Directory Users and Computers -> System -> Right-click Policies and then Properties -> Security tab -> Permission of Domain Admins

Active Directory Users and Computers -> System -> Policies -> Right-click a GPO and then Properties -> Security tab -> Permission of Domain Admins

The permissions of Domain Admins must be Read, Write, Create Child Object, Delete Child Object.

Also, if these were changed, you should check the Default Domain Policy and Default Domain Controllers Policy.

Even when I try to create a new GPO, I get access denied!
By the way, I do have R/W access to the paths you mentioned.

Accepted Solution

Hi @kboroumand,

Only Read and Write permissions are not enough.

The permissions of Domain Admins must be Read, Write, Create Child Object, Delete Child Object.
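A PowerShell audit of the two places this thread keeps checking, the AD ACL on CN=Policies and the NTFS ACL on the SYSVOL Policies share, against the Domain Admins rights the accepted answer names. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module and an elevated session on the domain controller.

```powershell
Import-Module ActiveDirectory   # also mounts the AD: drive used below

function Test-PoliciesContainerAcl {
    param([string]$Principal = 'Domain Admins')

    $domain   = Get-ADDomain
    $policyDN = "CN=Policies,CN=System,$($domain.DistinguishedName)"
    $identity = "$($domain.NetBIOSName)\$Principal"

    # Rights the accepted answer names for Domain Admins on CN=Policies:
    # Read, Write, Create Child Object, Delete Child Object.
    $required = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, GenericWrite, CreateChild, DeleteChild'

    # OR together every object-wide Allow ACE for the principal (inherited ones included).
    # Full Control (GenericAll) is a superset, so it passes this check too.
    $granted = 0
    foreach ($ace in (Get-Acl -Path "AD:\$policyDN").Access) {
        if ($ace.IdentityReference.Value -eq $identity -and
            $ace.AccessControlType -eq 'Allow' -and
            $ace.ObjectType -eq [guid]::Empty) {
            $granted = $granted -bor [int]$ace.ActiveDirectoryRights
        }
    }
    $missing = [int]$required -band (-bnot $granted)

    [pscustomobject]@{
        Object   = $policyDN
        Identity = $identity
        Granted  = [System.DirectoryServices.ActiveDirectoryRights]$granted
        Missing  = [System.DirectoryServices.ActiveDirectoryRights]$missing
        Ok       = ($missing -eq 0)
    }
}

function Get-SysvolPoliciesAcl {
    param([string]$Principal = 'Domain Admins')

    $domain   = Get-ADDomain
    $path     = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
    $identity = "$($domain.NetBIOSName)\$Principal"

    # NTFS rights on the share path the thread asks about, for the same principal.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $identity } |
        Select-Object @{ n = 'Path'; e = { $path } }, IdentityReference,
                      FileSystemRights, AccessControlType, IsInherited
}

Test-PoliciesContainerAcl | Format-List
Get-SysvolPoliciesAcl     | Format-Table -AutoSize
```

A non-empty Missing value on the first object is the case the accepted answer describes: the user can read and write the container but cannot create or delete the GPO child objects under it.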