Error: 'The GPO cannot be exported due to insufficient modify rights in the GPO Security Filters'. (NETIQKB39684)

  • 7739684
  • 02-Feb-2007
  • 28-Aug-2007

Resolution

fact
NetIQ Group Policy Administrator 4.x

symptom
Error: 'The GPO cannot be exported due to insufficient modify rights in the GPO Security Filters'.

symptom
The error occurs when trying to export a user-created GPO from the Repository.

cause

The security descriptor on the GPO is not correctly set when a GPO is created in the Repository.  The error message occurs because the ACL set on the GPO in the Repository does not allow the specific user account access to modify the entire GPO.

If a user creates a GPO in the Repository and the user is not a member of the Domain Admins or Group Policy Creator Owners group, Group Policy Administrator (GPA) adds an ACL entry for that specific user to the security descriptor of the GPO.  This simulates the access the user would get as a member of the Group Policy Creator Owners group; however, GPA does not set this ACL entry correctly.  The entry is set with the scope 'This object only' instead of the scope 'This object and all child objects'.



fix

To work around this issue:

  1. Check out the GPO in the Repository.
  2. Right-click the GPO and select Properties.
  3. Select the Security tab.
  4. Select the specific ACL and change the scope of the security from 'This object only' to 'This object and all child objects'.
  5. Check in the GPO and perform the export.
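
The scope change in step 4 corresponds to the container-inherit (CI) flag on the user's entry in a standard Windows security descriptor. The following is an added example, not NetIQ code: it assumes the descriptor is available as an SDDL string (this article does not describe how GPA stores it), and the SDDL samples, the SID, and the function name `Get-AceScope` are constructed for illustration.

```powershell
# Added example. The SDDL strings and the SID ending in -1104 are constructed
# samples, not values taken from a real GPA Repository.
$userSid = 'S-1-5-21-1111111111-2222222222-3333333333-1104'
$rights  = 'RPWPCCDCLCLORCWOWDSDDTSW'      # edit-level directory rights
$samples = [ordered]@{
    'as created'       = "D:(A;;$rights;;;$userSid)(A;CI;$rights;;;SY)"
    'after workaround' = "D:(A;CI;$rights;;;$userSid)(A;CI;$rights;;;SY)"
}

$WriteProperty = 0x20                       # ADS_RIGHT_DS_WRITE_PROP ("WP")

# Hypothetical helper: report the scope of every ACE in the DACL and flag
# allow-ACEs that grant write access without inheriting to child objects.
function Get-AceScope {
    param([Parameter(Mandatory)][string]$Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $ci = ([int]$ace.InheritanceFlags -band
               [int][System.Security.AccessControl.InheritanceFlags]::ContainerInherit) -ne 0
        $io = ([int]$ace.PropagationFlags -band
               [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0

        $scope = if (-not $ci) { 'This object only' }
                 elseif ($io)  { 'Child objects only' }
                 else          { 'This object and all child objects' }

        $canWrite = ($ace.AceType -eq 'AccessAllowed') -and
                    (($ace.AccessMask -band $WriteProperty) -ne 0)

        [pscustomobject]@{
            Trustee = $ace.SecurityIdentifier.Value
            Scope   = $scope
            Finding = if ($canWrite -and -not $ci) { 'write access stops at the GPO root' } else { '' }
        }
    }
}

foreach ($entry in $samples.GetEnumerator()) {
    "--- $($entry.Key) ---"
    Get-AceScope -Sddl $entry.Value | Format-Table -AutoSize
}
```

Only the user's entry in the 'as created' sample is flagged; after the scope change no entry is.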


note
A request has been submitted to development to address this issue in a future release of GPA.

Additional Information

Formerly known as NETIQKB39684