Tuesday, 24 June 2014

DirectAccess GPOs Error "Required GPO Permissions" not Enterprise Admin

You are deploying DirectAccess in a multi-domain, single-forest environment. Clients and users reside in one domain, and the DirectAccess servers in another. The two domains have a two-way trust. The forest root domain is separate from these domains and hosts the Schema Master and Domain Naming Master FSMO roles.

When you run the DirectAccess wizard and are about to commit changes to the GPOs, you receive the error "Required GPO Permissions" on the client settings GPO.

The cause is that the user account provisioning DirectAccess is not a member of the forest-wide Enterprise Admins group. Add the user account to the Enterprise Admins group, or log in with an elevated account that already has this level of access. By default the Enterprise Admins group has Full Control over every domain in the forest, so it is advisable to keep its membership limited.

When you re-run the wizard with the correct credentials it should now allow you to continue.
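To confirm the prerequisite before re-running the wizard, and to audit the group afterwards, here is an added PowerShell check that is not part of the original post. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the GPO name and client domain name are placeholders.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory and
# GroupPolicy modules; $ClientGpoName and $ClientDomain are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ClientGpoName = 'DirectAccess Client Settings'   # placeholder: your client settings GPO name
$ClientDomain  = 'clients.example.local'          # placeholder: domain that hosts the client GPO
$Account       = $env:USERNAME                    # account that will run the DirectAccess wizard

# Enterprise Admins exists only in the forest root domain, so query a root-domain DC
# rather than the domain you are logged on to (the root is a separate domain here).
$RootDomain = (Get-ADForest).RootDomain
$EA = Get-ADGroup -Identity 'Enterprise Admins' -Server $RootDomain

# -Recursive also catches membership through nested groups.
$IsMember = Get-ADGroupMember -Identity $EA -Server $RootDomain -Recursive |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -eq $Account }

if ($IsMember) {
    "$Account is a member of Enterprise Admins ($RootDomain); the wizard should be able to write the client GPO."
} else {
    "$Account is NOT in Enterprise Admins ($RootDomain); expect 'Required GPO Permissions' on the client GPO."
}

# Show which trustees can currently edit the client settings GPO.
Get-GPPermission -Name $ClientGpoName -DomainName $ClientDomain -All |
    Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# After provisioning, list the group members so membership can be trimmed back.
Get-ADGroupMember -Identity $EA -Server $RootDomain -Recursive |
    Select-Object Name, SamAccountName, objectClass
```

Run it as the account that will provision DirectAccess; the final listing is the one to review once the wizard has committed its changes.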