Re: Delegate permission to full control OU (GPO):getting access is denied. Server Operator can do it.
From: Tim Springston [MS] (tspring_at_online.microsoft.com)
Date: 08/29/04
- Next message: John Beevers: "RE: DC space"
- Previous message: darren: "Password complexity..domain policy"
- In reply to: Marlon Brown: "Re: Delegate permission to full control OU (GPO):getting access is denied. Server Operator can do it."
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 29 Aug 2004 13:18:12 -0500
That would certainly do it as well. Since there are two components to group
policies (the AD one and the file system one in the SYSVOL share) the user
must have allow permissions to both for that action.
--
Tim Springston
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.

"Marlon Brown" <marlon_brownj@hotmail.com> wrote in message
news:ekadRsliEHA.704@TK2MSFTNGP09.phx.gbl...
> Found the problem:
> Compared \sysvol with a clean Win2000 setup and it seems somebody removed
> Group Policy Creator owner from the \sysvol share.
> "Marlon Brown" <marlon_brown@hotmail.com> wrote in message
> news:e00pcpeiEHA.596@TK2MSFTNGP11.phx.gbl...
>> Yes, the permissions below are checked for MyAdmin, but he is still getting
>> the 'access is denied' message.
>> I created a copy account named TestMyadmin (domain user only and member of
>> ControlOU group, which has full-control over that OU) and the problem
>> persists. Any other suggestions ?
>>
>> "Tim Springston [MS]" <tspring@online.microsoft.com> wrote in message
>> news:O32mW%23aiEHA.2448@TK2MSFTNGP12.phx.gbl...
>> > Hi Marlon-
>> >
>> > This could be dependent on other security group memberships which that user
>> > is a member of, however, the granular permission that the user should need
>> > is "Create groupPolicyContainer objects" and "Delete groupPolicyContainer
>> > objects".
>> >
>> > This is viewable from Active Directory Users and Computers (DSA.MSC), from
>> > the properties of the OU->Security folder tab->Advanced.
>> >
>> > Please repost if adding that user to have those Allow permissions does not
>> > help.
>> >
>> > --
>> > Tim Springston
>> > Microsoft Corporation
>> > This posting is provided "AS IS" with no warranties, and confers no rights.
>> >
>> >
>> > "Marlon Brown" <marlon_brownj@hotmail.com> wrote in message
>> > news:%23ve0CdZiEHA.2764@TK2MSFTNGP11.phx.gbl...
>> > > I go to a CertainOU and I attempt to give Myadmin ability to full control
>> > > that one, including create GPOs.
>> > > MyAdmin is member of Group Policy Creator Owner.
>> > >
>> > > When Myadmin right click the OU and attempt to create "new" to create a new
>> > > group policy, he is getting message 'You do not have permission to perform
>> > > this operation - access is denied'.
>> > >
>> > > What's wrong ?
>> > >
>> > > If I add the fellow to the "Server Operators" group he is able to
>> > > accomplish
>> > > the task just fine. I am unsure if he is successful because the Server
>> > > Operator has read+execute permissions to Sysvol ? I see that Authenticated
>> > > user also has r+x to Sysvol and therefore that doesn't explain...
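
The two-sided check discussed in this thread (an allow ACE for creating groupPolicyContainer objects in AD, plus create rights on the SYSVOL Policies folder) can be scripted; the following is an added example, not part of the original posts or Microsoft's own tooling. The domain name, distinguished name and group name are placeholders, and it assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example. $Domain, $TargetDn and $Principal are placeholders (assumptions).
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl below

$Domain    = 'example.local'
$TargetDn  = 'OU=CertainOU,DC=example,DC=local'
$Principal = 'EXAMPLE\ControlOU'

# schemaIDGUID of the groupPolicyContainer object class
$GpcClass = [guid]'f30e3bc2-9ff0-11d1-b603-0000f80367c1'

function Get-AdGpcAce {
    # Allow ACEs on $Dn that let $Principal create groupPolicyContainer children
    param([string]$Dn, [string]$Principal)
    $create = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $create) -and
        # An empty ObjectType GUID means the ACE covers every child class
        ($_.ObjectType -eq $GpcClass -or $_.ObjectType -eq [guid]::Empty)
    }
}

function Get-SysvolPolicyAce {
    # Allow ACEs that let $Principal create a GPO folder under SYSVOL\Policies
    param([string]$Domain, [string]$Principal)
    $mkdir = [System.Security.AccessControl.FileSystemRights]::CreateDirectories
    (Get-Acl -Path "\\$Domain\SYSVOL\$Domain\Policies").Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $mkdir)
    }
}

$ad = @(Get-AdGpcAce -Dn $TargetDn -Principal $Principal)
$fs = @(Get-SysvolPolicyAce -Domain $Domain -Principal $Principal)

# Both columns must be True for the principal to have both halves directly.
[pscustomobject]@{
    Principal          = $Principal
    AdCreateGpc        = $ad.Count -gt 0
    SysvolCreateFolder = $fs.Count -gt 0
}
```

This reports only ACEs granted directly to the named principal, so run it once per group the user belongs to; it does not compute effective access or evaluate deny ACEs. Share-level permissions on SYSVOL are a separate ACL from the NTFS one read here and can be listed on the domain controller with `Get-SmbShareAccess -Name SYSVOL`.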