Re: Delegation of rights not providing rights to edit GPO's


From: Mike Aubert (mikenews2_at_2000trainers.com)
Date: 02/24/04


Date: Tue, 24 Feb 2004 10:05:43 -0600

Correct - that group only has the right to create GPOs (as indicated in that
link I posted). The creator of a GPO is given rights to edit the GPO. So, if
a user that is a member of Group Policy Creator Owners creates a GPO, the
user will then have permissions to edit the GPO (but only that user - not
the whole group).

If you need to give someone permission to an existing GPO you have to give
them permission on the domain.name/System/Policies/{GUID_of_GPO} container
and SYSVOL\Policies\{GUID_of_GPO} folder.

Mike

------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
mikenews2@2000trainers.com

Note the "news2" in my email address is temporary and may be changed in the
future, remove it to email me at my permanent address.
This posting is provided "AS IS" with no warranties, and confers no rights.

"Sabir Ahmedi" <sahmedi@ramapo.edu> wrote in message
news:OyUkJ6u%23DHA.3500@tk2msftngp13.phx.gbl...
> Thanks Mike,
> I did that but it did not work. That group does not have rights to edit the
> GPO's by default.
>
> Thanks for the suggestion though, any others,
>
> Sabir.
>
> "Mike Aubert" <mikenews2@2000trainers.com> wrote in message
> news:O23C35i%23DHA.2432@TK2MSFTNGP09.phx.gbl...
> > This is normal - the GPO is not stored in the OU - only linked. A GPO is
> > made up of Active Directory objects located in domain.name/System/Policies
> > as well as files and folders in SYSVOL. In order to edit/create GPOs you
> > need to have permissions to these objects/folders.
> >
> > Have a look at the notes on this page (it's from XP's documentation but is
> > applicable to Windows 2000 Server - I'm still hunting for the 2000 link)
> > about Group Policy Creator Owners:
> >
> > http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/del_create.asp
> >
> > ------------------------------------------------------------------
> > Mike Aubert
> > MCSE, MCSD, MCDBA
> > mikenews2@2000trainers.com
> >
> > Note the "news2" in my email address is temporary and may be changed in the
> > future, remove it to email me at my permanent address.
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
> > "Sabir Ahmedi" <sahmedi@ramapo.edu> wrote in message
> > news:u%23ez%23si%23DHA.3536@TK2MSFTNGP10.phx.gbl...
> > > Hi all,
> > > I delegated rights to an OU and its child OU's to a specific group. But the
> > > user in that group is unable to edit the GPO's in the OU. I then found
> > > another place to assign rights to edit the OU GPO's.
> > >
> > > Is this by design or am I doing something wrong? It's just that I feel this
> > > should have been taken care of by the delegation.
> > >
> > > Thanks,
> > >
> > > -sabir.
> > >
> > >
> >
> >
>
>
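
Added example (not part of the original posts): a PowerShell check that lists which principals hold write-type access on each of the two locations named above for one GPO, and flags any principal present on only one side. It assumes the ActiveDirectory module is installed and the standard SYSVOL share layout; the GUID is a constructed placeholder.

```powershell
# Added example: list principals with write-type access on each half of one GPO.
param(
    # Constructed placeholder GUID; substitute the GUID of the GPO being reviewed.
    [string]$GpoGuid = '{00000000-0000-0000-0000-000000000000}'
)
Import-Module ActiveDirectory   # provides Get-ADDomain and the AD: drive

$domain = Get-ADDomain
# Active Directory half: domain.name/System/Policies/{GUID}
$adPath = "AD:\CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"
# SYSVOL half (assumed standard layout): \\domain\SYSVOL\domain\Policies\{GUID}
$fsPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid"

# Rights treated as "can change the GPO". Coarse on purpose: an AD WriteProperty
# ACE scoped to a single attribute is still reported.
$adMask = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, WriteDacl, WriteOwner'
$fsMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-WritePrincipal {
    param($Acl, [string]$RightsProperty, [int]$Mask)
    $Acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.$RightsProperty) -band $Mask) -ne 0 } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

$adWriters = @(Get-WritePrincipal (Get-Acl -Path $adPath) 'ActiveDirectoryRights' $adMask)
$fsWriters = @(Get-WritePrincipal (Get-Acl -Path $fsPath) 'FileSystemRights' $fsMask)

# A principal present on only one side cannot fully edit the GPO.
foreach ($p in ($adWriters + $fsWriters | Sort-Object -Unique)) {
    [pscustomobject]@{
        Principal = $p
        ADObject  = $p -in $adWriters
        Sysvol    = $p -in $fsWriters
        Mismatch  = ($p -in $adWriters) -ne ($p -in $fsWriters)
    }
}
```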


