Re: Delegation of rights not providing rights to edit GPO's

From: Mike Aubert (mikenews2_at_2000trainers.com)
Date: 02/24/04


Date: Tue, 24 Feb 2004 10:26:25 -0600

Duh, brain cramp...

Just to be clear, to set the permissions on an existing GPO, select the GPO
from the list of linked GPOs and then click properties. On the security tab
give the user/group the Full Control (or just Write if you don't want them
to be able to change security permissions) permission and then click OK.
This will set the permissions on the
domain.name/System/Policies/{GUID_of_GPO} container and
SYSVOL\Policies\{GUID_of_GPO} folder for you.

Have a look at this KB article for more info:

HOW TO: Delegate Authority for Editing a Group Policy Object (GPO)
http://support.microsoft.com/?id=221577

Mike

------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
mikenews2@2000trainers.com

Note the "news2" in my email address is temporary and may be changed in the
future; remove it to email me at my permanent address.
This posting is provided "AS IS" with no warranties, and confers no rights.

"Mike Aubert" <mikenews2@2000trainers.com> wrote in message
news:OyWnLAv%23DHA.4060@TK2MSFTNGP10.phx.gbl...
> Correct - that group only has the right to create GPOs (as indicated in that
> link I posted). The creator of a GPO is given rights to edit the GPO. So, if
> a user that is a member of Group Policy Creator Owners creates a GPO, the
> user will then have permissions to edit the GPO (but only that user - not
> the whole group).
>
> If you need to give someone permission to an existing GPO you have to give
> them permission on the domain.name/System/Policies/{GUID_of_GPO} container
> and SYSVOL\Policies\{GUID_of_GPO} folder.
>
> Mike
>
> ------------------------------------------------------------------
> Mike Aubert
> MCSE, MCSD, MCDBA
> mikenews2@2000trainers.com
>
> Note the "news2" in my email address is temporary and may be changed in the
> future; remove it to email me at my permanent address.
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Sabir Ahmedi" <sahmedi@ramapo.edu> wrote in message
> news:OyUkJ6u%23DHA.3500@tk2msftngp13.phx.gbl...
> > Thanks Mike,
> > I did that but it did not work. That group does not have rights to edit the
> > GPO's by default.
> >
> > Thanks for the suggestion though, any others,
> >
> > Sabir.
> >
> > "Mike Aubert" <mikenews2@2000trainers.com> wrote in message
> > news:O23C35i%23DHA.2432@TK2MSFTNGP09.phx.gbl...
> > > This is normal - the GPO is not stored in the OU - only linked. A GPO is
> > > made up of Active Directory objects located in domain.name/System/Policies
> > > as well as files and folders in SYSVOL. In order to edit/create GPOs you
> > > need to have permissions to these objects/folders.
> > >
> > > Have a look at the notes on this page (it's from XP's documentation but is
> > > applicable to Windows 2000 Server - I'm still hunting for the 2000 link)
> > > about Group Policy Creator Owners:
> > >
> > > http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/del_create.asp
> > >
> > > ------------------------------------------------------------------
> > > Mike Aubert
> > > MCSE, MCSD, MCDBA
> > > mikenews2@2000trainers.com
> > >
> > > Note the "news2" in my email address is temporary and may be changed in the
> > > future; remove it to email me at my permanent address.
> > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > >
> > >
> > > "Sabir Ahmedi" <sahmedi@ramapo.edu> wrote in message
> > > news:u%23ez%23si%23DHA.3536@TK2MSFTNGP10.phx.gbl...
> > > > Hi all,
> > > > I delegated rights to an OU and its child OU's to a specific group. But the
> > > > user in that group is unable to edit the GPO's in the OU. I then found
> > > > another place to assign rights to edit the OU GPO's.
> > > >
> > > > Is this by design or am I doing something wrong? It's just that I feel this
> > > > should have been taken care of by the delegation.
> > > >
> > > > Thanks,
> > > >
> > > > -sabir.
> > > >
> > > >
> > >
> > >
> >
> >
>
>
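
Added example, not part of the original thread: a PowerShell audit of who holds write access on the two halves of a GPO named above (the domain.name/System/Policies/{GUID_of_GPO} container and the SYSVOL\Policies\{GUID_of_GPO} folder). It assumes the GroupPolicy and ActiveDirectory RSAT modules, which postdate this thread, and that it is run against the current domain; the function name Get-GpoWriteAccess is hypothetical.

```powershell
# Added example: lists principals with write access to either half of a GPO.
# Assumes the GroupPolicy and ActiveDirectory (RSAT) modules are available.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoWriteAccess {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$GpoName,      # display name of the GPO
        [string]$Domain = $env:USERDNSDOMAIN         # assumes the current domain
    )
    $gpo = Get-GPO -Name $GpoName -Domain $Domain

    # Half 1: the AD container CN={GUID},CN=Policies,CN=System,<domain DN>
    $adMask = [int]([System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner')
    $adWriters = @((Get-Acl -Path "AD:\$($gpo.Path)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.ActiveDirectoryRights -band $adMask) -ne 0 } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    # Half 2: the SYSVOL folder \\<domain>\SYSVOL\<domain>\Policies\{GUID}
    $folder = "Microsoft.PowerShell.Core\FileSystem::\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
    $fsMask = [int]([System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership')
    $fsWriters = @((Get-Acl -LiteralPath $folder).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.FileSystemRights -band $fsMask) -ne 0 } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    # One row per principal, showing which half grants it write access.
    foreach ($principal in @($adWriters + $fsWriters | Sort-Object -Unique)) {
        [pscustomobject]@{
            Gpo          = $gpo.DisplayName
            Principal    = $principal
            ADContainer  = $principal -in $adWriters
            SysvolFolder = $principal -in $fsWriters
        }
    }
}

# Example call; 'Example GPO' is a placeholder name.
# Get-GpoWriteAccess -GpoName 'Example GPO' | Format-Table -AutoSize
```

A principal that shows True in only one column holds write access on one half only; a principal that shows True in both can edit the GPO and should be one you expect to see there.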


