Re: GPO Management Delegation

I would also add that using a user that is a member of the group in question,
I can link an existing GPO no problem. The account just gets an "Access
Denied" when attempting to create a new GPO.

"sevensixtwo187" wrote:

Everyone,

I really appreciate all of the responses! However, I have reviewed and
followed all of these documents. I checked the permissions on the Policy
folder in SYSVOL and the group in question does indeed have "Write"
permission on that folder.

"Meinolf Weber" wrote:

Hello sevensixtwo187,

Also have a look here:
http://technet.microsoft.com/en-us/library/cc737014.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Hello,
I have what I consider an interesting and frustrating problem. I have
attempted to grant some non domain admin users that are OU admins the
ability
to create and link GPOs in the OU they administer. I have followed
the
procedure outlined by Microsoft. I.E. I have added the Security Group
they
belong to to the "Group Policy Creator/Owners group" I have also added
them
to the delegation tab for Group Policy object creation in our domain
and I
have granted them the right to link GPOs in GPMC. When you right
click on
the OU they administer and attempt to Create & Link a new GPO, it is
not
grayed out and it will ask for the name of the new GPO. But, once you
name it
and click "OK", it will then give an "Access Denied" error. If this is
attempted on any other OU, the GPO actions are grayed out. I have
reasearched and double checked everything but it does not work and I
cannot
find anything that sticks out as being wrong. It is almost as if the
permissions are "halfway" in place. Any thoughts, ideas or
suggestions would
be greatly appreciated.
Thank you!




.

Relevant Pages

  • Re: Help with GPO problem! PLEASE!!
    ... Can you create a new GPO?? ... If so use it to compare permissions to the two ... > Configuration information could not be read from the domain controller, ... Failed to open the Group Policy Object. ...
    (microsoft.public.windows.group_policy)
  • Re: GPO and Group Policy
    ... There are plenty of explanations of setting Share and NTFS ... Setting Special Permissions are not really any harder (after you do Standard ... You can ONLY LINK a GPO to a 'container', either a Site, Domain, or OU. ... The ONLY way you can use Groups with Group Policy (yes we know it ...
    (microsoft.public.windows.server.active_directory)
  • Re: Win2003 "cannot access the file gpt.ini"
    ... think a certain antivirus program messed the permissions up. ... fine, so we created a new blank GPO, then copied its gpt.ini back to the ... > I have installed Windows Server 2003 as a "first server on the network". ... > Windows cannot query for the list of Group Policy objects. ...
    (microsoft.public.windows.server.setup)
  • Re: LoopBack policy
    ... If you are familiar with the notion of security filtering of a GPO, then this is the same thing. ... Whereas normally, in order to process a GPO, a computer or user needs the Read and Apply Group Policy permissions, what you can also do is create an explicit Deny ACE on the GPO that you are implementing the loopback user settings with. ...
    (microsoft.public.windows.group_policy)
  • Re: GPO and Group Policy
    ... Herb can you give me instructions on how to do this. ... You can ONLY LINK a GPO to a 'container', either a Site, Domain, or OU. ... The ONLY way you can use Groups with Group Policy (yes we know it ... This is called FILTERING (when you use Group Permissions). ...
    (microsoft.public.windows.server.active_directory)
Loading