Re: GPO Management Delegation

Tech-Archive recommends: Fix windows errors by optimizing your registry

In news:02F99281-87D3-41F8-9498-1BB99CF3D0D7@xxxxxxxxxxxxx,
sevensixtwo187 <sevensixtwo187@xxxxxxxxxxxxxxxxxxxxxxxxx> requesting assistance, typed the following:
It is just for the parent. Using a test account that should be able
to create GPOs but can't, I COULD create a folder in the Policies
folder. This is indeed perplexing.

Not necessarily. Matter of fact, it makes sense because domain (not local) GPOs have two parts, the Group Policy Container that's in Active Directory, and the Group Policy Templates, that you see in the Sysvol folder under the Policies folder. So there are actually two sets of permissions that govern what can be done with a GPO.

Also, if you think about it, when you use the delegation wizard, there's certain nuances to be dealt with, such as inheritance. One example is if you delegate to a specifi OU, it will not apply to child OUs. You would have to delegate the child as well if you want them to have that ability. But that doesn't appear to be the issue here.
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23601858.html

What tools are they using to ceate the GPO? GPMC or in the ADUC? Or did you simply create a separate MMC for them and copied over the necessary ADUC files (adprop.dll and dsadmin.dll) and the MMC file to their desktop or Start menu? If so, do they have local desktop admin rights? Have the users been blocked in a Rights somewhere, possibly part of another group, concerning accessing a DC remotely?

Ace

.

Relevant Pages

  • Re: GPO Management Delegation
    ... I COULD create a folder in the Policies ... GPOs have two parts, the Group Policy Container that's in Active Directory, ... delegate the child as well if you want them to have that ability. ... GPMC or in the ADUC? ...
    (microsoft.public.windows.server.active_directory)
  • Unable to add/edit templates
    ... applies GPOs etc. ... Templates folder was empty whne I looked in the GPMC. ... automatic update of ADM files" policy has been enabled and the "always ...
    (microsoft.public.windows.group_policy)
  • Re: Folder Redirection/Offline Files for Users not in GPO
    ... being in a particular location could have an effect insofar as GPOs go. ... That would certainly not be a desired result of implementing Folder ... Redirection. ... The user accounts need to be in the OU the Redirection Policy will apply ...
    (microsoft.public.windows.server.active_directory)
  • XP Embedded ignoring policies?
    ... Users are getting their policies by specific GPOs, ... setting in that seems to be ignored: Folder redirection for My Documents ... If I use the same user on an XP Pro box, redirection correctly works. ...
    (microsoft.public.windows.terminal_services)
  • Re: How to ... 2nd request
    ... > I appreciate your clarification and views on my answer Glenn. ... >> OUs and GPOs, ... >> There are two policies you can set to acheive the desired results. ... >> the workstations will not revert back to their default state. ...
    (microsoft.public.windows.server.general)