Access denied when attempting to create a new GPO

[Guest]

I have one user that cannot create new GPO's for his OU.
Used delegation of control wizard to grant full control of the local OU.
Getting following error when trying to create new GPO.

You do not have permission to perform this operation
Access is denied.
Can modify or add existing GPO's

Any ideas on how to troubleshoot?
Thanks

 

[Guest]

Quoted from MCPMag:

"The “old-school†way of doing this was placing someone’s user account in
the Group Policy Creator Owners security group, or, if the domain was in
Native mode, you could put a group that person was in inside the Group Policy
Creator Owners group. However, this approach had several drawbacks. First, if
the domain wasn’t in Native mode, you couldn’t nest another Global Group
inside the Group Policy Creator Owners security group; you had to
specifically plunk in each specific user account. Next, the Group Policy
Creator Owners actually has more rights over sensitive AD locations than it
needs. This could be a potential security risk in the wrong hands.

The second way to delegate GPO-creation rights is through the GPMC, which
has a new way to add anyone to create GPOs in the domain of your choice, even
administrators in other domains. Simply click on the Group Policy Objects
node, then click the Delegation tab. Click Add and plug in any user you want
to grant access to to create GPOs in this domain."

Here's the full article:
http://mcpmag.com/features/article.asp?EditorialsID=404