Delegating GPOs

Mary Allio

I've delegated an OU with some other OUs contained within it
to group A with all delegated rights.

On the OUs there are GPOs assigned. I've assigned FC
rights in AD Users and Computers on those GPOs to group A.

Group A used to be able to edit the GPOs that I've
assigned them FC rights to, but now they get an
error "Failed to save failed to save
ov\SysVol\Domain.gov\Policies\{18F0E4FA-C1A6-4565-BA82-2C45E7CD7E5A}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

I've re-delegated the OU and deleted and reassigned rights
to Group A in AD Users and Computers. The DCs seem to be
running fine, no errors, and no synchronization problems.

Any ideas what went wrong?
 

Steven L Umbach

Check that they still have write permissions to the GPO itself in
GPO/properties/security. Check to see if a domain admin can edit and save the policy.
If an admin can then it must be a permission issue, possibly to that policy folder in
the sysvol share. You can find the policy number [unique name] in its
properties. -- Steve
 

Mary Allio

I've checked the GPO/properties/security, and the
delegated users have Full Control. I checked the sysvol
folder for the appropriate GPO, and the delegated users
have Full Control. I have no problems as a domain admin
to edit the GPO. I'm not sure where else to look for
permission problems??

 

Darren Mar-Elia

Mary-
A couple of things. First off, make sure you are checking permissions on the
instance of SYSVOL on the DC where those users are trying to edit the GPO.
This usually defaults to the PDC role-holder DC. Also, it's probably a good
idea to check the equivalent permissions on the AD part of the GPO. This
will be found under system\policies\<GUID of GPO> in AD Users and Computers.
The permissions on the GUID-named container should be roughly equivalent to
those found in the SYSVOL part of the GPO (I say roughly because AD perms
and NTFS perms don't map 1-1 but you should see the same groups having
roughly the same permissions). Also, make sure the permissions in SYSVOL are
consistent all the way down the folder structure for that GPO. In other
words, make sure that there isn't some permission corruption at the level of
the \Machine\Microsoft\Windows NT\SecEdit\ folder that would be preventing
you from writing the inf file.

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
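
One way to script the checks described in the reply above (an added example, not code from the thread or its participants). It assumes the ActiveDirectory PowerShell module is installed; `EXAMPLE\GroupA` is a placeholder for the delegated group, and the GUID is the one from the error message.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$GpoGuid = '{18F0E4FA-C1A6-4565-BA82-2C45E7CD7E5A}'  # GUID from the error message above
$Group   = 'EXAMPLE\GroupA'                           # placeholder: the delegated group

# Check the SYSVOL instance on the PDC emulator, where GPO edits go by default.
$domain = Get-ADDomain
$root   = "\\$($domain.PDCEmulator)\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid"

# Write bits needed to save a file such as GptTmpl.inf (Modify and FullControl include them).
$write = [System.Security.AccessControl.FileSystemRights]::Write

# Walk the GPO folder and every subfolder, e.g. Machine\Microsoft\Windows NT\SecEdit.
$folders = @(Get-Item -LiteralPath $root) +
           @(Get-ChildItem -LiteralPath $root -Recurse -Directory)

$report = foreach ($f in $folders) {
    $acl  = Get-Acl -LiteralPath $f.FullName
    # Only ACEs that name the group directly; nested membership is not resolved.
    $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Group })
    [pscustomobject]@{
        Folder             = '.' + $f.FullName.Substring($root.Length)
        InheritanceBlocked = $acl.AreAccessRulesProtected
        GroupCanWrite      = [bool]($aces | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $write) -eq $write })
        GroupDenied        = [bool]($aces | Where-Object { $_.AccessControlType -eq 'Deny' })
    }
}

# Folders whose ACL differs from what the delegation needs.
$report |
    Where-Object { $_.InheritanceBlocked -or $_.GroupDenied -or -not $_.GroupCanWrite } |
    Format-Table -AutoSize

# AD half of the GPO: the GUID-named container under System\Policies.
$adPath = "AD:\CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Select-Object AccessControlType, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

A subfolder listed in the first table without write access for the group, or with a Deny entry, is the kind of inconsistency the reply describes; the second table shows what the same group holds on the AD side for comparison.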



 
