Delegation of rights not providing rights to edit GPOs

Sabir Ahmedi

Hi all,
I delegated rights to an OU and its child OUs to a specific group. But the
user in that group is unable to edit the GPOs in the OU. I then found
another place to assign rights to edit the OU GPOs.

Is this by design or am I doing something wrong? It's just that I feel this
should have been taken care of by the delegation.

Thanks,

-sabir.
 
Mike Aubert

This is normal - the GPO is not stored in the OU - only linked. A GPO is
made up of Active Directory objects located in domain.name/System/Policies
as well as files and folders in SYSVOL. In order to edit/create GPOs you
need to have permissions to these objects/folders.

Have a look at the notes on this page (it's from XP's documentation but is
applicable to Windows 2000 Server - I'm still hunting for the 2000 link)
about Group Policy Creator Owners:

http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/del_create.asp

------------------------------------------------------------------
Mike Aubert
MCSE, MCSD, MCDBA
(e-mail address removed)

Note the "news2" in my email address is temporary and may be changed in the
future, remove it to email me at my permanent address.
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Sabir Ahmedi

Thanks Mike,
I did that but it did not work. That group does not have rights to edit the
GPOs by default.

Thanks for the suggestion though, any others,

Sabir.
 
Mike Aubert

Correct - that group only has the right to create GPOs (as indicated in that
link I posted). The creator of a GPO is given rights to edit the GPO. So, if
a user that is a member of Group Policy Creator Owners creates a GPO, the
user will then have permissions to edit the GPO (but only that user - not
the whole group).

If you need to give someone permission to an existing GPO you have to give
them permission on the domain.name/System/Policies/{GUID_of_GPO} container
and SYSVOL\Policies\{GUID_of_GPO} folder.

Mike

 
Mike Aubert

Duh, brain cramp...

Just to be clear, to set the permissions on an existing GPO, select the GPO
from the list of linked GPOs and then click properties. On the security tab
give the user/group the Full Control (or just Write if you don't want them
to be able to change security permissions) permission and then click OK.
This will set the permissions on the
domain.name/System/Policies/{GUID_of_GPO} container and
SYSVOL\Policies\{GUID_of_GPO} folder for you.

Have a look at this KB article for more info:

HOW TO: Delegate Authority for Editing a Group Policy Object (GPO)
http://support.microsoft.com/?id=221577

Mike

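The point made in the replies above (edit rights live on each GPO, not on the OU it is linked to) can be audited per GPO. The script below is an added example, not part of the original thread: it assumes the GroupPolicy and ActiveDirectory PowerShell modules, which postdate the Windows 2000 tools discussed, and the OU, group and function names are constructed placeholders.

```powershell
# Added example. Requires the GroupPolicy and ActiveDirectory RSAT modules
# (Windows Server 2008 R2 or later) and an account that can read GPO security.
Import-Module GroupPolicy, ActiveDirectory

# Constructed placeholder values; replace with your own OU and group.
$OuDn  = 'OU=Branch,DC=example,DC=com'
$Group = 'Branch GPO Editors'

# Hypothetical helper: report the group's permission on every GPO linked
# to the delegated OU or to any child OU beneath it.
function Get-LinkedGpoEditReport {
    param([string]$SearchBase, [string]$GroupName)

    $ous = Get-ADOrganizationalUnit -SearchBase $SearchBase -SearchScope Subtree -Filter *
    foreach ($ou in $ous) {
        # GpoLinks holds only GPOs linked directly to this OU (not inherited ones).
        foreach ($link in (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks) {
            # The ACL is on the GPO itself, so OU delegation never shows up here.
            $perm = Get-GPPermission -Guid $link.GpoId -TargetName $GroupName `
                        -TargetType Group -ErrorAction SilentlyContinue
            $level = if ($perm) { [string]$perm.Permission } else { 'None' }
            [pscustomobject]@{
                OU         = $ou.DistinguishedName
                Gpo        = $link.DisplayName
                GpoId      = $link.GpoId
                Permission = $level
                CanEdit    = $level -in 'GpoEdit', 'GpoEditDeleteModifySecurity'
            }
        }
    }
}

$report = Get-LinkedGpoEditReport -SearchBase $OuDn -GroupName $Group
$report | Format-Table OU, Gpo, Permission, CanEdit -AutoSize

# Grant edit rights only where missing. GpoEdit allows editing settings;
# GpoEditDeleteModifySecurity additionally allows changing the GPO's security.
# -WhatIf previews the change; remove it to apply.
$report | Where-Object { -not $_.CanEdit } | Sort-Object GpoId -Unique |
    ForEach-Object {
        Set-GPPermission -Guid $_.GpoId -TargetName $Group -TargetType Group `
            -PermissionLevel GpoEdit -WhatIf
    }
```

A GPO linked to several OUs is shared by all of them, so review the report before granting: edit rights on the GPO affect every location it is linked to, not just the delegated OU.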
 