I agree with Neil here with just a few other suggestions. The ability to create GPOs in and of itself is not as interesting as controlling who can link the GPO to the various AD containers, as Neil indicates below. So managing delegation of the gpLink and gpOptions attributes on site, domain and OU containers is important. But if you really want to delegate creation and editing of GPOs, you have to deal with the problem outlined below, which is that the rights to create a GPO are different and don't automatically flow into rights to edit a GPO for a different user or group. One option here is to have a documented process where your creators create the GPO and then use GPMC to delegate edit rights to another user/group. Another option is to modify the defaultSecurityDescriptor attribute on the groupPolicyContainer class object to modify the default groups that can edit GPOs when they're created. In that way you can have a group that can create GPOs and another, perhaps overlapping larger group that can edit them. Problem with making such a change is that all subsequent GPOs created in the domain will have that new group ACE on them, which may or may not be desirable.
Darren -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, March 09, 2006 3:52 PM To: [email protected] Subject: RE: [ActiveDir] group policy creator owners When created, a new GPO will *not* inherit rights from the parent (if we examine SYSVOL perms, for example). You may assign user1 and user2 the rights to create GPOs in the domain (using GPMC) but each user will need to grant other users the right to edit 'their' GPO. FWIW, I think this is a bad practice and a recipe for disaster. I only ever allow DAs the rights to create and edit (and link) GPOs. How do you stop user1 or 2 from creating a GPO, editing and linking it and thus starting a DoS on all users due to a badly configured GPO? Do you control where they can link GPOs? Why not have the DAs create and link, and allow user 1 and 2 to edit (only) "their" GPOs? You appear to have relinquished all control of your GPOs to non-admins :( neil -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner Sent: 09 March 2006 13:46 To: [email protected] Subject: [ActiveDir] group policy creator owners Dear all, I am looking to some information with respect to Group policy object delegation. the requirement is to allow additional users to create new GPO's without 'Domain Admins' membership. Seems the way to go is to add the user accounts to the 'Group policy creator owners' group. this allows them to create GPO's and have the necessary permissions to edit (and presumably delete) GPO's that they own by way of there creating them. how can this be implemented to support a team environment whereby say USER2 in a group would want to be able to edit a GPO created by USER1 can we add a group to the 'Group policy creator owners' group that allows the members of that group to 'share' the permissions on GPO's that members of that group create ? if not it seems the only supported mechanism is for USER1 who creates the GPO to assign permissions on the GPO that they create - hardly ideal ? Thanks GT List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
