thanks both for views on this which make a whole load of sense i think how i am to proceed is to leave the 'domain admins' with the task of GPO creation and delegation to appropriate groups of people.
it would be my view that you should be able to trust the people to whom authority for a GPO is delegated to manage the point at which it becomes 'active' by way of the linking to a particular OU, and as such delegate the GpLINK. quick question if i may though ... the delegation of gplink is available from the 'delegate control wizards' (Windows 2000 here sorry !) i assume this is sufficient for the delegate to link a GPO to the OU - what does the delegation of GPOPTIONS allow additionally ?? GT > I agree with Neil here with just a few other suggestions. The ability to > create GPOs in and of itself is not as interesting as controlling who > can link the GPO to the various AD containers, as Neil indicates below. > So managing delegation of the gpLink and gpOptions attributes on site, > domain and OU containers is important. But if you really want to > delegate creation and editing of GPOs, you have to deal with the problem > outlined below, which is that the rights to create a GPO are different > and don't automatically flow into rights to edit a GPO for a different > user or group. One option here is to have a documented process where > your creators create the GPO and then use GPMC to delegate edit rights > to another user/group. Another option is to modify the > defaultSecurityDescriptor attribute on the groupPolicyContainer class > object to modify the default groups that can edit GPOs when they're > created. In that way you can have a group that can create GPOs and > another, perhaps overlapping larger group that can edit them. Problem > with making such a change is that all subsequent GPOs created in the > domain will have that new group ACE on them, which may or may not be > desirable. > > Darren > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > [EMAIL PROTECTED] > Sent: Thursday, March 09, 2006 3:52 PM > To: [email protected] > Subject: RE: [ActiveDir] group policy creator owners > > When created, a new GPO will *not* inherit rights from the parent (if we > examine SYSVOL perms, for example). > > You may assign user1 and user2 the rights to create GPOs in the domain > (using GPMC) but each user will need to grant other users the right to > edit 'their' GPO. > > FWIW, I think this is a bad practice and a recipe for disaster. I only > ever allow DAs the rights to create and edit (and link) GPOs. How do you > stop user1 or 2 from creating a GPO, editing and linking it and thus > starting a DoS on all users due to a badly configured GPO? Do you > control where they can link GPOs? Why not have the DAs create and link, > and allow user 1 and 2 to edit (only) "their" GPOs? You appear to have > relinquished all control of your GPOs to non-admins :( > > neil > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner > Sent: 09 March 2006 13:46 > To: [email protected] > Subject: [ActiveDir] group policy creator owners > > Dear all, I am looking to some information with respect to Group policy > object delegation. > > the requirement is to allow additional users to create new GPO's without > 'Domain Admins' membership. > > Seems the way to go is to add the user accounts to the 'Group policy > creator owners' > group. > > this allows them to create GPO's and have the necessary permissions to > edit (and presumably delete) GPO's that they own by way of there > creating them. > > how can this be implemented to support a team environment whereby say > USER2 in a group would want to be able to edit a GPO created by USER1 > > can we add a group to the 'Group policy creator owners' group that > allows the members of that group to 'share' the permissions on GPO's > that members of that group create ? > > if not it seems the only supported mechanism is for USER1 who creates > the GPO to assign permissions on the GPO that they create - hardly > ideal ? > > Thanks > > GT > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > > PLEASE READ: The information contained in this email is confidential and > intended for the named recipient(s) only. If you are not an intended > recipient of this email please notify the sender immediately and delete > your copy from your system. You must not copy, distribute or take any > further action in reliance on it. Email is not a secure method of > communication and Nomura International plc ('NIplc') will not, to the > extent permitted by law, accept responsibility or liability for (a) the > accuracy or completeness of, or (b) the presence of any virus, worm or > similar malicious or disabling code in, this message or any > attachment(s) to it. If verification of this email is sought then please > request a hard copy. Unless otherwise stated this email: (1) is not, and > should not be treated or relied upon as, investment research; (2) > contains views or opinions that are solely those of the author and do > not necessarily represent those of NIplc; (3) is intended for > informational purposes only and is not a recommendation, solicitation or > offer to buy or sell securities or related financial instruments. NIplc > does not provide investment services to private customers. Authorised > and regulated by the Financial Services Authority. Registered in > England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St > Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of > companies. > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
