Neil- You can modify the defaultSecurityDescriptor attribute in the schema to change which groups are automatically granted rights on a newly created GPO. Its described here:
http://support.microsoft.com/kb/321476/en-us Darren Darren Mar-Elia CTO & Founder www.sdmsoftware.com <http://www.sdmsoftware.com/> [EMAIL PROTECTED] v) 415-670-9302 f) 415-532-2655 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, December 04, 2006 1:23 AM To: [email protected] Subject: RE: [ActiveDir] Granting rights to 'Manage GPOs' I'd prefer to grant the service the rights it *needs* rather than carte blanche Domain Admins rights. However, as new GPOs are created, only the default (Schema defined?) ACLs are applied, which includes DAs but will *not* include my service account. Back to the drawing board... neil _____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves Sent: 04 December 2006 04:38 To: [email protected] Subject: Re: [ActiveDir] Granting rights to 'Manage GPOs' You might want to set the account to have non-interactive rights, since I'm assuming that it runs a service that actually handles all the changes - then grant it membership within the Domain Admins group - that would fix the issue once and for all, unless you've changed Domain Admins to not have the ability to edit GPOs, though it's automatically granted every time a new GPO is created, regardless of what permissions were before. On 11/25/06, Darren Mar-Elia <[EMAIL PROTECTED]> wrote: Neil- Assuming the setgpocreationpermissions script didn't fail in some way, I think the next step would be to check the perms on the various objects that should get this right. Namely, the service account you're granting access to should have the Create GroupPolicyContainer right over the cn=policies,cn=system container in AD and, similarly on the SYSVOL Policies folder, it should have Change rights over that container. Darren Darren Mar-Elia For comprehensive Windows Group Policy Information, check out www.gpoguy.com <http://www.gpoguy.com/> -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide <http://www.amazon.com/gp/product/0735622175/qid=1122367169/sr=8-1/ref=pd_bb s_1/104-1133146-9411929?v=glance&n=283155> , the definitive resource for Group Policy information. Group Policy Management solutions at SDM Software <http://www.sdmsoftware.com/> From: [EMAIL PROTECTED] [mailto: <mailto:[EMAIL PROTECTED]> [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, November 24, 2006 6:57 AM To: [email protected] Subject: [ActiveDir] Granting rights to 'Manage GPOs' I am attempting to assign rights to a service account [sys-zzz], used by a Group Policy Management tool (3rd party) so that the service account has the necessary rights to 'manage' all GPOs in the domain. Aside from app specific rights, I have assigned the following rights using GPMC scripts [scripts shown below]: 1. Create/edit GPO links at the root of the domain and all child containers cscript "%programfiles%\gpmc\scripts\SetSOMPermissions.wsf" xxx.yyy xxx\sys-zzz /Permission:linkgpos /Inherit /Domain:xxx.yyy 2. Create new GPOs in the domain cscript "%programfiles%\gpmc\scripts\SetGPOCreationPermissions.wsf" xxx\sys-zzz /Domain:xxx.yyy 3. Edit, delete and mod security rights to all existing GPOs in the domain cscript "%programfiles%\gpmc\scripts\GrantPermissionOnAllGPOs.wsf" xxx\sys-zzz /Permission:fulledit /Domain:xxx.yyy To cut a long story short, step 2 does not appear to grant the required 'create' right [GP mgmt tool complains of an "access denied" issue]. However, if I manually (using GPMC) add the service account to the list of objects permitted to create GPOs in the domain [instead of using the script in step 2], then the GP Management app functions fine. Has anyone encountered a similar issues? Are there newer version of the GPMC scripts? [I have GPMC with SP1] Just to add to the strangeness of this issue, if I execute the same scripts above but against a different domain (same service account) the 3rd party app functions fine in that other domain :/ Any comments? Thanks, neil PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies. PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
