Delegating Linking of GPOs The settings in a GPO are applied to users and computers by linking the GPO to a SOM (site, domain, or OU) that contains the user or computer objects, either as a direct child or indirectly through inheritance. The ability to link GPOs to a SOM is a permission that is specific to that SOM. At the lowest level, the permission equates to having read and write access to the gPLink and gPOptions attributes on the SOM. However, with GPMC, there should be no need to manage these attributes individually. GPMC abstracts this permission as a single permission called “Link GPOs.” This permission also grants the ability to manage link order, block inheritance, and set the enforced attribute on GPO-links to this SOM. http://technet.microsoft.com/en-us/library/cc780852(WS.10).aspx
So, if I'm understanding that, you have not actually given them permission to create or manage GPO's. On Fri, Jan 8, 2010 at 2:42 PM, Christopher Bodnar < [email protected]> wrote: > W2K3 FFL: > > > > I’m trying to delegate GPO administration to a group of users. I’ve run the > Delegation of Control wizard and gave them the Manage Group Policy links > selection. Should this give them the ability to read and edit existing GPOs? > > > > > When you look at the security properties at the domain level it looks like > that is giving them read/write to gPLink and gPOptions. But when I go to the > GPMC and look at any individual GOP, on the delegation tab, I don’t see the > group I added. > > > > Any thoughts? > > > > Thanks, > > > > > > Chris Bodnar, MCSE > Sr. Systems Engineer > Infrastructure Service Delivery > Distributed Systems Service Delivery - Intel Services > Guardian Life Insurance Company of America > Email: [email protected] > Phone: 610-807-6459 > Fax: 610-807-6003 > > > > > > > > ------------------------------ > > *This message, and any attachments to it, may contain information that is > privileged, confidential, and exempt from disclosure under applicable law. > If the reader of this message is not the intended recipient, you are > notified that any use, dissemination, distribution, copying, or > communication of this message is strictly prohibited. If you have received > this message in error, please notify the sender immediately by return e-mail > and delete the message and any attachments. Thank you. * > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
