I read it that they can only link existing GPOs to OUs but cannot 
create/modify GPOs. I wonder if being a member of "Account Administrators" 
allows GPO modification?
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



From: Christopher Bodnar [mailto:[email protected]]
Sent: Friday, January 08, 2010 1:06 PM
To: NT System Admin Issues
Subject: RE: Delegating GPO administration

In GPMC the group does show on the Delegation tab as having the Link GPOs 
permission. But when you look at an individual GPO, that group is not present 
on the delegation tab.





Chris Bodnar, MCSE
Sr. Systems Engineer
Infrastructure Service Delivery
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]<mailto:[email protected]>
Phone: 610-807-6459
Fax: 610-807-6003

________________________________
From: [email protected] [mailto:[email protected]]
Sent: Friday, January 08, 2010 3:26 PM
To: NT System Admin Issues
Subject: Re: Delegating GPO administration

Delegating Linking of GPOs

The settings in a GPO are applied to users and computers by linking the GPO to 
a SOM (site, domain, or OU) that contains the user or computer objects, either 
as a direct child or indirectly through inheritance. The ability to link GPOs 
to a SOM is a permission that is specific to that SOM. At the lowest level, the 
permission equates to having read and write access to the gPLink and gPOptions 
attributes on the SOM. However, with GPMC, there should be no need to manage 
these attributes individually. GPMC abstracts this permission as a single 
permission called "Link GPOs." This permission also grants the ability to 
manage link order, block inheritance, and set the enforced attribute on 
GPO-links to this SOM.
http://technet.microsoft.com/en-us/library/cc780852(WS.10).aspx

So, if I'm understanding that, you have not actually given them permission to 
create or manage GPOs.

On Fri, Jan 8, 2010 at 2:42 PM, Christopher Bodnar <[email protected]> wrote:
W2K3 FFL:

I'm trying to delegate GPO administration to a group of users. I've run the 
Delegation of Control wizard and gave them the Manage Group Policy links 
selection. Should this give them the ability to read and edit existing GPOs?

When you look at the security properties at the domain level it looks like that 
is giving them read/write to gPLink and gPOptions. But when I go to the GPMC 
and look at any individual GPO, on the delegation tab, I don't see the group I 
added.

Any thoughts?

Thanks,



Chris Bodnar, MCSE
Sr. Systems Engineer
Infrastructure Service Delivery
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: [email protected]<mailto:[email protected]>
Phone: 610-807-6459
Fax: 610-807-6003






________________________________

This message, and any attachments to it, may contain information that is 
privileged, confidential, and exempt from disclosure under applicable law. If 
the reader of this message is not the intended recipient, you are notified that 
any use, dissemination, distribution, copying, or communication of this message 
is strictly prohibited. If you have received this message in error, please 
notify the sender immediately by return e-mail and delete the message and any 
attachments. Thank you.
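
The split discussed in this thread, "Link GPOs" on the SOM versus edit rights on each GPO, can be audited from both sides. The script below is an added example, not something posted by anyone on the list; it assumes the RSAT ActiveDirectory and GroupPolicy modules (where the cmdlet is named Get-GPPermission), and the function names and the group name are hypothetical.

```powershell
# Added example: function names and the group name are hypothetical placeholders.
Import-Module ActiveDirectory, GroupPolicy

# schemaIDGUIDs of the two attributes that GPMC presents as "Link GPOs"
$LinkAttrs = @{
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'gPLink'
    'f30e3bbf-9ff0-11d1-b603-0000f80367c1' = 'gPOptions'
}
$WriteProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Who holds an explicit write ACE on gPLink/gPOptions of a SOM (domain or OU)?
# Broader ACEs (GenericAll, or WriteProperty on all attributes) also permit
# linking but are not reported by this narrow filter.
function Get-LinkGpoDelegation {
    param([Parameter(Mandatory)][string]$SomDN)
    (Get-Acl -Path "AD:\$SomDN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $WriteProp) -and
        $LinkAttrs.ContainsKey($_.ObjectType.ToString())
    } | ForEach-Object {
        [pscustomobject]@{
            Som       = $SomDN
            Trustee   = $_.IdentityReference.Value
            Attribute = $LinkAttrs[$_.ObjectType.ToString()]
            Inherited = $_.IsInherited
        }
    }
}

# Who can edit each GPO? This is the per-GPO Delegation tab, stored on the GPO itself.
function Get-GpoEditDelegation {
    Get-GPO -All | ForEach-Object {
        $gpo = $_
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { [string]$_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    Permission = $_.Permission
                }
            }
    }
}

$domainDN = (Get-ADDomain).DistinguishedName
$group    = 'GPO-Link-Operators'   # placeholder group name
Get-LinkGpoDelegation -SomDN $domainDN | Where-Object Trustee -like "*\$group"
Get-GpoEditDelegation | Where-Object Trustee -eq $group
```

A group that appears only in the first result set can link, reorder, enforce and block inheritance at that SOM but cannot change the settings inside any GPO.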










