Discussion:
GPO Management Delegation
sevensixtwo187
2008-10-06 21:15:30 UTC
Hello,
I have what I consider an interesting and frustrating problem. I have
attempted to grant some non-domain-admin users that are OU admins the ability
to create and link GPOs in the OU they administer. I have followed the
procedure outlined by Microsoft, i.e. I have added the Security Group they
belong to to the "Group Policy Creator Owners" group. I have also added them
to the delegation tab for Group Policy object creation in our domain and I
have granted them the right to link GPOs in GPMC. When you right-click on
the OU they administer and attempt to Create & Link a new GPO, it is not
grayed out and it will ask for the name of the new GPO. But, once you name it
and click "OK", it will then give an "Access Denied" error. If this is
attempted on any other OU, the GPO actions are grayed out. I have
researched and double-checked everything but it does not work and I cannot
find anything that sticks out as being wrong. It is almost as if the
permissions are "halfway" in place. Any thoughts, ideas or suggestions would
be greatly appreciated.

Thank you!
Marcin
2008-10-06 22:38:46 UTC
Have you verified that the group you designated has Write permissions on the
Policies subfolder under SYSVOL?

hth
Marcin
sevensixtwo187
2008-10-07 00:33:00 UTC
Marcin,
No, I have not. Thank you for pointing that out. I had not thought about it
being an issue but, I could see how it could be. I will have a look in the
morning. I assume "Modify" permissions would be sufficient?
Ace Fekay [Microsoft Certified Trainer]
2008-10-07 04:05:20 UTC
The following is a little more info on GPO delegation, including the
permissions breakdown.

Delegating Administration of Group Policy:
http://technet.microsoft.com/en-us/library/cc781991.aspx


--
Ace

This posting is a personal opinion based on experience, and is provided
"AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone
numbers.
Meinolf Weber
2008-10-07 07:44:22 UTC
Hello sevensixtwo187,

Also have a look here:
http://technet.microsoft.com/en-us/library/cc737014.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
sevensixtwo187
2008-10-07 13:35:01 UTC
Everyone,

I really appreciate all of the responses! However, I have reviewed and
followed all of these documents. I checked the permissions on the Policy
folder in SYSVOL and the group in question does indeed have "Write"
permission on that folder.
sevensixtwo187
2008-10-07 18:39:01 UTC
I would also add that using a user that is a member of the group in question,
I can link an existing GPO no problem. The account just gets an "Access
Denied" when attempting to create a new GPO.
Ace Fekay [Microsoft Certified Trainer]
2008-10-08 03:13:53 UTC
Are there any errors in the Event viewer?
May I assume the users are part of the domain that you are delegating the
ability to manage GPOs?
Are the users part of any group that has a deny anywhere?


Ace
sevensixtwo187
2008-10-08 13:12:01 UTC
Ace,

I really appreciate your response. Yes, they are in the same domain. I
will check the other items you suggest.
sevensixtwo187
2008-10-08 16:28:13 UTC
There are no event log errors. As a matter of fact, there are success events
in the DC security logs for GPO container creation. They are only a member of
"Domain Users", "GP Creator/Owners", and the group I created to hold them and
grant the rights to. No explicit denies that I can find.
sevensixtwo187
2008-10-08 17:41:13 UTC
Jorge,

I appreciate your response. However, as I have stated, I have indeed read
the articles concerned with this and I have followed them. This group is a
member of the "GP Creator/Owner" group AND they have been explicitly granted
the permission to link GPOs in the OU in question. Members of that group can
successfully link GPOs already in existence. They cannot create new GPOs,
despite the fact that the group they are a member of has been granted that
right.

Thank you,
Hi
I suggest that you read the link posted by Ace, particularly the section
"Delegating Creation of GPOs":
http://technet.microsoft.com/en-us/library/cc781991.aspx
The ability to create GPOs in a domain is a permission that is managed on a
per-domain basis. By default, only Domain Administrators, Enterprise
Administrators, Group Policy Creator Owners, and SYSTEM can create new Group
Policy objects. If the domain administrator wants a non-administrator or
non-administrative group to be able to create GPOs, that user or group can
be added to the Group Policy Creator Owners security group. Alternatively,
you can use the Delegation tab on the Group Policy Objects container in GPMC
to delegate creation of GPOs. When a non-administrator who is a member of
the Group Policy Creator Owners group creates a GPO, that user becomes the
creator owner of the GPO and can edit the GPO and modify permissions on the
GPO. However, members of the Group Policy Creator Owners group cannot link
GPOs to containers unless they have been separately delegated the right to
do so on a particular site, domain, or OU. Being a member of the Group
Policy Creator Owners group gives the non-administrator full control of only
those GPOs that the user creates. Group Policy Creator Owner members do not
have permissions for GPOs that they do not create.
--
I hope that the information above helps you.
Have a Nice day.
Jorge Silva
MCSE, MVP Directory Services
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
Ace Fekay [Microsoft Certified Trainer]
2008-10-08 23:07:41 UTC
That is an important passage that Jorge pointed out. Thanks, Jorge!

Curious, if you delegate the user directly (not by the group), does it work?
If so, what type of group did you create? What functional mode is the domain
and forest in? How many DCs and Sites?

Ace
sevensixtwo187
2008-10-09 12:57:01 UTC
Delegating the user directly was my next thought on the matter. I will try
that and then report back with the results.
Global Security Group. Domain and Forest in native 2003 mode. 7 DCs. 5 Sites.

Thank you,
sevensixtwo187
2008-10-09 16:39:01 UTC
I delegated the user directly and still no luck.
sevensixtwo187
2008-10-09 16:54:18 UTC
I think I may have found an issue. The permissions on the Policies folder do
not inherit down to child objects under the Policies folder. Does anyone know
if "Allow inheritable permissions to propagate ....." should be checked on
the Policies folder ?
Ace Fekay [Microsoft Certified Trainer]
2008-10-10 00:23:07 UTC
No, they shouldn't be. I just looked at a fresh install I was prepping for a
customer. Properties of the Policies folder, Security, Advanced, which I
assume is what you are referring to.

Since you are in there, do you see that group? What are its permissions
listed as? In Advanced, highlight the group, click Edit. Is it set to just the
parent, or to child objects as well?

Ace
sevensixtwo187
2008-10-10 01:13:00 UTC
It is just for the parent. Using a test account that should be able to create
GPOs but can't, I COULD create a folder in the Policies folder. This is
indeed perplexing.
Ace Fekay [Microsoft Certified Trainer]
2008-10-11 03:25:49 UTC
Not necessarily. Matter of fact, it makes sense because domain (not local)
GPOs have two parts, the Group Policy Container that's in Active Directory,
and the Group Policy Templates, that you see in the Sysvol folder under the
Policies folder. So there are actually two sets of permissions that govern
what can be done with a GPO.

Also, if you think about it, when you use the delegation wizard, there are
certain nuances to be dealt with, such as inheritance. One example is if you
delegate to a specific OU, it will not apply to child OUs. You would have to
delegate the child as well if you want them to have that ability. But that
doesn't appear to be the issue here.
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23601858.html

What tools are they using to create the GPO? GPMC or in the ADUC? Or did you
simply create a separate MMC for them and copy over the necessary ADUC
files (adprop.dll and dsadmin.dll) and the MMC file to their desktop or
Start menu? If so, do they have local desktop admin rights? Have the users
been blocked in a right somewhere, possibly as part of another group,
concerning accessing a DC remotely?

Ace
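The two permission sets Ace describes above (the Group Policy Container in Active Directory and the Group Policy Template under SYSVOL), together with the Group Policy Creator Owners membership and the separate link right that Jorge's quoted passage explains, can be audited read-only from a workstation with RSAT. The script below is an added example and is not code from this thread or from Microsoft; it assumes the ActiveDirectory PowerShell module is installed, and the principal name and OU distinguished name are placeholders to be replaced with your own.

```powershell
<#
  Added example (not from the thread). Read-only audit of what governs
  "create and link a GPO" for one principal:
    1. membership in Group Policy Creator Owners
    2. CreateChild for groupPolicyContainer on CN=Policies,CN=System (GPC side)
    3. NTFS rights on the SYSVOL Policies folder and their inheritance (GPT side)
    4. WriteProperty on gPLink / gPOptions on the target OU (link right)
    5. any explicit Deny ACE for the principal on those three objects
  Assumes the RSAT ActiveDirectory module. $Principal and $TargetOU are placeholders.
#>
param(
    [string]$Principal = 'CONTOSO\OU-Admins',            # placeholder group
    [string]$TargetOU  = 'OU=Branch,DC=contoso,DC=com'   # placeholder OU DN
)
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$dnsRoot  = $domain.DNSRoot
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve schemaIDGUIDs from the schema at runtime rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$gpcClassGuid  = Get-SchemaGuid 'groupPolicyContainer'
$gpLinkGuid    = Get-SchemaGuid 'gPLink'
$gpOptionsGuid = Get-SchemaGuid 'gPOptions'

# All ACEs on a path (AD: drive or UNC) whose identity matches the principal.
function Get-AcesFor([string]$Path, [string]$Identity) {
    @((Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference.Value -ieq $Identity })
}

# 1. Direct membership in Group Policy Creator Owners.
$sam          = $Principal.Split('\')[-1]
$principalObj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)"
$gpco         = Get-ADGroup -Identity 'Group Policy Creator Owners' -Properties member
$inGpco       = $gpco.member -contains $principalObj.DistinguishedName
"[GPCO member] $Principal : $inGpco"

# 2. GPC side: an Allow ACE with CreateChild, scoped to groupPolicyContainer or to all child classes.
$policiesDN = "CN=Policies,CN=System,$domainDN"
$gpcAces    = Get-AcesFor "AD:\$policiesDN" $Principal
$canCreate  = $gpcAces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
    ($_.ObjectType -eq $gpcClassGuid -or $_.ObjectType -eq [guid]::Empty)
}
"[GPC create]  CreateChild(groupPolicyContainer) on $policiesDN : $([bool]$canCreate)"

# 3. GPT side: NTFS ACEs on the Policies folder, including whether they reach subfolders.
$gptPath = "\\$dnsRoot\SYSVOL\$dnsRoot\Policies"
$gptAces = Get-AcesFor $gptPath $Principal
if ($gptAces.Count -eq 0) { "[GPT NTFS]    no explicit ACE for $Principal on $gptPath" }
foreach ($ace in $gptAces) {
    "[GPT NTFS]    $($ace.AccessControlType) $($ace.FileSystemRights) inheritance=$($ace.InheritanceFlags)"
}

# 4. Link right: WriteProperty on gPLink and gPOptions (or on all properties) at the OU.
$ouAces  = Get-AcesFor "AD:\$TargetOU" $Principal
$canLink = $ouAces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
    ($_.ObjectType -eq $gpLinkGuid -or $_.ObjectType -eq $gpOptionsGuid -or $_.ObjectType -eq [guid]::Empty)
}
"[OU link]     WriteProperty(gPLink/gPOptions) on $TargetOU : $([bool]$canLink)"

# 5. Explicit denies win over allows, so surface any for this principal.
($gpcAces + $gptAces + $ouAces) | Where-Object { $_.AccessControlType -eq 'Deny' } | ForEach-Object {
    $rights = if ($_.PSObject.Properties['ActiveDirectoryRights']) { $_.ActiveDirectoryRights } else { $_.FileSystemRights }
    "[DENY]        $rights for $Principal"
}
```

Run it as an account that can read the ACLs (no write access is needed); a result of `True` for the GPC create check but no Allow ACE on the GPT folder, or the reverse, is exactly the "halfway" state the original poster describes, since a new GPO needs both halves created in one operation. The membership check is direct membership only; if the principal is nested through another group, extend step 1 with Get-ADPrincipalGroupMembership.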
sevensixtwo187
2008-10-13 21:26:27 UTC
Ace,
GPMC has been used. They are not a member of any groups that would prohibit
them.
They do not have the right to logon to a DC. BUT, if we were willing to
allow that, then we could just make them all Domain Admins.
Ace Fekay [Microsoft Certified Trainer]
2008-10-15 03:50:35 UTC
Not necessarily. If you gave them the right to log on but they are not
Domain Admins, they can't perform Domain Admin tasks, just the tasks they
were delegated.
sevensixtwo187
2008-10-16 14:05:01 UTC
So, are you saying they need to be granted "Logon Locally" to the DCs?
Ace Fekay [Microsoft Certified Trainer]
2008-10-17 03:19:37 UTC
At this point I'm not sure. You followed the guidelines without luck, so I
believe something else is going on. But go ahead, give it a shot please, and
let me know if it worked.
sevensixtwo187
2008-10-17 15:59:00 UTC
Ace,

I will give it a try and let you know.
Ace Fekay [Microsoft Certified Trainer]
2008-10-18 14:58:04 UTC
Sounds good!