Permissions Required to Create a GPO

Jim

May 1, 2007, 10:55:37 AM
What permissions are required to create a GPO anywhere in AD? If we
specifically allow for e.g. full control on one particular OU to a group called
GPO admin - where users are simply domain users - the users can edit,
delete - do anything to any object in that OU - but they cannot create a
GPO.

What specific permission is required for this?

Regards,
Jim


Harj

May 1, 2007, 11:01:55 AM

Hi,

Creating GPOs is a user right of the Group Policy Creator Owners
(GPCO) group by default but can be delegated to any group or user.
There are two methods to grant a group or user this right:

· Add the user or group to membership of the Group Policy Creator
Owners (GPCO) group. This was the only method available prior to GPMC.
· Explicitly grant the group or user permission to create GPOs. This
method is newly available with GPMC.

You can manage this permission using the Delegation tab on the Group
Policy Objects container for a given domain in GPMC. This tab shows
the groups that have permission to create GPOs in the domain,
including the GPCO group. From this tab, you can modify the membership
of existing groups with this permission, or add new groups.

All the information you need can be found at the following link

Delegation and policy-related permissions
http://207.46.196.114/windowsserver/en/library/53769684-2a36-46b2-8fd9-ae009b58306f1033.mspx?mfr=true

Good luck

Harj Singh
Power Your Active Directory Investment
www.specopssoft.com
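
To audit both methods described in the answer above, the following added example (not part of the original thread) lists every principal that can currently create GPOs in a domain. It assumes the RSAT ActiveDirectory PowerShell module and a domain-joined session, and relies on GPO creation rights being stored as a create-child ACE for the `groupPolicyContainer` class on the domain's `CN=Policies,CN=System` container.

```powershell
# Added example: list every principal that can create GPOs in the current domain.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$rootDse  = Get-ADRootDSE
# GPOs are created in this one domain-level container, not inside OUs.
$policies = "CN=Policies,CN=System,$($domain.DistinguishedName)"

# Resolve the schema GUID of the groupPolicyContainer class from the schema itself.
$gpcClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
$gpcGuid  = [guid]$gpcClass.schemaIDGUID
$anyClass = [guid]::Empty   # an ACE with no object type applies to every child class

$create = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

# Method 2 in the answer: explicit "create GPO" ACEs on the Policies container.
# GenericAll (full control) includes the CreateChild bit, so it is caught as well.
$aceHolders = (Get-Acl -Path "AD:\$policies").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $create) -and
        ($_.ObjectType -eq $gpcGuid -or $_.ObjectType -eq $anyClass)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.IdentityReference.Value
            Source    = 'ACE on Policies container'
            Rights    = $_.ActiveDirectoryRights
            Inherited = $_.IsInherited
        }
    }

# Method 1: membership of Group Policy Creator Owners (well-known RID 520).
$gpcoSid = "$($domain.DomainSID.Value)-520"
$members = Get-ADGroupMember -Identity $gpcoSid -Recursive |
    ForEach-Object {
        [pscustomobject]@{
            Principal = $_.SamAccountName
            Source    = 'Member of Group Policy Creator Owners'
            Rights    = 'via group membership'
            Inherited = $false
        }
    }

@($aceHolders) + @($members) | Sort-Object Source, Principal | Format-Table -AutoSize
```

Full control on an OU never shows up in this output, which is why the "GPO admin" group in the question could manage objects in its OU but not create a GPO.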

Roger Abell [MVP]

May 1, 2007, 11:21:38 AM
Pay attention to what info Harj has provided.

To clear up your thinking on this, notice that you make a mistake in
"create a GPO anywhere in AD". GPOs are only created in one
way, one place in a domain; they can be triggered to get created
in the UI from many, but they are domain objects (not objects of
the OUs, contained in the OU); they get linked to OU, but their
creation/deletion is a domain-level event not an OU level one.

Roger

"Jim" <j...@nomail.com> wrote in message
news:HbOdnUOG8fV3yarb...@pipex.net...

Jim

May 1, 2007, 11:53:47 AM
Thanks Harj

"Harj" <cisq...@gmail.com> wrote in message
news:1178031715.1...@o5g2000hsb.googlegroups.com...
