
Group policy Management delegation


MCTNews

Dec 3, 2006, 2:23:09 PM
Hi,
I would like to give a group (GPAdmins) permission to modify existing GPOs
owned by another account without granting Domain Admin rights. How do I do
this?

I can put the group in Group Policy Creator Owners
I could assign permissions to GPAdmins on each existing GPO, but that would
not be inherited by new GPOs

Thanks,
Brian

Jack Doyle

Dec 4, 2006, 10:54:18 AM
ScriptLogic offers a product called Active Administrator
(http://www.scriptlogic.com/products/ActiveAdmin/). One feature of AA
is the ability to edit your Group Policy objects in what we call an
Offline Repository. You can give junior administrators the ability to
edit Offline Group Policy Objects in the Repository and then you can
check them back in and make them active yourself.

You can run reports to compare the offline version of the GPO to the
online version of the GPO as well as run RSoP reports against offline
versions of the GPO to see how things may possibly change when that GPO
is implemented.

A free evaluation of that product is available at the link I posted.

Jack Doyle, Systems Engineer
ScriptLogic Corporation
www.scriptlogic.com

Darren Mar-Elia

Dec 4, 2006, 11:17:54 AM
Jack-
No offense but I've been watching the posts you've been making on this list
and by and large they provide no real value in terms of solving Group Policy
problems but rather are predominantly pitches for your company's products,
which in most cases are unnecessary to the problem and not helpful. For
example, it is a simple matter, in Brian's question, to accomplish what he
wants to do without spending 100s or thousands of dollars on a Group Policy
version control tool, and even if that were the right answer, why not get
the GPOVault product that Microsoft just acquired when they bought
DesktopStandard--which integrates seamlessly into GPMC and provides the same
offline-editing, version control capabilities? If you're going to post here,
try adding some real value above and beyond using the newsgroups to market
your company's stuff.

In any case, Brian, to your question, you can of course delegate permissions
on existing GPOs using GPMC. When focused on a GPO, choose the Delegation
tab and you can grant your GP Admins group modify rights there. Now, if you
want all new GPOs that get created to grant your GPAdmins group the ability
to modify them, you need to modify the defaultSecurityDescriptor attribute
on the GroupPolicyContainer class in the AD schema for your domain. This is
not as bad as it sounds and is described here:
http://support.microsoft.com/kb/321476/en-us

Let us know if you have problems--the SDDL string can be tricky to get
right.

Darren

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related
Group Policy Management solutions at http://www.sdmsoftware.com


"Jack Doyle" <Jack....@scriptlogic.com> wrote in message
news:1165247658.4...@f1g2000cwa.googlegroups.com...

Brian

Dec 4, 2006, 9:03:00 PM
Thanks, Darren!
Oddly enough, my question stems from wanting to keep the GPOVault service
account out of the Domain Admins group ;-)

"Darren Mar-Elia" <dmano...@microsoft.com> wrote in message
news:C7526882-49B7-42C7...@microsoft.com...

Brian

Dec 4, 2006, 9:26:52 PM
So does this make sense?
For easy configuration the GPOVault Service needs to be a domain admin
If you prefer Least Privilege...
1. Add the Service Account to the Group Policy Creator Owners group
2. Grant the Service Account permissions to all existing GPOs. This could be
done in the GPMC or a script.
3. To give the Service Account permissions to all new GPOs that get created
directly in AD (outside of the Vault Service) follow this kb
a. http://support.microsoft.com/kb/321476/en-us

"Darren Mar-Elia" <dmano...@microsoft.com> wrote in message
news:C7526882-49B7-42C7...@microsoft.com...
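
Added example (editor's code, not from any poster in this thread) that carries out Brian's steps 2 and 3 with the GroupPolicy and ActiveDirectory PowerShell modules: grant GPAdmins edit rights on every existing GPO, then add an inheritable ACE to the defaultSecurityDescriptor of the groupPolicyContainer schema class so new GPOs pick it up. The exact rights set in the schema ACE is an assumption chosen to mirror GPMC's "Edit settings" level; the group name GPAdmins is the one from the thread.

```powershell
# Added example, not code from the thread. Assumes RSAT (GroupPolicy and
# ActiveDirectory modules) and that the caller may edit GPOs and the schema.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$group = 'GPAdmins'   # group from the thread; use the service account for GPOVault

# Step 2: grant edit rights on every GPO that already exists.
# GpoEdit = read + write settings; it does not include delete or modify-security.
foreach ($gpo in Get-GPO -All) {
    Set-GPPermission -Guid $gpo.Id -TargetName $group -TargetType Group `
        -PermissionLevel GpoEdit | Out-Null
}

# Step 3 (KB 321476): new GPOs take their DACL from the defaultSecurityDescriptor
# of the groupPolicyContainer schema class, so add an inheritable ACE there.
# Needs Schema Admins and is forest-wide, so review the new SDDL before writing.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$gpcClass = Get-ADObject "CN=Group-Policy-Container,$schemaNC" -Properties defaultSecurityDescriptor
$sid      = (Get-ADGroup $group).SID

# Parse the existing SDDL instead of string-concatenating, so a malformed
# descriptor fails here rather than after it has been written into the schema.
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($gpcClass.defaultSecurityDescriptor)

# Rights chosen to match GPMC's "Edit settings" level (assumption): read, write,
# create/delete child objects. Deliberately no WriteDac, WriteOwner or Delete,
# so the group can edit settings but cannot reassign security or remove GPOs.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty, CreateChild, DeleteChild, ListChildren, ListObject, ReadControl'
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # CI flag
)
$sd.AddAccessRule($rule)

$newSddl = $sd.GetSecurityDescriptorSddlForm('All')
Write-Host "Old: $($gpcClass.defaultSecurityDescriptor)"
Write-Host "New: $newSddl"
Set-ADObject -Identity $gpcClass -Replace @{ defaultSecurityDescriptor = $newSddl } -WhatIf
# Drop -WhatIf once the new SDDL has been reviewed. Existing GPOs are unaffected
# (hence step 2), and a schema cache refresh may be needed before new GPOs inherit it.
```
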

Darren Mar-Elia

Dec 4, 2006, 10:10:54 PM
Brian-
Yep, that all looks good.

Darren

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related
Group Policy Management solutions at http://www.sdmsoftware.com


"Brian" <bor...@hotmail.com> wrote in message
news:CC1DFFAC-6EB5-41E6...@microsoft.com...
