[gptalk] Re: Group Policy delegation

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 27 Mar 2007 06:56:56 -0700

Tony-

That is pretty complete, I would say. I don't think you've missed much of
anything. In #3, the ability to link also may include rights on the
gpOptions attribute, which controls the Block Inheritance flag. There is
also the ability to delegate creation of WMI Filters in the domain. That can
be done via the GPMC console; not sure if there's a scripting interface for it.
And, then the linking of a filter to a GPO is wrapped up in your GPO
delegation so that is covered below.

Outside of that, nothing else comes to mind.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Tony Murray [HIQ]
Sent: Monday, March 26, 2007 3:25 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Group Policy delegation

Hi all

I'm just in the process of planning Group Policy delegation and could
benefit from your advice about the approach.  I want to delegate
administration of Group Policy to the "Group Policy Admins" role (actually
an AD group).  I may also want more granular delegation in the future.

As I see it there are three areas where delegation is relevant.

1. Delegated permission to create GPOs.
2. Delegation permissions on individual GPOs.
3. Delegated Group Policy-related permissions on SOMs (OUs, Domains and Sites).

Taking each of these in turn...

1. Delegated permission to create GPOs.

This appears to be relatively straightforward.  I simply modify the
Delegation tab on the Group Policy Objects container within the GPMC.
Alternatively I can use the SetGPOCreationPermissions.wsf script sample.

2. Delegation permissions on individual GPOs.

This is split into two parts:  new GPOs and existing GPOs.

a) New GPOs. I can modify the default security descriptor for
groupPolicyContainer objects by following the guidelines in
http://support.microsoft.com/default.aspx?scid=kb;en-us;321476.

b) Existing GPOs. I can modify the permissions for all GPOs within a
domain by using the GrantPermissionOnAllGPOs.wsf script sample.

3. Delegated Group Policy-related permissions on SOMs.

This involves assigning the "Group Policy Admins" group the ability to:

  • Link GPOs to a given site, domain or OU.
  • Perform Group Policy Modelling analysis on a given domain or OU (but not on a site).
  • Read Group Policy Results data for objects within a given domain or OU (but not a site).
I can use the SetSOMPermissions.wsf to do this.

That's as far as I have got.  Before I started setting this up in the lab
and testing I thought I would check here to see if I have the approach
right.

Anything I should be doing differently?  Any shortcuts I am missing?  Better
ways of setting up the delegation?

Tony

Directory Services MVP (and Group Policy Muppet).
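As an added example, not from the thread and not one of the GPMC .wsf samples, the PowerShell below performs items 2b and 3 of Tony's plan with the RSAT ActiveDirectory and GroupPolicy modules, and also grants write on the gPOptions attribute as Darren suggests. The group name and OU distinguished name are assumptions; the attribute and extended-right GUIDs are read from the schema and Extended-Rights container rather than hard-coded.

```powershell
# Added example (not from the thread or the GPMC .wsf samples). Assumes the
# RSAT ActiveDirectory and GroupPolicy modules and an account allowed to
# change ACLs on the OU and on GPOs. Group and OU names are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Group = 'Group Policy Admins'                   # assumed delegation group
$OU    = 'OU=Workstations,DC=example,DC=com'     # assumed target SOM

$RootDse = Get-ADRootDSE
# Resolve GUIDs from the directory instead of hard-coding them.
function Get-SchemaAttributeGuid([string]$LdapName) {
    $a = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [Guid]$a.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $base = "CN=Extended-Rights,$($RootDse.configurationNamingContext)"
    $r = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$DisplayName)" `
        -Properties rightsGuid
    [Guid]$r.rightsGuid
}

# Item 3 (plus gPOptions): rights on the SOM object itself, not inherited by
# child OUs, so the delegation stays scoped to the one OU.
$sid     = (Get-ADGroup $Group).SID
$path    = "AD:\$OU"
$acl     = Get-Acl $path
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

# Link GPOs = write gPLink; Block Inheritance = write gPOptions.
foreach ($attr in 'gPLink', 'gPOptions') {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $allow, (Get-SchemaAttributeGuid $attr), $inherit))
}
# Group Policy Modelling = RSoP (Planning); Group Policy Results = RSoP (Logging).
foreach ($right in 'Generate Resultant Set of Policy (Planning)',
                   'Generate Resultant Set of Policy (Logging)') {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        $allow, (Get-ExtendedRightGuid $right), $inherit))
}
Set-Acl -Path $path -AclObject $acl

# Item 2b: edit rights on every existing GPO (what GrantPermissionOnAllGPOs.wsf
# does), adding an ACE for the group rather than replacing existing ones.
Set-GPPermission -All -TargetName $Group -TargetType Group -PermissionLevel GpoEdit
```

Item 2a (the default security descriptor for groupPolicyContainer) is a schema change and is deliberately left to the KB article Tony cites; run Get-GPPermission and Get-Acl afterwards to confirm only the intended ACEs were added.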