Justin, sorry for getting into this late and thanks for your kind words about Specops Gpudate. Yes, the schema is not modified as you already stated. Specops Gpupdate uses Display Specifiers, Display Specifiers are stored in the AD Configuration container and thus the need for root domain privileges to add or remove them. Display Specifiers are, for those of you that have not heard about them, a Microsoft technology used to extend AD related admin tools. If only "normal" MMC extension technology is used, then all the Shell related interfaces won't show. In the Active Directory Users and Computers case, this means for example that you would not be able to search for objects and operate on the result. Specops Gpupdate relies on integrated security, meaning that unless you have the permission to for example reboot the computer you will not be able to reboot it with Specops Gpupdate either, and unless you have the privileges to execute commands remotely and also have the permission to run refresh Group Policy you will not be able to do this with Specops Gpupdate. This means that if you want to delegate the task to remotely refresh Group Policy with Specops Gpupdate, then the users that should perform these tasks need to be delegated those permissions. Thanks, Thorbjörn Sjövold Special Operations Software www.specopssoft.com <http://www.specopssoft.com> thorbjorn.sjovold a t specopssoft.com Download our free tool for remote Gpupdate with graphical reporting, http://www.specopssoft.com/products/specopsgpupdate/ <http://www.specopssoft.com/products/specopsgpupdate/> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Salandra, Justin A. Sent: den 18 juni 2007 20:53 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Delagate Control According to their support forum the users would need to have local admin rights Justin A. Salandra MCSE Windows 2000 & 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell jasalandra@xxxxxxxxxxx <mailto:jasalandra@xxxxxxxxxxx> ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Monday, June 18, 2007 11:43 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Delagate Control The gpupdate tool does not extend the schema but rather adds "Display Specifiers" to the configuration naming context. I don't have it installed right now but I suspect it would be hard to permission that object away from a set of users. But you do need the package installed on every machine in order to make it work so that is one form of restriction. Thorbjorn from SpecOps can probably answer this better than anyone. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of bart.schillebeeks@xxxxxxxxxx Sent: Monday, June 18, 2007 8:13 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Delagate Control Hoy Justin, I thought once the schema was extended , you could suffice with installing the management console on their respective workstations. Vriendelijke groeten, Cordialement, Kind Regards, Schillebeeks Bart Active Directory Security Consultant Bart.schillebeeks@xxxxxxxxxx AD Internet Consulting BVBA "When once you have tasted flight, you will always walk with your eyes turned skyward, for there you have been and there you always will be." Leonardo da Vinci, 1452-1519 Disclaimer: Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity.This Message is in no way legally binding and has to be viewed as a personal opinion of the sender. This message reflects in no way the views of FORTIS BANK and its associates and AD internet Consulting BVBA and its associates. Unless otherwise stated, any pricing information given in this message is indicative only, is subject to change and does not constitute an offer to deal at any price quoted. Any reference to the terms of executed transactions should be treated as preliminary only and subject to our formal written confirmation. AD Internet Consulting BVBA, Hezemeer 7, 2430 Eindhout-Laakdal ON:0470419019 www.adinternet.com mailto:Sales@xxxxxxxxxxxxxx ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Salandra, Justin A. Sent: Monday, June 18, 2007 3:10 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Delagate Control I have installed the SpecOps GPUPDATE tool which is really kool and it works, however I would like to delegate this function to specific OU's for non domain admins. Any one have any idea how to do that since the schema does not get extended? http://www.specopssoft.com/products/specopsgpupdate/ Justin A. Salandra MCSE Windows 2000 & 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell jasalandra@xxxxxxxxxxx <mailto:jasalandra@xxxxxxxxxxx>