| Author | Messages | |
thacker
Posts:4
 | | 08/25/2010 1:56 PM |
| Hi all,
I've got a strange problem here... I've delegated rights to Create groupPolicyContainer objects, but when I try to actually create a GPO, "Create a GPO in this domain, and link it here..." is ghosted out.
The user is a member of the LB-GPO Managers security group, which has rights delegated at the OU level.
NativeAce : System.DirectoryServices.ActiveDirectoryAccessRule
TargetObject : OU=LB,DC=YorkU,DC=YorkU,DC=CA
Account : YORKU\LB-GPO Managers
TransitiveAccount : YORKU\LB-GPO Managers
AccountName : YORKU\LB-GPO Managers
AccessControlType : Allow
Rights : ReadProperty, WriteProperty
RightsDisplay : Read/Write all properties
Source : NotInherited
ExtendedRight :
ValidatedWrite :
Property :
PropertySet :
ApplyTo : ThisObjectAndImmediateChildObjects
ApplyToDisplay : This object and immediate child objects
ApplyToType :
ChildType :

NativeAce : System.DirectoryServices.ActiveDirectoryAccessRule
TargetObject : OU=LB,DC=YorkU,DC=YorkU,DC=CA
Account : YORKU\LB-GPO Managers
TransitiveAccount : YORKU\LB-GPO Managers
AccountName : YORKU\LB-GPO Managers
AccessControlType : Allow
Rights : CreateChild, DeleteChild
RightsDisplay : Create/Delete groupPolicyContainer
Source : NotInherited
ExtendedRight :
ValidatedWrite :
Property :
PropertySet :
ApplyTo : All
ApplyToDisplay : This object and all child objects
ApplyToType :
ChildType : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=yorku,DC=yorku,DC=ca

NativeAce : System.DirectoryServices.ActiveDirectoryAccessRule
TargetObject : OU=LB,DC=YorkU,DC=YorkU,DC=CA
Account : YORKU\LB-GPO Managers
TransitiveAccount : YORKU\LB-GPO Managers
AccountName : YORKU\LB-GPO Managers
AccessControlType : Allow
Rights : ExtendedRight
RightsDisplay : Generate Resultant Set of Policy (Logging)
Source : NotInherited
ExtendedRight : CN=Generate-RSoP-Logging,CN=Extended-Rights,CN=Configuration,DC=yorku,DC=yorku,DC=ca
ValidatedWrite :
Property :
PropertySet :
ApplyTo : All
ApplyToDisplay : This object and all child objects
ApplyToType :
ChildType :

NativeAce : System.DirectoryServices.ActiveDirectoryAccessRule
TargetObject : OU=LB,DC=YorkU,DC=YorkU,DC=CA
Account : YORKU\LB-GPO Managers
TransitiveAccount : YORKU\LB-GPO Managers
AccountName : YORKU\LB-GPO Managers
AccessControlType : Allow
Rights : ExtendedRight
RightsDisplay : Generate Resultant Set of Policy (Planning)
Source : NotInherited
ExtendedRight : CN=Generate-RSoP-Planning,CN=Extended-Rights,CN=Configuration,DC=yorku,DC=yorku,DC=ca
ValidatedWrite :
Property :
PropertySet :
ApplyTo : All
ApplyToDisplay : This object and all child objects
ApplyToType :
ChildType :
In the Effective Permission for the user it looks like they have the rights to Create GPOs.
Creation of GPOs is ghosted!!!
Am I missing something here???
Thanks, Troy
| | | |
| thacker
Posts:4
 | | 08/25/2010 3:21 PM |
| I delegated rights to a security group called GPO managers at the OU. Granting gPOptions & gPlinks, etc.
On 25/08/2010 9:27 AM, Darren Mar-Elia wrote:
> Troy-
>
> How did you delegate rights to create GPOs?
>
> Darren
| | | |
| thacker
Posts:4
 | | 08/26/2010 1:48 PM |
| Thanks, I found the problem... The GPO-Managers group was missing from the Group Policy Creator Owners group.
Both environments were built with a PowerShell script that took input from a CSV file. The line for the GPO-Managers got deleted by mistake when we changed some of the groups between the verification environment and the production environment.
Thanks for the help!
This is a great support list!!
Cheers! Troy
On 25/08/2010 7:00 PM, Darragh O'Shaughnessy wrote:
> Delegating the rights to create GPOs and link them to an OU are mutually exclusive I think, Troy. A GPO can be created in the domain and linked to multiple OUs, sites or none, so this requires certain domain level permissions. Have you added the account/group to the 'Group policy creator owners' group? By default it should have perms to create GPOs.
>
> Do you use GPMC? It should show you these permissions on the delegation tab at the domain root.
>
> Regards,
>
> Darragh O'Shaughnessy
>
> *From:* xxxxxxxxxxxxxxxx *On Behalf Of* Troy Hacker
> *Sent:* 25 August 2010 14:46
> *To:* xxxxxxxxxxxxxxxx
> *Cc:* Darren Mar-Elia
> *Subject:* Re: [gptalk] Delegation of Create Group Policies Objects
>
> Oh, I should point out we have two environments. One is a verification environment that we test everything in first and then put it in the production environment. The thing is this works in our verification environment, but not in the production. I can't find anything different between the two.
>
> We also used a PowerShell script to delegate the rights so it should be the same in both environments.
>
> On 25/08/2010 9:27 AM, Darren Mar-Elia wrote:
> Troy-
>
> How did you delegate rights to create GPOs?
>
> Darren
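
A check for the condition this thread resolved, as an added example that is not part of the original posts: it reports whether a group is nested in Group Policy Creator Owners and which trustees can create groupPolicyContainer objects in the domain's Policies container. It assumes the RSAT ActiveDirectory module; the function name `Test-GpoCreationRight` is hypothetical.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

function Test-GpoCreationRight {   # hypothetical helper name
    param([Parameter(Mandatory)] [string] $GroupName)

    $domain = Get-ADDomain
    $group  = Get-ADGroup -Identity $GroupName

    # New GPOs are created as groupPolicyContainer objects in this domain-level
    # container, so an OU-level CreateChild ACE does not cover them.
    $policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"

    # Group Policy Creator Owners has the well-known RID 520 in every domain.
    $creators = Get-ADGroup -Identity "$($domain.DomainSID)-520"
    # LDAP_MATCHING_RULE_IN_CHAIN finds groups nested at any depth.
    $nested = Get-ADGroup -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($creators.DistinguishedName))"
    $inCreators = @($nested | ForEach-Object DistinguishedName) -contains $group.DistinguishedName

    # schemaIDGUID of the groupPolicyContainer class, read from the schema.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $gpcClass = Get-ADObject -Identity "CN=Group-Policy-Container,$schemaNc" -Properties schemaIDGUID
    $gpcGuid  = [guid]$gpcClass.schemaIDGUID

    # Allow ACEs on the Policies container that permit creating GPO objects.
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $aces = (Get-Acl -Path "AD:\$policiesDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($createChild) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $gpcGuid)
    }
    $trustees = @($aces | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
    $ntName   = $group.SID.Translate([System.Security.Principal.NTAccount]).Value

    [pscustomobject]@{
        Group               = $ntName
        InGpoCreatorOwners  = $inCreators
        DirectAceOnPolicies = $trustees -contains $ntName
        TrusteesWithCreate  = $trustees
    }
}

# Run in each environment and compare the output to spot drift.
Test-GpoCreationRight -GroupName 'LB-GPO Managers'
```

The function does not evaluate Deny ACEs, rights held through other group memberships, or SYSVOL folder permissions.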