Delegating GPOs

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I've delegated an OU with some other OUs contained with it
to group A with all delegated rights.

On the OUs there are GPOs assigned. I've assigned FC
rights in AD Users and Computers on those GPOs to group A.

Group A used to be able to edit the GPOs that I've
assigned them FC rights to, but now they get an
error "Failed to save failed to save
ov\SysVol\Domain.gov\Policies\{18F0E4FA-C1A6-4565-BA82-
2C45E7CD7E5A}\Machine\Microsoft\Windows
NT\SecEdit\GptTmpl.inf"

I've re-delegated the OU and deleted and reassigned rights
to Group A in AD Users and Computers. The DCs seem to be
running fine, no errors, and no synchronization problems.

Any ideas what went wrong?
  1.

    Check that they still have write permissions to the GPO itself in
    GPO/properties/security. Check to see if a domain admin can edit and save the policy.
    If an admin can then it must be a permission issue, possibly to that policy folder in
    the sysvol share. You can find the policy number [unique name] in its
    properties.

    -- Steve


    "Mary Allio" <anonymous@discussions.microsoft.com> wrote in message
    news:051301c47fdf$a05e5db0$3501280a@phx.gbl...
    > I've delegated an OU with some other OUs contained with it
    > to group A with all delegated rights.
    >
    > On the OUs there are GPOs assigned. I've assigned FC
    > rights in AD Users and Computers on those GPOs to group A.
    >
    > Group A used to be able to edit the GPOs that I've
    > assigned them FC rights to, but now they get an
    > error "Failed to save failed to save
    > ov\SysVol\Domain.gov\Policies\{18F0E4FA-C1A6-4565-BA82-
    > 2C45E7CD7E5A}\Machine\Microsoft\Windows
    > NT\SecEdit\GptTmpl.inf"
    >
    > I've re-delegated the OU and deleted and reassigned rights
    > to Group A in AD Users and Computers. The DCs seem to be
    > running fine, no errors, and no synchronization problems.
    >
    > Any ideas what went wrong?
  2.

    I've checked the GPO/properties/security, and the
    delegated users have Full Control. I checked the sysvol
    folder for the appropriate GPO, and the delegated users
    have Full Control. I have no problems as a domain admin
    to edit the GPO. I'm not sure where else to look for
    permission problems??

  3.

    Mary-
    A couple of things. First off, make sure you are checking permissions on the
    instance of SYSVOL on the DC where those users are trying to edit the GPO.
    This usually defaults to the PDC role-holder DC. Also, it's probably a good
    idea to check the equivalent permissions on the AD part of the GPO. This
    will be found under system\policies\<GUID of GPO> in AD Users and Computers.
    The permissions on the GUID-named container should be roughly equivalent to
    those found in the SYSVOL part of the GPO (I say roughly because AD perms
    and NTFS perms don't map 1-1 but you should see the same groups having
    roughly the same permissions). Also, make sure the permissions in SYSVOL are
    consistent all the way down the folder structure for that GPO. In other
    words, make sure that there isn't some permission corruption at the level of
    the \Machine\Microsoft\Windows NT\SecEdit\ folder that would be preventing
    you from writing the inf file.

    --
    Darren Mar-Elia
    MS-MVP-Windows Management
    http://www.gpoguy.com
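
One way to run the "consistent all the way down the folder structure" check from the reply above against a specific DC's copy of SYSVOL, as an added example that is not part of the original thread. The DC name, domain name and group name are placeholders, and it assumes a PowerShell-capable admin workstation rather than the Windows 2000 tools the thread used.

```powershell
# Placeholders (assumptions): set these to the DC the editors actually connect to
# (usually the PDC emulator), your domain's DNS name, and the delegated group.
$Dc      = 'DC01'
$Domain  = 'example.test'
$Group   = 'EXAMPLE\GroupA'
$GpoGuid = '{18F0E4FA-C1A6-4565-BA82-2C45E7CD7E5A}'   # GUID from the error in the thread

$root  = "\\$Dc\SYSVOL\$Domain\Policies\$GpoGuid"
$write = [System.Security.AccessControl.FileSystemRights]::Write

# The GPO root plus every folder and file beneath it, down to SecEdit\GptTmpl.inf.
$items = @(Get-Item -LiteralPath $root) +
         @(Get-ChildItem -LiteralPath $root -Recurse -Force)

$report = foreach ($item in $items) {
    $acl  = Get-Acl -LiteralPath $item.FullName
    # Only ACEs that name the group directly; rights granted through nested
    # groups, or shown as raw generic-rights numbers, are not resolved here.
    $aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Group })

    $allow = @($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $write) -eq $write })
    $deny  = @($aces | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ($_.FileSystemRights -band $write) -ne 0 })

    $isRoot = $item.FullName -eq $root
    [pscustomobject]@{
        Path               = if ($isRoot) { '\' } else { $item.FullName.Substring($root.Length) }
        GroupCanWrite      = ($allow.Count -gt 0 -and $deny.Count -eq 0)
        # A protected ACL is normal on the GPO root folder; below it, it means
        # that item no longer inherits and may have drifted from its parent.
        InheritanceBlocked = ($acl.AreAccessRulesProtected -and -not $isRoot)
        Owner              = $acl.Owner
    }
}

# Show only the items that break the pattern the rest of the tree follows.
$report |
    Where-Object { -not $_.GroupCanWrite -or $_.InheritanceBlocked } |
    Format-Table -AutoSize
```

An empty result means the group has an explicit or inherited write ACE at every level on that DC; rerun with `$Dc` set to each other DC to compare replicas.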