
Delegating GPOs

Anonymous
August 11, 2004 5:13:11 PM

Archived from groups: microsoft.public.win2000.group_policy

I've delegated an OU with some other OUs contained with it
to group A with all delegated rights.

On the OUs there are GPOs assigned. I've assigned FC
rights in AD Users and Computers on those GPOs to group A.

Group A used to be able to edit the GPOs that I've
assigned them FC rights to, but now they get an
error "Failed to save failed to save
ov\SysVol\Domain.gov\Policies\{18F0E4FA-C1A6-4565-BA82-2C45E7CD7E5A}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

I've re-delegated the OU and deleted and reassigned rights
to Group A in AD Users and computers. The DCs seem to be
running fine, no errors, and no synchronization problems.

Any ideas what went wrong?


Anonymous
August 12, 2004 4:15:56 AM


Check that they still have write permissions to the GPO itself in
GPO/properties/security. Check to see if a domain admin can edit and save the policy.
If an admin can then it must be a permission issue, possibly to that policy folder in
the sysvol share. You can find the policy number [unique name] in its
properties.

-- Steve


"Mary Allio" <anonymous@discussions.microsoft.com> wrote in message
news:051301c47fdf$a05e5db0$3501280a@phx.gbl...
> I've delegated an OU with some other OUs contained with it
> to group A with all delegated rights.
>
> On the OUs there are GPOs assigned. I've assigned FC
> rights in AD Users and Computers on those GPOs to group A.
>
> Group A used to be able to edit the GPOs that I've
> assigned them FC rights to, but now they get an
> error "Failed to save failed to save
> ov\SysVol\Domain.gov\Policies\{18F0E4FA-C1A6-4565-BA82-2C45E7CD7E5A}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
>
> I've re-delegated the OU and deleted and reassigned rights
> to Group A in AD Users and computers. The DCs seem to be
> running fine, no errors, and no synchronization problems.
>
> Any ideas what went wrong?
Anonymous
August 12, 2004 8:59:39 AM


I've checked the GPO/properties/security, and the
delegated users have Full Control. I checked the sysvol
folder for the appropriate GPO, and the delegated users
have Full Control. I have no problems as a domain admin
to edit the GPO. I'm not sure where else to look for
permission problems??


>-----Original Message-----
>Check that they still have write permissions to the GPO itself in
>GPO/properties/security. Check to see if a domain admin can edit and save the policy.
>If an admin can then it must be a permission issue, possibly to that policy folder in
>the sysvol share. You can find the policy number [unique name] in its
>properties. -- Steve
>
>
>"Mary Allio" <anonymous@discussions.microsoft.com> wrote in message
>news:051301c47fdf$a05e5db0$3501280a@phx.gbl...
>> I've delegated an OU with some other OUs contained with it
>> to group A with all delegated rights.
>>
>> On the OUs there are GPOs assigned. I've assigned FC
>> rights in AD Users and Computers on those GPOs to group A.
>>
>> Group A used to be able to edit the GPOs that I've
>> assigned them FC rights to, but now they get an
>> error "Failed to save failed to save
>> ov\SysVol\Domain.gov\Policies\{18F0E4FA-C1A6-4565-BA82-2C45E7CD7E5A}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
>>
>> I've re-delegated the OU and deleted and reassigned rights
>> to Group A in AD Users and computers. The DCs seem to be
>> running fine, no errors, and no synchronization problems.
>>
>> Any ideas what went wrong?
Anonymous
August 12, 2004 1:46:28 PM


Mary-
A couple of things. First off, make sure you are checking permissions on the
instance of SYSVOL on the DC where those users are trying to edit the GPO.
This usually defaults to the PDC role-holder DC. Also, it's probably a good
idea to check the equivalent permissions on the AD part of the GPO. This
will be found under system\policies\<GUID of GPO> in AD Users and Computers.
The permissions on the GUID-named container should be roughly equivalent to
those found in the SYSVOL part of the GPO (I say roughly because AD perms
and NTFS perms don't map 1-1 but you should see the same groups having
roughly the same permissions). Also, make sure the permissions in SYSVOL are
consistent all the way down the folder structure for that GPO. In other
words, make sure that there isn't some permission corruption at the level of
the \Machine\Microsoft\Windows NT\SecEdit\ folder that would be preventing
you from writing the inf file.

--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



"Mary Allio" <anonymous@discussions.microsoft.com> wrote in message
news:4f1d01c48063$d8542f90$a401280a@phx.gbl...
> I've checked the GPO/properties/security, and the
> delegated users have Full Control. I checked the sysvol
> folder for the appropriate GPO, and the delegated users
> have Full Control. I have no problems as a domain admin
> to edit the GPO. I'm not sure where else to look for
> permission problems??
>
>
>>-----Original Message-----
>>Check that they still have write permissions to the GPO itself in
>>GPO/properties/security. Check to see if a domain admin can edit and save the policy.
>>If an admin can then it must be a permission issue, possibly to that policy folder in
>>the sysvol share. You can find the policy number [unique name] in its
>>properties. -- Steve
>>
>>
>>"Mary Allio" <anonymous@discussions.microsoft.com> wrote in message
>>news:051301c47fdf$a05e5db0$3501280a@phx.gbl...
>>> I've delegated an OU with some other OUs contained with it
>>> to group A with all delegated rights.
>>>
>>> On the OUs there are GPOs assigned. I've assigned FC
>>> rights in AD Users and Computers on those GPOs to group A.
>>>
>>> Group A used to be able to edit the GPOs that I've
>>> assigned them FC rights to, but now they get an
>>> error "Failed to save failed to save
>>> ov\SysVol\Domain.gov\Policies\{18F0E4FA-C1A6-4565-BA82-2C45E7CD7E5A}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
>>>
>>> I've re-delegated the OU and deleted and reassigned rights
>>> to Group A in AD Users and computers. The DCs seem to be
>>> running fine, no errors, and no synchronization problems.
>>>
>>> Any ideas what went wrong?
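
Added example, not part of the original thread (which predates these cmdlets): one way to run the checks from the last reply in PowerShell, walking the GPO's SYSVOL tree on the PDC role-holder and then listing the group's ACEs on the matching AD container. It assumes the ActiveDirectory RSAT module is installed and that `EXAMPLE\GroupA` is a placeholder for the delegated group; the GUID is the one from the error message.

```powershell
Import-Module ActiveDirectory            # provides Get-ADDomain and the AD: drive

$GpoGuid = '{18F0E4FA-C1A6-4565-BA82-2C45E7CD7E5A}'   # GUID from the error message
$Group   = 'EXAMPLE\GroupA'                            # placeholder for "group A"

$domain  = Get-ADDomain
# SYSVOL instance on the PDC role-holder, where GPO edits land by default
$gpoRoot = "\\$($domain.PDCEmulator)\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid"

$write       = [System.Security.AccessControl.FileSystemRights]::Write
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Walk the GPO folder and everything under it, down to SecEdit\GptTmpl.inf.
$items  = @(Get-Item -LiteralPath $gpoRoot) +
          @(Get-ChildItem -LiteralPath $gpoRoot -Recurse -Force)
$report = foreach ($item in $items) {
    $acl  = Get-Acl -LiteralPath $item.FullName
    # ACEs that name the group directly and apply to this object itself
    # (access granted through nested groups is not resolved here)
    $aces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        -not ($_.PropagationFlags -band $inheritOnly)
    }
    $allow = $aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $write) -eq $write
    }
    $deny = $aces | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ($_.FileSystemRights -band $write)
    }
    [pscustomobject]@{
        Path               = $item.FullName
        GroupCanWrite      = ([bool]$allow -and -not $deny)
        InheritanceBlocked = $acl.AreAccessRulesProtected
    }
}

# Folders or files where the group's write access is missing or denied
$report | Where-Object { -not $_.GroupCanWrite } | Format-Table -AutoSize

# AD half of the same GPO (System\Policies\<GUID>): the group's ACEs there
$adPath = "AD:\CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Select-Object AccessControlType, ActiveDirectoryRights, IsInherited
```

Any row in the first table, or a path with `InheritanceBlocked` set partway down the tree, points at the level where the SYSVOL permissions stop matching the rest of the GPO.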