Delegate permission to full control OU (GPO): getting access is denied. Server Operator can do it.

Marlon Brown

I go to a CertainOU and I attempt to give Myadmin ability to full control
that one, including create GPOs.
MyAdmin is member of Group Policy Creator Owner.

When Myadmin right-clicks the OU and attempts to create "new" to create a new
group policy, he is getting the message 'You do not have permission to perform
this operation - access is denied'.

What's wrong?

If I add the fellow to the "Server Operators" group he is able to accomplish
the task just fine. I am unsure if he is successful because the Server
Operator has read+execute permissions to Sysvol? I see that Authenticated
user also has r+x to Sysvol and therefore that doesn't explain...
 
Hi Marlon-

This could be dependent on other security group memberships which that user
is a member of, however, the granular permission that the user should need
is "Create groupPolicyContainer objects" and "Delete groupPolicyContainer
objects".

This is viewable from Active Directory Users and Computers (DSA.MSC), from
the properties of the OU->Security folder tab->Advanced.

Please repost if adding that user to have those Allow permissions does not
help.
 
Yes, the permissions below are checked for MyAdmin, but he is still getting
the 'access is denied' message.
I created a copy account named TestMyadmin (domain user only and member of
ControlOU group, which has full-control over that OU) and the problem
persists. Any other suggestions?
 
Found the problem:
Compared \sysvol with a clean Win2000 setup and it seems somebody removed
Group Policy Creator owner from the \sysvol share.
 
That would certainly do it as well. Since there are two components to group
policies (the AD one and the file system one in the SYSVOL share) the user
must have allow permissions to both for that action.
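
An audit of both halves described in this thread, as an added example that is not part of the original posts: it lists who may create groupPolicyContainer objects on the OU and who may create folders under the SYSVOL Policies folder, then warns if Group Policy Creator Owners is missing from the file-system side. Assumptions: the ActiveDirectory RSAT module is available, the OU distinguished name is a placeholder, and the missing entry is looked for in the NTFS ACL of the Policies folder.

```powershell
# Added example (not from the thread). $OuDn is a placeholder; adjust before use.
Import-Module ActiveDirectory

$OuDn     = 'OU=CertainOU,DC=example,DC=com'
$Domain   = Get-ADDomain
# Provider-qualified path so the UNC resolves even when the current location is the AD: drive.
$Policies = "Microsoft.PowerShell.Core\FileSystem::\\$($Domain.DNSRoot)\SYSVOL\$($Domain.DNSRoot)\Policies"

# schemaIDGUID of the groupPolicyContainer class; an empty GUID means "all object classes".
$GpcClass   = [guid]'f30e3bc2-9ff0-11d1-b603-0000f80367c1'
$ChildRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'

# AD half: Allow ACEs on the OU covering create/delete of groupPolicyContainer objects.
# GenericAll (full control) contains both bits, so it is matched as well.
$adAces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -in @($GpcClass, [guid]::Empty) -and
    ($_.ActiveDirectoryRights -band $ChildRights)
}

# File-system half: Allow ACEs on the Policies folder that permit creating subfolders,
# which is where each new GPO's {GUID} directory is written.
$CreateDirs = [System.Security.AccessControl.FileSystemRights]::CreateDirectories
$fsAces = (Get-Acl -Path $Policies).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $CreateDirs)
}

'--- OU: may create/delete groupPolicyContainer ---'
$adAces | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
'--- SYSVOL Policies: may create folders ---'
$fsAces | Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Group Policy Creator Owners is the domain SID plus well-known RID 520;
# comparing SIDs avoids depending on the localized group name.
$gpcoSid = "$($Domain.DomainSID.Value)-520"
$fsSids  = $fsAces | ForEach-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
if ($fsSids -notcontains $gpcoSid) {
    Write-Warning "Group Policy Creator Owners ($gpcoSid) cannot create folders under $Policies"
}
```

An account needs to appear, directly or through a group, in both listings; an entry in only one of them matches the symptom in this thread.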
 