How do I prevent a user from creating a Group Policy Object in Active Directory? (NETIQKB28268)

  • 7728268
  • 02-Feb-2007
  • 08-Sep-2008


How can I prevent Admins from creating GPOs using native tools in Active Directory?

NetIQ Group Policy Administrator 5.0

Group Policy Administrator 3.0

Group Policy Administrator 4.x


By default, the following built-in groups have permission to create, modify, and/or delete a Group Policy Object in Active Directory:

  • Domain Admin
  • Enterprise Admin
  • Group Policy Creator Owners

In addition to the above groups, a user who has been delegated Full Control permissions over an Organizational Unit also has access to modify a Group Policy Object. To prevent this user from setting security, you may decide to give them only the Write - Allow permission.

You may also decide that the user should be exempt from the application of this policy, and this may be accomplished by clearing the Apply Group Policy - Allow privilege.
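
To verify who currently holds these rights, the following audit script can be used. It is an added example, not part of the original article or of NetIQ Group Policy Administrator, and it assumes the Microsoft ActiveDirectory and GroupPolicy PowerShell modules (RSAT) are installed and that the account running it can read the domain.

```powershell
# Added example: list who can create or modify GPOs in the current domain.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT) are available.
Import-Module ActiveDirectory, GroupPolicy

# 1. Effective (nested) members of the built-in groups named in the article.
$groups     = 'Domain Admins', 'Enterprise Admins', 'Group Policy Creator Owners'
$thisDomain = (Get-ADDomain).DNSRoot
$rootDomain = (Get-ADForest).RootDomain

$members = foreach ($name in $groups) {
    # Enterprise Admins exists only in the forest root domain.
    $server = if ($name -eq 'Enterprise Admins') { $rootDomain } else { $thisDomain }
    try {
        Get-ADGroupMember -Identity $name -Server $server -Recursive -ErrorAction Stop |
            Select-Object @{n = 'Group'; e = { $name } }, SamAccountName, objectClass
    }
    catch {
        Write-Warning "Could not enumerate '$name' on ${server}: $($_.Exception.Message)"
    }
}

# 2. Per-GPO delegation: trustees who can edit settings, and trustees who can
#    also delete the GPO and change its security.
$editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'

$gpoRights = foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $editLevels -contains $_.Permission.ToString() } |
        Select-Object @{n = 'Gpo';         e = { $gpo.DisplayName } },
                      @{n = 'Trustee';     e = { $_.Trustee.Name } },
                      @{n = 'TrusteeType'; e = { $_.Trustee.SidType } },
                      Permission
}

# 3. Report. Review any non-default trustee holding GpoEditDeleteModifySecurity:
#    that level includes the ability to set security on the GPO.
$members   | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$gpoRights | Sort-Object Permission, Gpo, Trustee | Format-Table -AutoSize
```

A trustee limited to editing settings appears with GpoEdit, while one who can also set security appears with GpoEditDeleteModifySecurity.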

For more information, refer to the Microsoft KB article below:

Delegate Authority for Editing a Group Policy Object (GPO)

Additional Information

Formerly known as NETIQKB28268