Resolution
How do I prevent a user from creating a Group Policy Object in Active Directory?
goal
How can I prevent Admins from creating GPOs using native tools in Active Directory?
fact
NetIQ Group Policy Administrator 5.0
fact
Group Policy Administrator 3.0
fact
Group Policy Administrator 4.x
fix
By default, the following built-in groups have permission to create, modify, and/or delete a Group Policy Object in Active Directory:
- Domain Admins
- Enterprise Admins
- Group Policy Creator Owners
In addition to the above groups, a user delegated Full Control permissions over an Organizational Unit can also modify a Group Policy Object. To prevent this user from setting security, you may decide to give them only the Write - Allow permission.
You may also decide that the user should be exempt from the application of this policy, and this may be accomplished by clearing the Apply Group Policy - Allow privilege.
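The following PowerShell audit is an added example, not part of the original article or of any NetIQ tooling. It lists the members of the three built-in groups named above and reports any other trustee that can edit, delete, and modify security on a GPO. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, and the `$expected` list is an assumption to adjust for your environment.

```powershell
# Added example: audit who can create GPOs or change GPO security.
# Requires the ActiveDirectory and GroupPolicy modules (RSAT) and read access to the domain.
Import-Module ActiveDirectory, GroupPolicy

# Built-in groups the article lists as able to create, modify, or delete GPOs.
$builtIn    = 'Domain Admins', 'Enterprise Admins', 'Group Policy Creator Owners'
$rootDomain = (Get-ADForest).RootDomain     # Enterprise Admins exists only in the forest root
$thisDomain = (Get-ADDomain).DNSRoot

$members = foreach ($group in $builtIn) {
    $server = if ($group -eq 'Enterprise Admins') { $rootDomain } else { $thisDomain }
    Get-ADGroupMember -Identity $group -Server $server -Recursive |
        Select-Object @{n='Group';e={$group}}, SamAccountName, objectClass
}
$members | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Trustees expected to hold full control on every GPO (assumption: adjust as needed).
$expected = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'

# Report every other trustee that can edit, delete, and modify security on a GPO.
$findings = foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object {
            $_.Permission -eq 'GpoEditDeleteModifySecurity' -and
            $_.Trustee.Name -notin $expected
        } |
        Select-Object @{n='Gpo';e={$gpo.DisplayName}},
                      @{n='Trustee';e={$_.Trustee.Name}},
                      @{n='Type';e={$_.Trustee.SidType}},
                      Permission
}
$findings | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

A trustee that should edit settings without being able to change security can be lowered with `Set-GPPermission -PermissionLevel GpoEdit -Replace`; treating `GpoEdit` as the equivalent of the Write - Allow delegation described above is an assumption of this example.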
For more information, refer to the Microsoft KB article below:
Delegate Authority for Editing a Group Policy Object (GPO)
http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b221577