How do I prevent a user from creating a Group Policy Object in Active Directory?
How can I prevent Admins from creating GPOs using native tools in Active Directory?
NetIQ Group Policy Administrator 5.0
Group Policy Administrator 3.0
Group Policy Administrator 4.x
By default, the following built-in groups have permission to create, modify, and/or delete a Group Policy Object in Active Directory:
- Domain Admins
- Enterprise Admins
- Group Policy Creator Owners
In addition to the above groups, a user who has been delegated Full Control permissions over an Organizational Unit can also modify a Group Policy Object. To prevent this user from setting security, you may decide to give them only the Write - Allow permission.
You may also decide that the user should be exempt from the application of this policy; this can be accomplished by clearing the Apply Group Policy - Allow privilege.
For more information, please refer to the Microsoft KB article below:
Delegate Authority for Editing a Group Policy Object (GPO)