How do I prevent a user from creating a Group Policy Object in Active Directory? (NETIQKB28268)

  • 7728268
  • 02-Feb-2007
  • 08-Sep-2008

Resolution

goal
How do I prevent a user from creating a Group Policy Object in Active Directory?

goal
How can I prevent Admins from creating GPOs using native tools in Active Directory?

fact
NetIQ Group Policy Administrator 5.0

fact
Group Policy Administrator 3.0

fact
Group Policy Administrator 4.x

fix

By default, the following built-in groups have permission to create, modify, and/or delete a Group Policy Object in Active Directory:

  • Domain Admins
  • Enterprise Admins
  • Group Policy Creator Owners

In addition to the above groups, a user delegated Full Control permissions over an Organizational Unit also has access to modify a Group Policy Object. To prevent this user from setting security, you may decide to give them only the Write - Allow permission.

You may also decide that the user should be exempt from the application of this policy, and this may be accomplished by clearing the Apply Group Policy - Allow privilege.

For more information, refer to the Microsoft KB article below:

Delegate Authority for Editing a Group Policy Object (GPO)

http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b221577
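To review who can currently create GPOs before tightening permissions, the following audit script is an added example (not part of the original NetIQ article or of Group Policy Administrator). It goes slightly beyond the article by also reading the ACL on the domain's CN=Policies,CN=System container, where the right to create groupPolicyContainer objects is granted. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined session with read access.

```powershell
# Added example: report accounts able to create GPOs in the current domain.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$forestRoot = (Get-ADForest).RootDomain
$rootDse    = Get-ADRootDSE

# 1. Effective (recursive) members of the built-in groups listed above.
#    Enterprise Admins exists only in the forest root domain.
$groups = @(
    @{ Name = 'Domain Admins';               Server = $domain.DNSRoot },
    @{ Name = 'Enterprise Admins';           Server = $forestRoot },
    @{ Name = 'Group Policy Creator Owners'; Server = $domain.DNSRoot }
)
$members = foreach ($g in $groups) {
    Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive |
        Select-Object @{ n = 'Group'; e = { $g.Name } }, SamAccountName, objectClass
}

# 2. Look up the schema GUID of the groupPolicyContainer class at run time
#    rather than hard-coding it.
$gpcClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
$gpcGuid  = [guid]$gpcClass.schemaIDGUID

# 3. Allow ACEs on the Policies container that include CreateChild, either
#    for groupPolicyContainer specifically or for every object class.
$policiesDn  = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$creators = (Get-Acl -Path "AD:\$policiesDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $createChild) -and
    ($_.ObjectType -eq $gpcGuid -or $_.ObjectType -eq [guid]::Empty)
} | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

'--- Members of default GPO-creating groups ---'
$members  | Sort-Object Group, SamAccountName | Format-Table -AutoSize
'--- Trustees allowed to create GPOs under CN=Policies ---'
$creators | Format-Table -AutoSize
```

Any trustee in the second table that is not one of the three default groups has been delegated GPO creation separately and should be reviewed.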



Additional Information

Formerly known as NETIQKB28268