NetIQ Group Policy Administrator 3.0
NetIQ Group Policy Administrator 4.x
NetIQ Group Policy Administrator 5.0
Users are given full control of Group Policies that they have been delegated to create within the Repository
This is due to native Operating System (OS) behavior.
If you delegate a user to be able to create a Group Policy Object (GPO) in the Repository and the user is not an Administrator, the Security descriptor on the GPO will give that specific user the rights to modify the GPO if the user is a non-admin. This is native OS behavior. If the OS sees a user has the rights to create something, it automatically grants any other rights needed to allow them to edit it as well. This is only an issue for non-Admin users.
This creates an issue when trying to export the GPO to Active Directory. If the GPO is exported, the user will now have the rights to modify the GPO live in Active Directory. This counteracts the positioning of the product for delegation and off line administration. A ticket has been opened to development to investigate changing this behavior in future release of GPA.
To workaround this issue:
- Import the GPO from Active Directory into the Repository (This brings the security of the GPO into Active Directory).
- Have an Admin create the GPO's in the Repository.
- Make modifying the security descriptor of a Group Policy part of the workflow for approving a group policy to be exported to Active Directory.