Rights to edit existing group policy but not create new group policies.

    Question

  • I'm not very familiar with Group Policy; however, it's recently come up in an audit I'm performing and I've gotten curious. Does anyone know if there is a way to configure member rights within the AD group, Group Policy Creator/Owner, in which the member can edit existing policies but not create new policies?

    Thanks,

    Monday, March 21, 2016 1:57 PM

Answers

  • Hi,
     
    On 21.03.2016 at 14:57, Jordan Holloway wrote:
    > in which the member can edit existing policies but
    > not create new policies?
     
    Use your own security groups and add this group to the desired GP with
    Edit rights. That can be done within GPMC.
     
    Or script it with Set-GPPermissions
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    • Proposed as answer by Avendil Monday, March 28, 2016 7:34 PM
    • Marked as answer by Yan Li_Moderator Wednesday, April 6, 2016 9:16 AM
    Monday, March 21, 2016 2:02 PM
  • Hi,
    As Mark said, it could be done with GPMC. Please try the following steps from the article:
    1. In the GPMC, expand the entry for the forest you want to work with and then expand the related Domains node.
    2. Expand the node for the domain you want to work with. If you don’t see the domain you want to work with, right-click Domains and then click Show Domains. You can then select the domains you want to display.
    3. Select the Group Policy Objects node. In the right pane, select the Delegation tab. The current GPO creation permissions for individual users and groups are listed.
    4. To restrict the GPO creation permission for a user or group, select the user or group, then click Remove.

    Regards,
    Wendy



    Thursday, March 24, 2016 6:27 AM
    Moderator
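
The scripted route from the first answer, combined with an audit of who can still create GPOs, as an added PowerShell example that is not part of the original thread. The group name and GPO names are hypothetical placeholders; the script assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that it runs with rights to change GPO delegation.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Constructed sample values: replace with your own group and GPO names.
$EditorsGroup = 'GPO-Editors-Workstations'                         # hypothetical security group
$TargetGpos   = @('Workstation Baseline', 'Workstation Firewall')  # hypothetical GPO names

function Grant-GpoEditOnly {
    param([string[]]$GpoName, [string]$Group)
    foreach ($name in $GpoName) {
        # GpoEdit lets the group change settings in this GPO only; it does not
        # allow deleting the GPO, changing its ACL, or creating new GPOs.
        # -Replace also downgrades the group if it already holds a higher level.
        Set-GPPermission -Name $name -TargetName $Group -TargetType Group `
                         -PermissionLevel GpoEdit -Replace | Out-Null
        # Read the entry back so the change is verified, not assumed.
        $p = Get-GPPermission -Name $name -TargetName $Group -TargetType Group
        [pscustomobject]@{ Gpo = $name; Trustee = $p.Trustee.Name; Permission = $p.Permission }
    }
}

function Get-GpoEditDelegation {
    # Audit view: every trustee holding edit-level rights on any GPO in the domain.
    $editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $editLevels -contains $_.Permission.ToString() } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    SidType    = $_.Trustee.SidType
                    Permission = $_.Permission
                }
            }
    }
}

function Get-GpoCreators {
    # Members of this built-in group can create new GPOs; accounts that should
    # only edit existing GPOs should not appear here.
    Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
        Select-Object Name, SamAccountName, objectClass
}

Grant-GpoEditOnly -GpoName $TargetGpos -Group $EditorsGroup | Format-Table -AutoSize
Get-GpoEditDelegation | Sort-Object Trustee, Gpo | Format-Table -AutoSize
Get-GpoCreators | Format-Table -AutoSize
```

The membership check covers only the built-in group; creation rights delegated directly on the Group Policy Objects node still need to be reviewed on the Delegation tab described in the steps above.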
