Delegate read access rights for a security group on all GPO's in a domain

    Question

  • Hi,

    I have created a security group and added some of the users in the AD group. Now, I want to delegate read permission to the group for all GPO's in a domain.

    So, the users added to the security group will be able to view all GPO's but cannot modify them in the domain.


    Sugandh

    Monday, April 24, 2017 7:49 AM

Answers

  • Hi,

    Thanks for your reply.

    We have checked through ADSIEDIT and checked the issue. The user has access according to it. When we delegate read permission to a user on GPO's it takes time to replicate; that's the reason why the GPO could not be viewed by User2. We have done replication and logged off and logged in again. User2 is able to view GPO's.

    I have applied read access to all users by adding the Authenticated Users built-in group to all GPO's. Now all users are able to view GPO's.


    Sugandh

    Monday, May 01, 2017 8:41 AM

All replies

  • > I have created a security group and added some of the users in AD group. Now, I want to delegate read permission to a group for all GPO's in a domain.
     
    And what's preventing you from doing that?
     
    • Proposed as answer by Todd Heron Tuesday, April 25, 2017 12:21 AM
    Monday, April 24, 2017 2:11 PM
  • By default, all authenticated users should be able to read your AD objects. Unless if this has been changed, you can apply the needed permissions on the domain level and make sure that inheritance is not blocked on the OUs and containers level. For more details about delegation in AD, you can refer to the Wiki I started here: https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    • Proposed as answer by Todd Heron Tuesday, April 25, 2017 12:21 AM
    Monday, April 24, 2017 11:04 PM
  • Hi,

    When users open GPMC console they are not able to view some of the GPO's

    Message: The GPO is inaccessible because you do not have read level permissions on it.

    I have added two user accounts in the Delegation tab and gave read access to one GPO. User1 is able to view the GPO which I have given read access to, and the same inaccessible message is coming for User2.

    The logic I got now is that we need to add the security group to all GPO's in the Delegation tab for read-level permission.

    Trying to figure it out.


    Sugandh

    Tuesday, April 25, 2017 5:13 AM
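    The step described above (adding the group with Read to every GPO's delegation) can be done for all GPOs at once with the GroupPolicy PowerShell module, then verified per GPO. This is an added example, not code from the thread; the group name GPO-Readers is an assumed placeholder, and it assumes RSAT/GPMC is installed and the account has rights to modify GPO security.

```powershell
# Added example (not from the thread): grant a security group read-only access
# to every GPO in the domain, then report any GPO where it still lacks Read.
# "GPO-Readers" is a placeholder group name; replace it with your own group.
Import-Module GroupPolicy

$GroupName = 'GPO-Readers'

# GpoRead grants Read on the GPO only (no Apply, no Edit), which matches the
# "view but not modify" requirement. -All applies it to every GPO in the domain.
Set-GPPermission -All -TargetName $GroupName -TargetType Group -PermissionLevel GpoRead | Out-Null

# Verification: Get-GPPermission throws when the trustee has no ACE on the GPO,
# so a null result means no access. A Denied ACE also blocks reading (the
# "delegate deny permission" case raised later in the thread).
# Security changes must replicate between domain controllers before every user
# sees them; run this check against the DC you changed (or wait for replication).
$allGpos = Get-GPO -All
$missing = foreach ($gpo in $allGpos) {
    $perm = Get-GPPermission -Guid $gpo.Id -TargetName $GroupName -TargetType Group -ErrorAction SilentlyContinue
    if (-not $perm -or $perm.Denied) { $gpo.DisplayName }
}

if ($missing) {
    "Group '$GroupName' still lacks Read on: $($missing -join ', ')"
} else {
    "Group '$GroupName' has Read on all $($allGpos.Count) GPOs."
}
```

Granting a dedicated group rather than re-adding Authenticated Users keeps the audience of "who can read every GPO" explicit and reviewable.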
  • Hi,
    Please check if the problematic user account has a delegated deny permission on the GPO.
    Using ADSIEDIT you'll find a "groupPolicyContainer" corresponding to the GUID of the problematic GPO under the "CN=Policies" object of the "CN=System" object in the Domain NC of the domain the GPO resides in. Then please try using the "Security" tab of the "Properties" sheet for the GPC corresponding to the problematic GPO to set the permission for the problematic user account.
    In addition, here is a similar thread; you could also refer to the suggested methods in it to see if it helps:
    https://social.technet.microsoft.com/Forums/windows/en-US/0cc823b8-19d5-4cd0-b384-1d6e3da27491/group-policy-inaccessible?forum=winserverGP
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, April 25, 2017 9:33 AM
    Moderator