Do they know more about GPO than you? Than give them the rights. Make
their work easier..and probably yours. What are you afraid of? That
someone will go wild on GPO and abuse your AD? Than turn on auditing.
-Z.V.
Larry Wahlers wrote:
Colleagues,
Our Microcomputer Support group wants the ability to create Group Policy
objects and apply them to various workstations. I've taken a few classes
in AD, but I'm a tad shaky on how to give these folks just barely enough
privs to create GPO's and only link them to the OU's I choose.
It would seem that I should add the whole Micro group to the "Group
Policy Creator Owners" group in the "Users" OU, but the description
"Members in this group can modify group policy for the domain" scares me
a bit.
Unless, of course, it is *also* necessary to use the Delegate Control
wizard on whatever OU's they need, thus limiting their power to link
GPO's to only those OU's.
All suggestions from you knowledgeable AD Admins gratefully accepted!
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
