Andy-
Yes, it's possible. There are actually two steps here. If
you have GPMC, highlight the Group Policy Objects node on your domain and choose
the Delegation tab. From here, you can delegate which groups can create GPOs in
the domain. However, even if you remove Domain Admins from this list, what you
will notice is that, when a GPO gets created by someone legitimately, the Domain
Admins group will still have edit rights over that GPO. This is because the
defaultSecurityDescriptor attribute on the groupPolicyContainer schema class
object includes this group when any new objects are created. In order to change
this, you will need to modify this attribute in the schema (e.g. using ADSIEdit)
to remove that group from the SDDL list stored in that
attribute.
Darren
Darren Mar-Elia
For comprehensive
Windows Group Policy Information, check out www.gpoguy.com-- the best source for GPO FAQs,
video training, tools and whitepapers. Also check out the Windows
Group Policy Guide, the definitive resource for Group Policy
information.
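The two steps Darren describes, as an added PowerShell example (this is not code from the thread or from any GPMC tooling). It assumes the RSAT ActiveDirectory module on a domain-joined host, Schema Admins membership for the final write, and it relies on the fact that GPMC's "Create GPOs" delegation is the CreateChild right for groupPolicyContainer objects on CN=Policies,CN=System. Step 1 only reads the current delegation; step 2 strips the DA (Domain Admins) ACE from the schema class's defaultSecurityDescriptor with a text-level SDDL edit and stops at -WhatIf, because a schema change is forest-wide and should be rehearsed in a lab first.

```powershell
# Added example, not code from the original thread. Assumes the RSAT
# ActiveDirectory module, a domain-joined host and Schema Admins membership
# for the write at the end. Rehearse in a lab: the schema is forest-wide.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$schemaNC = $rootDse.schemaNamingContext

# The groupPolicyContainer class object in the schema carries the
# defaultSecurityDescriptor that every new GPO receives at creation time.
$gpcClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' `
    -Properties defaultSecurityDescriptor, schemaIDGUID
$gpcGuid = [guid]$gpcClass.schemaIDGUID

# Step 1 (read-only): GPMC's "Create GPOs" delegation is the CreateChild right
# for groupPolicyContainer objects on CN=Policies,CN=System. List who has it,
# counting both class-specific grants and blanket CreateChild grants.
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$policiesAcl = Get-Acl -Path "AD:\CN=Policies,CN=System,$domainDN"
Write-Host "Principals that can create GPOs in ${domainDN}:"
$policiesAcl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($createChild) -and
        ($_.ObjectType -eq $gpcGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    ForEach-Object { "  $($_.IdentityReference)" }

# Step 2: remove every ACE whose trustee is a given SDDL alias (DA = Domain
# Admins). An SDDL ACE is six ';'-separated fields inside parentheses and the
# trustee is the last field, so a text-level match is enough and leaves the
# other aliases (EA, CO, SY, AU, ED) domain-relative instead of resolving
# them to one domain's SIDs.
function Remove-SddlAcesForTrustee {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Trustee
    )
    $pattern = '\((?:[^;()]*;){5}' + [regex]::Escape($Trustee) + '\)'
    return ($Sddl -replace $pattern, '')
}

$before = $gpcClass.defaultSecurityDescriptor
$after  = Remove-SddlAcesForTrustee -Sddl $before -Trustee 'DA'
Write-Host "`nBefore: $before"
Write-Host "After:  $after"

if ($after -eq $before) {
    Write-Host 'No DA ACE present in the default security descriptor; nothing to change.'
} else {
    # Schema writes must be directed at the schema master. Remove -WhatIf to apply.
    $schemaMaster = (Get-ADForest).SchemaMaster
    Set-ADObject -Identity $gpcClass.DistinguishedName -Server $schemaMaster `
        -Replace @{ defaultSecurityDescriptor = $after } -WhatIf
}
```

Two caveats a practitioner will want. The schema default only shapes GPOs created after the change; GPOs that already exist keep the DACL they were created with and need Set-GPPermission or the GPMC Delegation tab individually. And removing the ACE limits only this one path: Domain Admins remain administrators of the domain controllers and of the SYSVOL share where the policy files live, so this is a housekeeping measure for a large admin population, not a control that withstands a hostile Domain Admin.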
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andy Wang
Sent: Monday, July 31, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Revoke domain administrator's right to create GPO?
I have a Group Policy delegation question. By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. Since our company has lots of domain administrators, I'm thinking of revoking domain administrators' rights to create GPOs, then adding only several of them to the enterprise admin group / Group Policy Creator Owners. Is it possible?
Thanks in advance.
Andy