Windows Vista Tips

move objects between group policies rights

 
 
2010
11-23-2009
I would like to be able to allow a user to manage group policy but not Active
Directory. However, I need the ability for that user to be able to move users
and computers in and out of different organizational units to receive
different GP settings. Is there a way to do this and limit the user's role in
Active Directory to only allow objects to be moved in and out of GPOs? It is
fine to have full control of Group Policy.
 
Florian Frommherz [MVP]
11-23-2009

Howdie!

2010 wrote:
> I would like to be able to allow a user to manage group policy but not Active
> Directory. However, I need the ability for that user to be able to move users
> and computers in and out of different organizational units to receive
> different GP settings. Is there a way to do this and limit the user's role in
> Active Directory to only allow objects to be moved in and out of GPOs? It is
> fine to have full control of Group Policy.


That's two different things:
(1) move users from OU to OU
(2) manage Group Policy

Is it necessary that you grant that user both permissions?

For (1), you need to use the "Delegation of Control" wizard in Active
Directory Users and Computers - or any other tool that is capable of
altering AD ACLs. To move objects, a user needs both "create" permission
in the new OU and "Delete object" permission in the old OU. Joe has an
explanation of this: http://blog.joeware.net/2005/07/17/48/

(2) This is a little more complicated as users need both access to the
GPC (the AD parts) and the GPT (the SYSVOL parts) of the policy. You can
grant pretty much all permission in GPMC.

Cheers,
Florian
 
2010
11-23-2009
Thanks. I am going to try to implement this today.

For the second part though, wouldn't adding the user to the "Group Policy
Creator Owners" group give them these rights on the GPC and/or GPT parts of
Group Policy?

"Florian Frommherz [MVP]" wrote:

> Howdie!
>
> 2010 wrote:
> > I would like to be able to allow a user to manage group policy but not Active
> > Directory. However, I need the ability for that user to be able to move users
> > and computers in and out of different organizational units to receive
> > different GP settings. Is there a way to do this and limit the user's role in
> > Active Directory to only allow objects to be moved in and out of GPOs? It is
> > fine to have full control of Group Policy.

>
> That's two different things:
> (1) move users from OU to OU
> (2) manage Group Policy
>
> Is it necessary that you grant that user both permissions?
>
> For (1), you need to use the "Delegation of Control" wizard in Active
> Directory Users and Computers - or any other tool that is capable of
> altering AD ACLs. To move objects, a user needs both "create" permission
> in the new OU and "Delete object" permission in the old OU. Joe has an
> explanation of this: http://blog.joeware.net/2005/07/17/48/
>
> (2) This is a little more complicated as users need both access to the
> GPC (the AD parts) and the GPT (the SYSVOL parts) of the policy. You can
> grant pretty much all permission in GPMC.
>
> Cheers,
> Florian

 
Florian Frommherz [MVP]
11-23-2009
Howdie!

2010 wrote:
> Thanks. I am going to try to implement this today.
>
> For the second part though, wouldn't adding the user to the "Group Policy
> Creator Owners" group give them these rights on the GPC and/or GPT parts of
> Group Policy?


Not sure about that. It's been a while since I last had to do that. I
remember that, back then, I had to delegate another permission to the
user - that was write/delete on the OU's "gpLink" attribute, which is the
attribute where the "GPO link" is stored. You may also want to look into
that.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
ANY advice you get on the Newsgroups should be tested thoroughly in your
lab.
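One way to script the delegation the two answers describe (Create/Delete child rights on the OUs for moves, Write on the OU's gPLink attribute for linking GPOs), as an added PowerShell example that is not from the thread or from either poster; the group name and OU distinguished names are assumed placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not code from the thread. Grants the rights the two answers name:
# CreateChild/DeleteChild for user and computer objects on each OU (so the group
# can move objects between those OUs) and Write on each OU's gPLink attribute (so
# it can link/unlink GPOs there). Group name and OU DNs are assumed placeholders.
Import-Module ActiveDirectory

$DelegateGroup = 'GPO-Delegates'                                         # assumed
$Ous = @('OU=Sales,DC=example,DC=com', 'OU=Marketing,DC=example,DC=com')  # assumed

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$delegate = (Get-ADGroup -Identity $DelegateGroup).SID

# Resolve schemaIDGUIDs from the schema at run time rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
                        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)"
    return [guid]::new([byte[]]$obj.schemaIDGUID)
}
$classGuids = @((Get-SchemaGuid 'user'), (Get-SchemaGuid 'computer'))
$gpLinkGuid = Get-SchemaGuid 'gPLink'

function New-Ace([guid]$ObjectType, [string]$Rights) {
    # Inheritance None: the ACE applies to this OU only, not to sub-OUs.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $delegate,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
}

foreach ($ou in $Ous) {
    $acl = Get-Acl -Path "AD:\$ou"
    # A move is a create in the target OU plus a delete in the source OU, so every
    # OU in the set gets both, but only for the user and computer object classes.
    # (Not from the thread: if moves still fail, the delegate may also need Write
    # on the moved object's RDN and name attributes; this script grants only the
    # rights the answers name.)
    foreach ($g in $classGuids) {
        $acl.AddAccessRule((New-Ace $g 'CreateChild, DeleteChild'))
    }
    # Write on gPLink is the attribute right Florian mentions for managing GPO links.
    $acl.AddAccessRule((New-Ace $gpLinkGuid 'ReadProperty, WriteProperty'))
    Set-Acl -Path "AD:\$ou" -AclObject $acl
}
```

Run it as an account that can modify the OUs' ACLs, then confirm the resulting ACEs with `(Get-Acl "AD:\<OU DN>").Access` before handing the group to the delegate.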
 