Guest Mike
Posted June 6, 2008

So we logged in as a Domain Admin on Windows Vista SP1 and managed a native Windows Server 2003 Forest/Domain by GPMC. All DCs are R2/SP2. No schema updates for Vista/2008 have been applied.

We created the Starter GPOs folder. We then delegated to a user group the permissions to Create Starter GPOs.

We log in as a member of the delegated group (not domain admin) and are unable to create Starter GPOs - we receive Access Denied. Looking on SYSVOL at the Starter GPO folder, it creates an empty GUID-named folder.

Of course if we log in as domain admin we can create/modify/delete Starter GPOs.

Any ideas?

Guest Luca Chiaverini
Posted June 24, 2008

Re: Starter GPOs

> So we logged in as a Domain Admin on Windows Vista SP1 and managed a native
> Windows Server 2003 Forest/Domain by GPMC. All DCs are R2/SP2. No schema
> updates for Vista/2008 have been applied.
>
> We created the Starter GPOs folder. We then delegated to a user group the
> permissions to Create Starter GPOs.
>
> We log in as a member of the delegated group (not domain admin) and are unable
> to create Starter GPOs - we receive Access Denied. Looking on SYSVOL at the
> Starter GPO folder, it creates an empty GUID-named folder.
>
> Of course if we log in as domain admin we can create/modify/delete Starter
> GPOs.
>
> Any ideas?

Hello,

there are several things in your post that are not clear.

Installing SP1 on Windows Vista removes GPMC from Vista, and the way to have it back is actually installing RSAT (Remote Server Administration Tool), as you can see from here:
http://blogs.technet.com/grouppolicy/archive/2008/04/03/gpmc-removed-from-vista-sp1.aspx

Moreover, Starter GPOs are not available on Windows Server 2003, so you need to have Windows Server 2008 and update the schema consequently.

At this point, you can follow the very good article under
http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part1.html
to successfully create Starter GPOs.

Just before the conclusion, here is what it says about "delegating the power":

As with many other Windows features, you can delegate permissions to other users and/or groups. In this case you can delegate the permissions to create Starter GPOs in the domain. This is done from the "Delegation" tab which is visible only when the "Starter GPOs" container is selected in the tree view to the left, inside the GPMC (see Figure 11).

Figure 11: The Delegation tab for Starter GPOs

Behind the scenes this tab reflects the NTFS security permissions on the "StarterGPOs"-folder below SYSVOL (see above); only users and groups with the adequate permissions will show up in this view.

Hope this might help you.

Regards,

Luca Chiaverini
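
An added example, not part of the thread or of the article Luca quotes: one way to read the NTFS permissions that the Delegation tab is said to reflect, and to list the GUID-named folders Mike describes along with what the delegated group holds inside each. `$Domain` and `$Group` are placeholder values, and the `\\<domain>\SYSVOL\<domain>\StarterGPOs` path is the usual SYSVOL layout, assumed here.

```powershell
# Added example: read the NTFS ACL on the StarterGPOs folder in SYSVOL.
# $Domain and $Group are placeholders (assumptions), not values from the thread.
param(
    [string]$Domain = 'corp.example.com',
    [string]$Group  = 'CORP\StarterGpoCreators'
)

# Usual SYSVOL layout (assumed): \\<domain>\SYSVOL\<domain>\StarterGPOs
$root = "\\$Domain\SYSVOL\$Domain\StarterGPOs"

function Get-GroupAce {
    # Return the ACEs on $Path whose trustee is exactly $Identity.
    param([string]$Path, [string]$Identity)
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity }
}

# 1. What the delegated group holds on the StarterGPOs folder itself, and
#    whether each ACE is set to flow down to the folders created beneath it.
$rootAces = @(Get-GroupAce -Path $root -Identity $Group)
if ($rootAces.Count -eq 0) {
    Write-Warning "No ACE naming $Group on $root"
}
$rootAces | Format-List AccessControlType, FileSystemRights, IsInherited,
                        InheritanceFlags, PropagationFlags

# 2. Every GUID-named subfolder: owner, whether it is empty, and the rights
#    the delegated group ends up with inside it.
Get-ChildItem -LiteralPath $root -Directory | ForEach-Object {
    $acl = Get-Acl -LiteralPath $_.FullName
    $groupRights = $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        ForEach-Object { '{0}:{1}' -f $_.AccessControlType, $_.FileSystemRights }
    [pscustomobject]@{
        Folder      = $_.Name
        Owner       = $acl.Owner
        IsEmpty     = -not (Get-ChildItem -LiteralPath $_.FullName -Force |
                            Select-Object -First 1)
        GroupRights = ($groupRights -join '; ')
    }
} | Format-Table -AutoSize
```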

Guest Mike
Posted June 26, 2008

Re: Starter GPOs

"Luca Chiaverini" <lucchiav@hotmail.com> wrote in message news:#YD8#Ph1IHA.4220@TK2MSFTNGP02.phx.gbl...

>> So we logged in as a Domain Admin on Windows Vista SP1 and managed a native
>> Windows Server 2003 Forest/Domain by GPMC. All DCs are R2/SP2. No schema
>> updates for Vista/2008 have been applied.
>>
>> We created the Starter GPOs folder. We then delegated to a user group the
>> permissions to Create Starter GPOs.
>>
>> We log in as a member of the delegated group (not domain admin) and are
>> unable to create Starter GPOs - we receive Access Denied. Looking on SYSVOL
>> at the Starter GPO folder, it creates an empty GUID-named folder.
>>
>> Of course if we log in as domain admin we can create/modify/delete Starter
>> GPOs.
>>
>> Any ideas?
>
> Hello,
>
> there are several things in your post that are not clear.
> Installing SP1 on Windows Vista removes GPMC from Vista, and the way to
> have it back is actually installing RSAT (Remote Server Administration
> Tool), as you can see from here:
> http://blogs.technet.com/grouppolicy/archive/2008/04/03/gpmc-removed-from-vista-sp1.aspx
> Moreover, Starter GPOs are not available on Windows Server 2003, so you
> need to have Windows Server 2008 and update the schema consequently.
> At this point, you can follow the very good article under
> http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part1.html
> to successfully create Starter GPOs.
> Just before the conclusion, here is what it says about "delegating the
> power":
> As with many other Windows features, you can delegate permissions to other
> users and/or groups. In this case you can delegate the permissions to
> create Starter GPOs in the domain. This is done from the "Delegation" tab
> which is visible only when the "Starter GPOs" container is selected in the
> tree view to the left, inside the GPMC (see Figure 11).
>
> Figure 11: The Delegation tab for Starter GPOs
>
> Behind the scenes this tab reflects the NTFS security permissions on the
> "StarterGPOs"-folder below SYSVOL (see above); only users and groups with
> the adequate permissions will show up in this view.
>
> Hope this might help you.
>
> Regards,
>
> Luca Chiaverini

Hello Luca,

Thanks for your informative reply.

I'm a little confused reading your reply as you state Starter GPOs are not available on Windows Server 2003. I am using GPMC on Windows Vista with SP1 with RSAT to manage a native Windows Server 2003 Domain (without schema updates). Starter GPOs are available. GPMC gives you the option to create the Starter GPO folder and if you are a Domain Admin you can create and use Starter GPOs. You can even create new policies based on those Starter GPOs.

I read through the delegating the power section of the link you provided and followed it to a tee. In my scenario as described above the problem is that the delegation simply does not work unless the delegated group has domain admin privileges.

Regards,
Mike.

Guest Luca Chiaverini
Posted July 2, 2008

Re: Starter GPOs

> Hello Luca,
>
> Thanks for your informative reply.
>
> I'm a little confused reading your reply as you state Starter GPOs are not
> available on Windows Server 2003. I am using GPMC on Windows Vista with
> SP1 with RSAT to manage a native Windows Server 2003 Domain (without
> schema updates). Starter GPOs are available. GPMC gives you the option
> to create the Starter GPO folder and if you are a Domain Admin you can
> create and use Starter GPOs. You can even create new policies based on
> those Starter GPOs.
>
> I read through the delegating the power section of the link you provided
> and followed it to a tee. In my scenario as described above the problem is
> that the delegation simply does not work unless the delegated group has
> domain admin privileges.
>
> Regards,
> Mike.

Hello Mike,

it's quite strange as I cannot find any official documentation regarding support for Starter GPOs before Windows Server 2008.

For instance, when you download Starter GPOs from
http://www.microsoft.com/downloads/details.aspx?FamilyId=AE3DDBA7-AF7A-4274-9D34-1AD96576E823&displaylang=en
it's clearly stated that Starter GPOs are introduced in Windows Server 2008.

They must be managed with GPMC or RSAT to install the downloaded packages in the SYSVOL share, and they can be applied to Vista and XP SP2 clients.

The fact that delegation does not work properly for you might be caused by the fact that you shouldn't even try to use them in a Windows 2003 environment...

Server 2008 is still very new and there are many things which are not clear enough yet.

Regards,
Luca Chiaverini

Guest Mike
Posted July 2, 2008

Re: Starter GPOs

"Luca Chiaverini" <lucchiav@hotmail.com> wrote in message news:%23eMbhAD3IHA.5024@TK2MSFTNGP03.phx.gbl...

>> Hello Luca,
>>
>> Thanks for your informative reply.
>>
>> I'm a little confused reading your reply as you state Starter GPOs are
>> not available on Windows Server 2003. I am using GPMC on Windows Vista
>> with SP1 with RSAT to manage a native Windows Server 2003 Domain (without
>> schema updates). Starter GPOs are available. GPMC gives you the
>> option to create the Starter GPO folder and if you are a Domain Admin you
>> can create and use Starter GPOs. You can even create new policies based
>> on those Starter GPOs.
>>
>> I read through the delegating the power section of the link you provided
>> and followed it to a tee. In my scenario as described above the problem is
>> that the delegation simply does not work unless the delegated group has
>> domain admin privileges.
>>
>> Regards,
>> Mike.
>
> Hello Mike,
>
> it's quite strange as I cannot find any official documentation regarding
> support for Starter GPOs before Windows Server 2008.
> For instance, when you download Starter GPOs from
> http://www.microsoft.com/downloads/details.aspx?FamilyId=AE3DDBA7-AF7A-4274-9D34-1AD96576E823&displaylang=en
> it's clearly stated that Starter GPOs are introduced in Windows Server
> 2008.
> They must be managed with GPMC or RSAT to install the downloaded packages
> in the SYSVOL share, and they can be applied to Vista and XP SP2 clients.
> The fact that delegation does not work properly for you might be caused by
> the fact that you shouldn't even try to use them in a Windows 2003
> environment...
> Server 2008 is still very new and there are many things which are not
> clear enough yet.
>
> Regards,
> Luca Chiaverini

Hi Luca,

I suspect you're right. It does seem like a bug, because it does work under certain circumstances.

My guess is they will release a KB article defining these limitations as by design and suggest we upgrade to Server 2008. The documentation for Windows Server 2008 is in simpleton format. They have a lot of work to do to bring it up to a technical level, particularly with Starter GPOs.

Thanks for your help.

Regards,
Mike.