GPO Access Rights



SunRace
07-09-2005, 10:52 PM
Hello,

I would like to allow Non Admin user's to edit and view GPO. I dont want
them to be able to make changes to the policy. How do I do that? Reason being
when I give Edit right ..they can make changes to the GPO. Is there any
scripting way which I can use for this?

Steven L Umbach
07-09-2005, 10:52 PM
If they can edit the GPO then they can change it. What exactly do you want
them to be able to do?? Offhand the only option I know is to give the
user/group write permission to the Group Policy but then they can edit and
change it but not delete or unlink it. --- Steve


"SunRace" <SunRace@discussions.microsoft.com> wrote in message
news:33BC012A-0CB3-4DC5-8901-FED4EEF58FE8@microsoft.com...
> Hello,
>
> I would like to allow Non Admin user's to edit and view GPO. I dont want
> them to be able to make changes to the policy. How do I do that? Reason
> being
> when I give Edit right ..they can make changes to the GPO. Is there any
> scripting way which I can use for this?

SunRace
07-09-2005, 10:52 PM
Whar I want them to do is ....just view what has been configured in it....and
not change anything ....

"Steven L Umbach" wrote:

> If they can edit the GPO then they can change it. What exactly do you want
> them to be able to do?? Offhand the only option I know is to give the
> user/group write permission to the Group Policy but then they can edit and
> change it but not delete or unlink it. --- Steve
>
>
> "SunRace" <SunRace@discussions.microsoft.com> wrote in message
> news:33BC012A-0CB3-4DC5-8901-FED4EEF58FE8@microsoft.com...
> > Hello,
> >
> > I would like to allow Non Admin user's to edit and view GPO. I dont want
> > them to be able to make changes to the policy. How do I do that? Reason
> > being
> > when I give Edit right ..they can make changes to the GPO. Is there any
> > scripting way which I can use for this?
>
>
>

Steven L Umbach
07-09-2005, 10:52 PM
OK. I see when a user does not have write permission then they can only view
the properties tab. I don't know of a workaround offhand and you may want to
post in one of the Group Policy newsgroups. If the domain is Windows 2003
you can delegate Resultant Set of Policy logging and planning for a user if
that would help. --- Steve


"SunRace" <SunRace@discussions.microsoft.com> wrote in message
news:16FEC4F7-CDEE-4517-B27B-85AFC627C39C@microsoft.com...
> Whar I want them to do is ....just view what has been configured in
> it....and
> not change anything ....
>
> "Steven L Umbach" wrote:
>
>> If they can edit the GPO then they can change it. What exactly do you
>> want
>> them to be able to do?? Offhand the only option I know is to give the
>> user/group write permission to the Group Policy but then they can edit
>> and
>> change it but not delete or unlink it. --- Steve
>>
>>
>> "SunRace" <SunRace@discussions.microsoft.com> wrote in message
>> news:33BC012A-0CB3-4DC5-8901-FED4EEF58FE8@microsoft.com...
>> > Hello,
>> >
>> > I would like to allow Non Admin user's to edit and view GPO. I dont
>> > want
>> > them to be able to make changes to the policy. How do I do that? Reason
>> > being
>> > when I give Edit right ..they can make changes to the GPO. Is there any
>> > scripting way which I can use for this?
>>
>>
>>

SunRace
07-09-2005, 10:52 PM
Um Hu....even After doing that ....they can not edit the policy (view).

"Steven L Umbach" wrote:

> OK. I see when a user does not have write permission then they can only view
> the properties tab. I don't know of a workaround offhand and you may want to
> post in one of the Group Policy newsgroups. If the domain is Windows 2003
> you can delegate Resultant Set of Policy logging and planning for a user if
> that would help. --- Steve
>
>
> "SunRace" <SunRace@discussions.microsoft.com> wrote in message
> news:16FEC4F7-CDEE-4517-B27B-85AFC627C39C@microsoft.com...
> > Whar I want them to do is ....just view what has been configured in
> > it....and
> > not change anything ....
> >
> > "Steven L Umbach" wrote:
> >
> >> If they can edit the GPO then they can change it. What exactly do you
> >> want
> >> them to be able to do?? Offhand the only option I know is to give the
> >> user/group write permission to the Group Policy but then they can edit
> >> and
> >> change it but not delete or unlink it. --- Steve
> >>
> >>
> >> "SunRace" <SunRace@discussions.microsoft.com> wrote in message
> >> news:33BC012A-0CB3-4DC5-8901-FED4EEF58FE8@microsoft.com...
> >> > Hello,
> >> >
> >> > I would like to allow Non Admin user's to edit and view GPO. I dont
> >> > want
> >> > them to be able to make changes to the policy. How do I do that? Reason
> >> > being
> >> > when I give Edit right ..they can make changes to the GPO. Is there any
> >> > scripting way which I can use for this?
> >>
> >>
> >>
>
>
>

Byron Hynes [MVP]
07-09-2005, 10:52 PM
> Hello,
>
> I would like to allow Non Admin user's to edit and view GPO. I dont
> want them to be able to make changes to the policy. How do I do that?
> Reason being when I give Edit right ..they can make changes to the
> GPO. Is there any scripting way which I can use for this?
>

I'm pretty sure the Group Policy Management Console (GPMC) combined with
appropriate permissions will get you the effect you want, if I understand
it correctly.

- Byron Hynes


GPO Access Rights