Solved

Controlling GPO access

Posted on 2009-05-15
3
230 Views
Last Modified: 2012-05-07
Here is the problem; I work for a Medium sized city with a decentralized IT operation. The main IT group wants to reign in control of GPOs. For the most part I do not have a problem with this, but I would like to retain control of Log on and Log off scripts. Is there a way for our main IT office to just give us control of that portion of a GPO or is it an all or nothing kind of thing? If it is possible how do you do it?
0
Comment
Question by:lsctech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 24398226
Yeah it is an all or nothing thing.
You can't for instance in a GPO have a delegation to only let someone create the IE lockdowns and nothing else.
I'm guessing the main IT group also has domain admin rights?   They can do what ever they want if that is the case.
There are ways to put change control into group policy.  Microsoft has Advanced Group Policy Management that can help with that
http://technet.microsoft.com/en-us/library/cc749396(WS.10).aspx
Third party tools can also help with that: (one example below)
http://netiq-news.com/products/gpa/default.asp
Thanks
Mike
0
 

Author Closing Comment

by:lsctech
ID: 31582013
Thanks, Mike

I was affraid that was the answer I was going to get. I guess now it is time to plead my case. I think we are getting punished for the sins of other departments.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24398766
I've been through something like that in the past.  Hopefully the main IT group will still give rights and access to the good people not in their group.  Sounds like you have a good grasp of things so hopefully you don't get punished to much.
Crappy thing about these situations is many times they are just as much (or more) political than technical.
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Ever visit a website where you spotted a really cool looking Font, yet couldn't figure out which font family it belonged to, or how to get a copy of it for your own use? This article explains the process of doing exactly that, as well as showing how…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

631 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question