Controlling GPO access

Here is the problem; I work for a Medium sized city with a decentralized IT operation. The main IT group wants to reign in control of GPOs. For the most part I do not have a problem with this, but I would like to retain control of Log on and Log off scripts. Is there a way for our main IT office to just give us control of that portion of a GPO or is it an all or nothing kind of thing? If it is possible how do you do it?
lsctechAsked:
Who is Participating?
 
Mike KlineCommented:
Yeah it is an all or nothing thing.
You can't for instance in a GPO have a delegation to only let someone create the IE lockdowns and nothing else.
I'm guessing the main IT group also has domain admin rights?   They can do what ever they want if that is the case.
There are ways to put change control into group policy.  Microsoft has Advanced Group Policy Management that can help with that
http://technet.microsoft.com/en-us/library/cc749396(WS.10).aspx
Third party tools can also help with that: (one example below)
http://netiq-news.com/products/gpa/default.asp
Thanks
Mike
0
 
lsctechAuthor Commented:
Thanks, Mike

I was affraid that was the answer I was going to get. I guess now it is time to plead my case. I think we are getting punished for the sins of other departments.
0
 
Mike KlineCommented:
I've been through something like that in the past.  Hopefully the main IT group will still give rights and access to the good people not in their group.  Sounds like you have a good grasp of things so hopefully you don't get punished to much.
Crappy thing about these situations is many times they are just as much (or more) political than technical.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.