FriendlyIT
asked on
AD Group Policy Object permissions problems
We have a number of incidents where people cannot amend group policies that they did not create (in a Windows Server 2012 domain).
On these objects, edit is greyed out, even when signed in as a domain administrator.
We are also aiming to give group policy permissions by Active Directory group as opposed to individual users.
I am wondering if there is a specific permission that I can give to the AD group in question that will allow them to edit all group policy objects without having to go through and manually change the permissions on individual objects.
Failing that, is there a quick way to change the permissions across the board and also to set it so those permissions are given as standard when new objects are created?
I appreciate any insight into this problem.
Jon
On these objects, edit is greyed out, even when signed in as a domain administrator.
We are also aiming to give group policy permissions by Active Directory group as opposed to individual users.
I am wondering if there is a specific permission that I can give to the AD group in question that will allow them to edit all group policy objects without having to go through and manually change the permissions on individual objects.
Failing that, is there a quick way to change the permissions across the board and also to set it so those permissions are given as standard when new objects are created?
I appreciate any insight into this problem.
Jon
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks Shaun - that Powershell was perfect for the current policies and I will keep a note of it for the future.
Unfortunately Ayoub on the other hand, did not answer the question properly - it clearly states that this is a 2012 domain whereas he just word for word copy and pasted something from this page -
https://blogs.technet.microsoft.com/matthewms/2005/10/29/group-policies-and-access-denied/
This information actually related to Server 2003 and wasn't relevant in this case. A really lazy answer!
Unfortunately Ayoub on the other hand, did not answer the question properly - it clearly states that this is a 2012 domain whereas he just word for word copy and pasted something from this page -
https://blogs.technet.microsoft.com/matthewms/2005/10/29/group-policies-and-access-denied/
This information actually related to Server 2003 and wasn't relevant in this case. A really lazy answer!
This should fix the problem. If not, please check this link.