| Author | Messages | |
joe1
Posts:33
 | | 07/20/2007 7:18 AM |
| RSOP permissions
Env: Windows 2003 R2 Active Directory
Using the principle of least permission, I'm trying to delegate the RSOP (planning & logging) rights to a group in AD. Using the Delegation wizard in ADUC I delegated the two rights [1] at the domain level to a Domain Local Group.
I have a user that is in a Global Group which is a member of this Local Group. The user is not a member of BUILTIN\Administrators, Domain Admins, Ent Admins, GPCO or any other highly privileged group. They *are* a local Admin of the Member server on which GPMC is installed.
When attempting to execute the Group Policy Modelling wizard, the user gets "Access Denied" when trying to get past the "Domain Controller Selection" screen.
Same result when trying to execute the Group Policy Results wizard.
I'd be grateful for any guidance to allow this user/group the ability to run RSOP with min privileges.
Thanks in advance,
Joe
[1] Generate Resultant Set of Policy (Planning) & Generate Resultant Set of Policy (Logging) | | | |
| joe1
Posts:33
 | | 07/20/2007 1:57 AM |
| RSOP permissions
Thanks Will - that was it.
http://support.microsoft.com/kb/914047
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Holt, Will
Sent: 20 July 2007 16:29
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] RSOP permissions
Hi Joe,
Maybe DCOM access on the relevant DCs is missing.
You could set this per GPO linked to your DC OU - Windows Settings, Local Policies/Security Options, Other:
DCOM: Machine Launch Restrictions in Security Descriptor Language (SDDL) syntax
You have split the rights between logging and planning, meaning these rights groups need local launch and remote activation.
You also need to ensure that the necessary security principals can read the GPOs.
Hope this helps!
Will
| | | |
| holtw
Posts:1
 | | 07/20/2007 11:29 AM |
| RSOP permissions
Hi Joe,
Maybe DCOM access on the relevant DCs is missing.
You could set this per GPO linked to your DC OU - Windows Settings, Local Policies/Security Options, Other:
DCOM: Machine Launch Restrictions in Security Descriptor Language (SDDL) syntax
You have split the rights between logging and planning, meaning these rights groups need local launch and remote activation.
You also need to ensure that the necessary security principals can read the GPOs.
Hope this helps!
Will
| | | |
|
|
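An added example, not part of the thread and not Microsoft's code: an offline check of a "DCOM: Machine Launch Restrictions" SDDL string for the two rights holtw's reply names, local launch and remote activation. The SDDL strings, the group SID and the function names are constructed for illustration; the token-to-bit mapping follows the COM_RIGHTS_* constants.

```python
import re

# SDDL two-letter tokens as they appear in DCOM launch ACLs -> (COM_RIGHTS_* bit, meaning).
COM_RIGHTS = {
    "CC": (0x01, "Execute"),
    "DC": (0x02, "Local Launch"),
    "LC": (0x04, "Remote Launch"),
    "SW": (0x08, "Local Activation"),
    "RP": (0x10, "Remote Activation"),
}
# One ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")

def parse_mask(rights):
    """Convert an ACE rights field (hex such as 0x13, or tokens such as CCDCRP) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"malformed rights field {rights!r}")
    mask = 0
    for token in re.findall("..", rights):
        if token not in COM_RIGHTS:
            raise ValueError(f"unexpected rights token {token!r}")
        mask |= COM_RIGHTS[token][0]
    return mask

def launch_rights(sddl, trustees):
    """Names of the rights the ACL grants to a caller whose token holds `trustees`.
    Simplification: any matching deny ACE overrides allow ACEs, regardless of order."""
    allowed = denied = 0
    for ace_type, _flags, rights, _obj, _inh, trustee in ACE_RE.findall(sddl):
        if trustee not in trustees:
            continue
        if ace_type == "A":
            allowed |= parse_mask(rights)
        elif ace_type == "D":
            denied |= parse_mask(rights)
    effective = allowed & ~denied
    return {name for bit, name in COM_RIGHTS.values() if effective & bit}

def has_rsop_dcom_rights(sddl, trustees):
    """True when the caller holds both rights named in the reply above."""
    return {"Local Launch", "Remote Activation"} <= launch_rights(sddl, trustees)

# Constructed sample data: a placeholder SID for the delegated group and two ACLs.
RSOP_GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"
TOKEN = {"WD", RSOP_GROUP}  # Everyone plus the delegated group
BEFORE = "O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)"
AFTER = BEFORE + f"(A;;CCDCRP;;;{RSOP_GROUP})"

if __name__ == "__main__":
    for label, acl in (("before", BEFORE), ("after", AFTER)):
        print(label, sorted(launch_rights(acl, TOKEN)), has_rsop_dcom_rights(acl, TOKEN))
```

Granting the delegated group its own ACE keeps remote activation scoped to that group instead of widening the Everyone entry.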