


"Group Policy Objects" permissions not applying to individual objects?

By josh92982
Hi All,

I am using the Group Policy Management console to administer Group Policy in another domain. I am able to connect to and read all objects fine. I am able to create new objects, edit the objects I've just created, and link all objects.

The problem is that I cannot edit pre-existing individual GPOs--objects that were created from the local DC. Shouldn't the permissions applied to the "Group Policy Objects" container (using the "delegation" tab) filter down to all individual objects?

I would prefer not to have to log into the local DC and grant myself permission on every single GPO created from there (x 20 locations/domains).



All Answers


It's designed to not let you do that.

by Absolutely In reply to "Group Policy Objects" pe ...

"Domain password policies may be enabled and linked at the domain only. This limitation is because of the design of where these values are stored in Active Directory. Password policy settings, such as Minimum Password age, Maximum Password age, and Minimum Password length are stored as attributes on the domain object in Active Directory. The current design does not allow these values to read from any other object. Password policy settings linked at other containers will not affect domain users, but will apply to local users of the computer."

Managing Security Policy
Q. Why can I set password policies only at the domain level?

So, whose network are you trying to crack?


20 Different Domains?

by scott_heath In reply to "Group Policy Objects" pe ...

Uh, maybe someone should rethink the domain structure if possible. You don't have to have unique domains for each site.
