Starter GPOs

Thread starter: Mike (Guest)

So we logged in as a Domain Admin on Windows Vista SP1 and managed a native
Windows Server 2003 Forest/Domain by GPMC. All DCs are R2/SP2. No schema
updates for Vista/2008 have been applied.

We created the Starter GPOs folder. We then delegated to a user group the
permissions to Create Starter GPOs.

We log in as a member of the delegated group (not domain admin) and are unable
to create Starter GPOs - we receive Access Denied. Looking on SYSVOL at the
Starter GPO folder, it creates an empty GUID-named folder.

Of course if we log in as domain admin we can create/modify/delete Starter
GPOs.

Any ideas?
 
Re: Starter GPOs

> So we logged in as a Domain Admin on Windows Vista SP1 and managed a
> native
> Windows Server 2003 Forest/Domain by GPMC. All DCs are R2/SP2. No schema
> updates for Vista/2008 have been applied.
>
> We created the Starter GPOs folder. We then delegated to a user group the
> permissions to Create Starter GPOs.
>
> We log in as a member of the delegated group (not domain admin) and are
> unable to create Starter GPOs - we receive Access Denied. Looking on SYSVOL
> at the
> Starter GPO folder, it creates an empty GUID-named folder.
>
> Of course if we log in as domain admin we can create/modify/delete Starter
> GPOs.
>
> Any ideas?
>
>


Hello,

There are several things in your post that are not clear.
Installing SP1 on Windows Vista removes GPMC from Vista, and the way to have
it back is actually installing RSAT (Remote Server Administration Tool)
as you can see from here:
http://blogs.technet.com/grouppolicy/archive/2008/04/03/gpmc-removed-from-vista-sp1.aspx
Moreover, Starter GPOs are not available on Windows Server 2003, so you need
to have Windows Server 2008 and update the schema consequently.
At this point, you can follow the very good article under
http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part1.html
to successfully create starter GPOs.
Just before the conclusion, here is what it says about "delegating the
power":
As with many other Windows features, you can delegate permissions to other
users and/or groups. In this case you can delegate the permissions to create
Starter GPOs in the domain. This is done from the "Delegation" tab which is
visible only when the "Starter GPOs" container is selected in the tree view
to the left, inside the GPMC (see Figure 11).


Figure 11: The Delegation tab for Starter GPOs

Behind the scenes this tab reflects the NTFS security permissions on the
"StarterGPOs"-folder below SYSVOL (see above); only users and groups with
the adequate permissions will show up in this view.

Hope this might help you.

Regards,

Luca Chiaverini
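
The reply above says the Delegation tab reflects the NTFS permissions on the "StarterGPOs" folder below SYSVOL. One way to inspect those permissions directly, as an added example that is not part of the thread or of the quoted article; the domain name and group name are placeholders, and the script only matches ACEs that name the group itself (not groups it is nested in):

```powershell
# Added example: read the NTFS ACL behind GPMC's Starter GPOs Delegation tab.
# $Domain and $Group are placeholders; substitute your own values.
param(
    [string]$Domain = 'example.local',                 # placeholder DNS domain
    [string]$Group  = 'EXAMPLE\StarterGPO-Creators'    # placeholder delegated group
)

# Standard SYSVOL layout: \\<domain>\SYSVOL\<domain>\StarterGPOs
$starterPath = "\\$Domain\SYSVOL\$Domain\StarterGPOs"

# ACEs on the StarterGPOs folder that name the delegated group directly.
$acl  = Get-Acl -Path $starterPath
$aces = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Group })

if ($aces.Count -eq 0) {
    Write-Warning "$Group has no ACE on $starterPath"
}

# Show what the group was actually granted and how far it propagates.
$aces | Select-Object IdentityReference, AccessControlType, FileSystemRights,
                      InheritanceFlags, PropagationFlags, IsInherited |
    Format-List

# An Allow ACE with InheritanceFlags 'None' covers this folder only, so the
# group could create a GUID subfolder yet hold no rights inside it.
foreach ($ace in $aces) {
    if ($ace.AccessControlType -eq 'Allow' -and $ace.InheritanceFlags -eq 'None') {
        Write-Warning "Allow ACE for $Group is not inherited by child objects."
    }
}

# List empty GUID-named subfolders (the symptom described in the first post),
# with owner and creation time so they can be tied to a failed attempt.
Get-ChildItem -Path $starterPath -Directory |
    Where-Object { -not (Get-ChildItem -Path $_.FullName -Force) } |
    ForEach-Object {
        [pscustomobject]@{
            Folder  = $_.Name
            Owner   = (Get-Acl -Path $_.FullName).Owner
            Created = $_.CreationTime
        }
    }
```

Run it once as a Domain Admin and once as a member of the delegated group; a difference in what each account can read is itself a finding.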
 
Re: Starter GPOs



"Luca Chiaverini" <lucchiav@hotmail.com> wrote in message
news:#YD8#Ph1IHA.4220@TK2MSFTNGP02.phx.gbl...
>> So we logged in as a Domain Admin on Windows Vista SP1 and managed a
>> native
>> Windows Server 2003 Forest/Domain by GPMC. All DCs are R2/SP2. No schema
>> updates for Vista/2008 have been applied.
>>
>> We created the Starter GPOs folder. We then delegated to a user group
>> the
>> permissions to Create Starter GPOs.
>>
>> We log in as a member of the delegated group (not domain admin) and
>> are unable
>> to create Starter GPOs - we receive Access Denied. Looking on SYSVOL at
>> the
>> Starter GPO folder, it creates an empty GUID-named folder.
>>
>> Of course if we log in as domain admin we can create/modify/delete
>> Starter
>> GPOs.
>>
>> Any ideas?
>>
>>

>
> Hello,
>
> There are several things in your post that are not clear.
> Installing SP1 on Windows Vista removes GPMC from Vista, and the way to
> have it back is actually installing RSAT (Remote Server Administration
> Tool)
> as you can see from here:
> http://blogs.technet.com/grouppolicy/archive/2008/04/03/gpmc-removed-from-vista-sp1.aspx
> Moreover, Starter GPOs are not available on Windows Server 2003, so you
> need to have Windows Server 2008 and update the schema consequently.
> At this point, you can follow the very good article under
> http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part1.html
> to successfully create starter GPOs.
> Just before the conclusion, here is what it says about "delegating the
> power":
> As with many other Windows features, you can delegate permissions to other
> users and/or groups. In this case you can delegate the permissions to
> create Starter GPOs in the domain. This is done from the "Delegation" tab
> which is visible only when the "Starter GPOs" container is selected in the
> tree view to the left, inside the GPMC (see Figure 11).
>
>
> Figure 11: The Delegation tab for Starter GPOs
>
> Behind the scenes this tab reflects the NTFS security permissions on the
> "StarterGPOs"-folder below SYSVOL (see above); only users and groups with
> the adequate permissions will show up in this view.
>
> Hope this might help you.
>
> Regards,
>
> Luca Chiaverini
>
>
>


Hello Luca,

Thanks for your informative reply.

I'm a little confused reading your reply as you state Starter GPOs are not
available on Windows Server 2003. I am using GPMC on Windows Vista with SP1
with RSAT to manage a native Windows Server 2003 Domain (without schema
updates). Starter GPOs are available. GPMC gives you the option to
create the Starter GPO folder and if you are a Domain Admin you can create
and use Starter GPOs.  You can even create new policies based on those
Starter GPOs.

I read through the delegating the power section of the link you provided and
followed it to a tee.  In my scenario as described above the problem is that
the delegation simply does not work unless the delegated group has domain
admin privileges.

Regards,
Mike.
 
Re: Starter GPOs


> Hello Luca,
>
> Thanks for your informative reply.
>
> I'm a little confused reading your reply as you state Starter GPOs are not
> available on Windows Server 2003. I am using GPMC on Windows Vista with
> SP1 with RSAT to manage a native Windows Server 2003 Domain (without
> schema updates). Starter GPOs are available. GPMC gives you the option
> to create the Starter GPO folder and if you are a Domain Admin you can
> create and use Starter GPOs.  You can even create new policies based on
> those Starter GPOs.
>
> I read through the delegating the power section of the link you provided
> and followed it to a tee.  In my scenario as described above the problem is
> that the delegation simply does not work unless the delegated group has
> domain admin privileges.
>
> Regards,
> Mike.
>


Hello Mike,

It's quite strange as I cannot find any official documentation regarding
support for Starter GPOs before Windows Server 2008.
For instance when you download Starter GPOs from
http://www.microsoft.com/downloads/...A7-AF7A-4274-9D34-1AD96576E823&displaylang=en
it's clearly stated that Starter GPOs are introduced in Windows Server 2008.
They must be managed with GPMC or RSAT to install the downloaded packages in
the SYSVOL share, and they can be applied to Vista and XP SP2 clients.
The fact that delegation does not work properly for you might be caused by
the fact that you shouldn't even try to use them in a Windows 2003
environment...
Server 2008 is still very new and there are many things which are not clear
enough yet.

Regards,
Luca Chiaverini
 
Re: Starter GPOs


"Luca Chiaverini" <lucchiav@hotmail.com> wrote in message
news:%23eMbhAD3IHA.5024@TK2MSFTNGP03.phx.gbl...
>
>> Hello Luca,
>>
>> Thanks for your informative reply.
>>
>> I'm a little confused reading your reply as you state Starter GPOs are
>> not available on Windows Server 2003. I am using GPMC on Windows Vista
>> with SP1 with RSAT to manage a native Windows Server 2003 Domain (without
>> schema updates). Starter GPOs are available. GPMC gives you the
>> option to create the Starter GPO folder and if you are a Domain Admin you
>> can create and use Starter GPOs.  You can even create new policies based
>> on those Starter GPOs.
>>
>> I read through the delegating the power section of the link you provided
>> and followed it to a tee.  In my scenario as described above the problem is
>> that the delegation simply does not work unless the delegated group has
>> domain admin privileges.
>>
>> Regards,
>> Mike.
>>

>
> Hello Mike,
>
> It's quite strange as I cannot find any official documentation regarding
> support for Starter GPOs before Windows Server 2008.
> For instance when you download Starter GPOs from
> http://www.microsoft.com/downloads/...A7-AF7A-4274-9D34-1AD96576E823&displaylang=en
> it's clearly stated that Starter GPOs are introduced in Windows Server
> 2008.
> They must be managed with GPMC or RSAT to install the downloaded packages
> in the SYSVOL share, and they can be applied to Vista and XP SP2 clients.
> The fact that delegation does not work properly for you might be caused by
> the fact that you shouldn't even try to use them in a Windows 2003
> environment...
> Server 2008 is still very new and there are many things which are not
> clear enough yet.
>
> Regards,
> Luca Chiaverini
>


Hi Luca,

I suspect you're right. It does seem like a bug, because it does work under
certain circumstances. My guess is they will release a KB article defining
these limitations as by design and suggest we upgrade to Server 2008.

The documentation for Windows Server 2008 is in simpleton format. They have
a lot of work to do to bring it up to a technical level, particularly with
Starter GPOs.

Thanks for your help.

Regards,
Mike.
 