Our AD domain and forest functional level is 2012R2 and we need to delegate permissions to a few admins to create GPOs and link them to a few specific OUs they control and manage. They should not be members of the Group Policy Creator Owners group.
As per Microsoft's own text, they have been delegated rights in the GPMC to the Group Policy Objects container, and have full control permission already over their own OUs. However, they get 'access denied' every time they try and create a new GPO (although they can amend existing ones). I do not see any means to see the level of access given to delegates on the Group Policy Objects container; it seems to just be on or off. How can I sort this so they have rights to create objects which will only get applied as per the OU permissions? From what I have read, quite possibly modifying the NTFS permissions on the sysvol\policies folder would do it, but that really would be an absolute last resort and it would definitely not be something that could be done without a long and convoluted risk assessment etc. Hope someone can help, thanks.
Edit: Have checked the ACL of the 'groupPolicyContainer' in the schema, and the group in question has the following:
Allow domain\admingroupB SPECIAL ACCESS for groupPolicyContainer
CREATE CHILD
The Group Policy Creators Owners group has exactly the same displayed...
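A way to audit both places a new GPO gets written (the AD Policies container and the SYSVOL Policies folder the post mentions) for a given group, as added example code that is not from the original post. It assumes the RSAT ActiveDirectory module is available and uses the post's 'admingroupB' as a placeholder group name.

```powershell
# Added example (not from the original post): report whether a group holds the
# two permissions GPO creation needs: CreateChild for groupPolicyContainer on
# CN=Policies,CN=System in AD, and write access to the SYSVOL Policies folder.
Import-Module ActiveDirectory

function Test-GpoCreateDelegation {
    param([Parameter(Mandatory)][string]$GroupName)   # placeholder: 'admingroupB'

    $domain  = Get-ADDomain
    $group   = Get-ADGroup $GroupName
    $groupNt = "$($domain.NetBIOSName)\$($group.SamAccountName)"

    # Resolve the schemaIDGUID of groupPolicyContainer from this forest's schema
    # rather than hard-coding it; it is what a class-scoped ACE carries in ObjectType.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $gpcClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
    $gpcGuid  = [guid]$gpcClass.schemaIDGUID
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    # AD side: an Allow ACE for the group that includes CreateChild (GenericAll
    # also sets that bit), either unscoped or scoped to groupPolicyContainer.
    $policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"
    $adAces = (Get-Acl -Path "AD:\$policiesDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $groupNt -and
        ([int]($_.ActiveDirectoryRights -band $createChild)) -ne 0 -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $gpcGuid)
    }

    # SYSVOL side: the new GPO's folder tree is created under Policies, so the
    # group needs Modify there. Generic (unmapped) rights flags are not examined.
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    $sysvolPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
    $fsAces = (Get-Acl -Path $sysvolPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $groupNt -and
        (($_.FileSystemRights -band $modify) -eq $modify)
    }

    [pscustomobject]@{
        Group               = $groupNt
        AdCreateChildGpc    = [bool]$adAces
        SysvolPoliciesWrite = [bool]$fsAces
        AdAces              = $adAces
        SysvolAces          = $fsAces
    }
}

Test-GpoCreateDelegation -GroupName 'admingroupB' | Format-List
```

Run it as a user able to read both ACLs; a group that shows the AD right but not the SYSVOL one is the split the post describes, since GPMC displays the container delegation only as present or absent.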