Organizational Unit Controller Cannot Edit Group Policy Objects (233548)

SYMPTOMS

After you assign complete control of an Organizational Unit (OU) to a user or group using the Active Directory Users And Computers snap-in for Microsoft Management Console (MMC), that user or group may not be able to edit or create Group Policy objects.

NOTE: The user or members of the group can create a new computer, user, group, and printer object in the container.

RESOLUTION

To resolve this issue, add the user or group to the Group Policy Creator Owners security group. To do this, follow these steps:

NOTE: The computer needs to be a Domain Controller to have Active Directory installed and Active Directory utilities available for these steps.

Open the Active Directory Users And Computers snap-in using the MMC tool.
Click to expand the Domain's Directory structure, and then click Users OU to open and view domain users and groups.
Double-click Group Policy Creator Owners
On the Members tab, click Add, and then click to add the user or group you want.
Click OK.

For More information about delegation of Group Policy control, please see the following article in the Microsoft Knowledge Base:

221577 How to Delegate Authority for Editing a Group Policy Object

For More information about creating customer MMC snap-ins if Active Directory Users And Computers is not listed in the Administrative Tools of the Domain Controller, please see the following article in the Microsoft Knowledge Base:

230263 How to Create Custom MMC Snap-in Tools

Organizational Unit Controller Cannot Edit Group Policy Objects (233548)

SYMPTOMS

CAUSE

RESOLUTION

STATUS