All DCs: Windows 2003 SP2
DFL & FFL at Windows 2003
In our environment we have 500+ GPOs. I want to know which groups/users have been given rights to edit GPOs, and we need this list for each GPO.
Secondary question would be how do we change those rights through script.
Can it be done through script?
The Group Policy Management Console provides an API (see http://msdn.microsoft.com/en-us/library/dd901424(VS.85).aspx) that you can use to do what you want. There are a number of Powershell cmdlets that call these APIs, so if you're comfortable using Powershell you may be home free.
Here's an out-of-date article re: managing Group Policy using Powershell: http://technet.microsoft.com/en-us/magazine/2007.05.grouppolicy.aspx (I say "out-of-date" because there are new APIs and cmdlets available, per the previous link, that this article doesn't cover.)
You can look at the "permissions" on each GP by navigating to Group Policy Objects in the GPMC, selecting a GPO and clicking the delegation tab in the right pane.
I have no idea if this is scriptable.
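The GPMC API the answer points at is wrapped by the GroupPolicy module's Get-GPPermission and Set-GPPermission cmdlets. The script below is an added example, not code from the answer above: it produces the per-GPO list of trustees that the question asks for, flags the ones that can edit, and shows the scripted change asked about in the secondary question. It assumes the module is available (it ships with RSAT on Windows 7 / Windows Server 2008 R2 or later and can manage a Windows 2003 domain; it does not run on the 2003 DCs themselves), and the report path, the "CONTOSO\GPO Editors" group and the "CONTOSO\jdoe" account are placeholders.

```powershell
# Added example, not code from the original answer. Assumes the GroupPolicy
# module (RSAT on Windows 7 / Server 2008 R2 or later) pointed at the Windows
# 2003 domain. Report path, group and user names are assumptions.
Import-Module GroupPolicy

# Permission levels that GPMC reports as granting edit rights. GpoCustom is an
# ACE GPMC cannot map to a standard level (shown as "Custom" in the Delegation
# tab) and should be reviewed by hand.
$editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
        $perm | Select-Object `
            @{ n = 'GPO';        e = { $gpo.DisplayName } },
            @{ n = 'GpoId';      e = { $gpo.Id } },
            @{ n = 'Trustee';    e = { "$($perm.Trustee.Domain)\$($perm.Trustee.Name)" } },
            @{ n = 'Type';       e = { $perm.Trustee.SidType } },
            @{ n = 'Permission'; e = { $perm.Permission } },
            @{ n = 'Denied';     e = { $perm.Denied } },
            @{ n = 'CanEdit';    e = { (-not $perm.Denied) -and ($editLevels -contains [string]$perm.Permission) } },
            @{ n = 'Review';     e = { [string]$perm.Permission -eq 'GpoCustom' } }
    }
}

# Who can edit each GPO, plus custom ACEs that need a manual look; full report to CSV
$report | Where-Object { $_.CanEdit -or $_.Review } |
    Sort-Object GPO, Trustee |
    Format-Table GPO, Trustee, Permission, Review -AutoSize
$report | Export-Csv -Path 'C:\Temp\GpoPermissions.csv' -NoTypeInformation

# Secondary question: change rights by script. Grants edit on every GPO whose
# name starts with "Workstation" to a delegated group and strips an individual
# account. -PermissionLevel None removes the trustee; -Replace is needed when
# lowering a trustee that already holds a higher level.
$apply = $false   # flip to $true after reviewing the report
if ($apply) {
    foreach ($gpo in Get-GPO -All | Where-Object { $_.DisplayName -like 'Workstation*' }) {
        Set-GPPermission -Guid $gpo.Id -TargetName 'CONTOSO\GPO Editors' -TargetType Group -PermissionLevel GpoEdit
        Set-GPPermission -Guid $gpo.Id -TargetName 'CONTOSO\jdoe' -TargetType User -PermissionLevel None -Replace
    }
}
```

Run it under an account that can read every GPO (members of Domain Admins or Group Policy Creator Owners typically can); a GPO the account cannot read simply comes back with an error from Get-GPPermission and is missing from the report, so check the error stream before trusting the CSV as complete.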
You can look at the folder permissions on the parent folder for each GPO (scriptable with cacls or xcacls) to see the NTFS permissions on the folder where each GPO's components are stored. Since a portion of every GPO (the GPO template) is made up of file system objects processed by the group policy client side extensions, the NTFS permissions listed should be a reflection of the permissions that each user\group has on the GPO (Read, Edit, etc.). Any entity listed with Full permission can Edit, Delete, and Modify security on the GPO. Any entity listed with Read permission can read the GPO (apply the GPO's settings). Any entity listed with Special access can edit the GPO.
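The SYSVOL approach in the answer above works against Windows 2003 DCs with nothing more than PowerShell 2.0, because it only reads NTFS ACLs and LDAP. The script below is an added example, not code from that answer: it walks the GUID folders under SYSVOL\...\Policies, resolves each to its display name through the groupPolicyContainer object in AD, and flags Allow ACEs whose rights would let the trustee change the template (WriteData, Delete, ChangePermissions, TakeOwnership, or generic write/all bits, which GPMC shows as "Special"). It assumes SYSVOL is reachable as \\<dns domain>\SYSVOL\<dns domain>\Policies and that the CSV path is arbitrary. One caveat the answer does not mention: the template folder is only half of a GPO; the container object in AD carries its own ACL, and GPMC's Delegation tab reflects both, so treat this list as a cross-check rather than the final word.

```powershell
# Added example, not code from the original answer. Assumptions: SYSVOL is at
# \\<domain>\SYSVOL\<domain>\Policies, the running account can read those
# folders' ACLs and the GPO containers in AD, and the CSV path is arbitrary.
# Needs only PowerShell 2.0; no GroupPolicy module, so it runs against 2003 DCs.
$domainDns  = $env:USERDNSDOMAIN
$policyRoot = "\\$domainDns\SYSVOL\$domainDns\Policies"

# Resolve a "{GUID}" folder name to the GPO display name via LDAP. Falls back
# to the GUID when the container is missing (an orphaned SYSVOL folder).
function Get-GpoDisplayName {
    param([string]$GuidName)
    $searcher = [adsisearcher]"(&(objectClass=groupPolicyContainer)(name=$GuidName))"
    $result = $searcher.FindOne()
    if ($result -and $result.Properties['displayname'].Count -gt 0) {
        [string]$result.Properties['displayname'][0]
    } else {
        $GuidName
    }
}

# NTFS rights that let a trustee alter the template, hence edit the GPO.
# Modify and FullControl both include these bits.
$fsr      = [System.Security.AccessControl.FileSystemRights]
$editBits = [int]($fsr::WriteData) -bor [int]($fsr::Delete) -bor
            [int]($fsr::ChangePermissions) -bor [int]($fsr::TakeOwnership)
# GENERIC_WRITE (0x40000000) | GENERIC_ALL (0x10000000): raw bits that show as "Special"
$genericEdit = 0x50000000

$report = foreach ($dir in Get-ChildItem -Path $policyRoot |
          Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]+\}$' }) {
    $gpoName = Get-GpoDisplayName -GuidName $dir.Name
    foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
        $mask = [int]$ace.FileSystemRights
        $grantsEdit = (($mask -band $editBits) -ne 0) -or (($mask -band $genericEdit) -ne 0)
        New-Object PSObject -Property @{
            GPO       = $gpoName
            Folder    = $dir.Name
            Trustee   = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            # Deny ACEs never grant anything; only Allow entries with write bits count
            CanEdit   = ($ace.AccessControlType -eq 'Allow') -and $grantsEdit
        }
    }
}

$report | Where-Object { $_.CanEdit } | Sort-Object GPO, Trustee |
    Format-Table GPO, Trustee, Rights -AutoSize
$report | Export-Csv -Path 'C:\Temp\GpoSysvolAcls.csv' -NoTypeInformation
```

Because every GPO folder under Policies inherits the same default ACL from its parent, the interesting rows are the non-inherited Allow entries (Inherited -eq $false); those are the per-GPO delegations someone added deliberately, which is what the question is really after.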