Tip: Delegate Privileges for Group Policy Management

In Active Directory, administrators are automatically granted permissions for performing different Group Policy management tasks. Other individuals can be granted such permissions through delegation. Here’s how.

Assign GPO Creation Rights: Administrators
In Active Directory, administrators have the ability to create GPOs in domains, and anyone who has created a GPO in a domain has the right to manage that GPO. To determine who can create GPOs in a domain, follow these steps:

  1. In the GPMC, expand the entry for the forest you want to work with and then expand the related Domains node.
  2. Expand the node for the domain you want to work with. If you don’t see the domain you want to work with, right-click Domains and then click Show Domains. You can then select the domains you want to display.
  3. Select the Group Policy Objects node. The users and groups who can create GPOs in the selected domain are listed on the Delegation tab.

Assign GPO Creation Rights: Non-Administrative Users
You can allow a nonadministrative user or a group (including users and groups from other domains) to create GPOs (and thus implicitly grant them the ability to manage the GPOs they’ve created). To grant GPO creation permission to a user or group, follow these steps:

  1. In the GPMC, expand the entry for the forest you want to work with and then expand the related Domains node.
  2. Expand the node for the domain you want to work with. If you don’t see the domain you want to work with, right-click Domains and then click Show Domains. You can then select the domains you want to display.
  3. Select the Group Policy Objects node. In the right pane, select the Delegation tab. The current GPO creation permissions for individual users and groups are listed. To grant the GPO creation permission to another user or group, click Add.
  4. In the Select User, Computer, Or Group dialog box, select the user or group you want to grant permissions to and then click OK.

The list of users and groups on the Delegation tab is updated as appropriate. If you want to remove the GPO creation permission in the future, access the Delegation tab, click the user or group, and then click Remove.
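To review the same delegation outside the GPMC, the following added example (not from the book) reads the access control list on the domain's Policies container, where GPO objects are created, and lists every trustee allowed to create one. It assumes the ActiveDirectory PowerShell module is installed and is run against the current domain; the function name and the approved-trustee list are hypothetical and should be replaced with your own baseline.

```powershell
# Added example: audit who can create GPOs in the current domain.
Import-Module ActiveDirectory

# schemaIDGUID of the groupPolicyContainer class (the AD object behind each GPO)
$GpcClassGuid = [guid]'f30e3bc2-9ff0-11d1-b603-0000f80367c1'

function Get-GpoCreationTrustee {   # hypothetical helper name
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\CN=Policies,CN=System,$domainDN"

    $acl.Access | Where-Object {
        # Allow ACEs that apply to the container itself (not inherit-only)
        $_.AccessControlType -eq 'Allow' -and
        -not ($_.PropagationFlags -band
              [System.Security.AccessControl.PropagationFlags]::InheritOnly) -and
        # CreateChild is also part of GenericAll, so full control is caught too
        ($_.ActiveDirectoryRights -band
         [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
        # Scoped to GPO objects, or unscoped (may create any child object)
        ($_.ObjectType -eq $GpcClassGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object @{ n = 'Trustee'; e = { $_.IdentityReference.Value } },
                      ActiveDirectoryRights, IsInherited
}

# Constructed baseline for illustration only: replace with the trustees
# your organization has approved for GPO creation.
$Approved = @(
    'NT AUTHORITY\SYSTEM',
    'CONTOSO\Domain Admins',
    'CONTOSO\Group Policy Creator Owners'
)

$trustees = Get-GpoCreationTrustee
$trustees | Format-Table -AutoSize

# Report any trustee holding the right that is not in the approved baseline
$trustees | Where-Object { $Approved -notcontains $_.Trustee } |
    ForEach-Object { Write-Warning "Unapproved GPO creator: $($_.Trustee)" }
```

Running this on a schedule and comparing the output against the baseline shows when a GPO creation delegation has been added or removed since the last review.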

From Windows Group Policy Administrator’s Pocket Consultant by William Stanek.