Tip: Delegate Control to Users to Work with GPOs

You can allow a nonadministrative user or a group (including users and groups from other domains) to work with a domain, site, or OU GPO by granting one of three specific permissions:

Read: Allows the user or group to view the GPO and its settings.
Edit Settings: Allows the user or group to view the GPO and its settings and also change settings. The user or group cannot delete the GPO or modify security.
Edit Settings, Delete, Modify Security: Allows the user or group to view the GPO and its settings and also change settings, delete the GPO, and modify security.

To grant these permissions to a user or group, follow these steps:

  1. In the GPMC, expand the entry for the forest you want to work with and then expand the related Domains node.
  2. Expand the node for the domain you want to work with. If you don’t see the domain you want to work with, right-click Domains and then click Show Domains. You can then select the domains you want to display.
  3. Select the Group Policy Objects node, and then select the GPO you want to work with in the left pane. In the right pane, select the Delegation tab.
  4. The current permissions for individual users and groups are listed. To grant permissions to another user or group, click Add.
  5. In the Select User, Computer, Or Group dialog box, select the user or group and then click OK.
  6. In the Add Group Or User dialog box, select the permission to grant: Read; Edit Settings; or Edit Settings, Delete, Modify Security. Click OK.

The list of users and groups on the Delegation tab is updated to reflect the permissions granted. If you want to remove this permission in the future, display the Delegation tab, click the user or group, and then click Remove.
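
The same delegation can be granted and reviewed from PowerShell. The script below is an added example, not part of the original tip or the book; it assumes the GroupPolicy module that ships with GPMC/RSAT, and the GPO name and group name are hypothetical placeholders. It grants Edit Settings, lists what the Delegation tab would show, and then reports every trustee in the domain that holds one of the two write-capable permissions.

```powershell
# Added example: requires the GroupPolicy module (installed with GPMC/RSAT).
Import-Module GroupPolicy

# Hypothetical names; replace with your own GPO and group.
$GpoName = 'Example Workstation Policy'
$Group   = 'EXAMPLE\GPO Editors'

# GPMC labels from the tip mapped to the module's permission levels.
$Levels = @{
    'Read'                                   = 'GpoRead'
    'Edit Settings'                          = 'GpoEdit'
    'Edit Settings, Delete, Modify Security' = 'GpoEditDeleteModifySecurity'
}

# Steps 4-6 of the procedure: grant Edit Settings to the group.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel $Levels['Edit Settings'] | Out-Null

# Equivalent of reading the Delegation tab for this one GPO.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                  @{ n = 'Type';    e = { $_.Trustee.SidType } },
                  Permission, Inherited

# Audit: every trustee that can change settings or security on any GPO.
$Writable = 'GpoEdit', 'GpoEditDeleteModifySecurity'
$Report = foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $Writable -contains "$($_.Permission)" } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Trustee    = $_.Trustee.Name
                Domain     = $_.Trustee.Domain
                Permission = $_.Permission
            }
        }
}
$Report | Sort-Object Trustee, Gpo | Format-Table -AutoSize

# Equivalent of the Remove button; uncomment to revoke the delegation.
# Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
#     -PermissionLevel None | Out-Null
```

Entries in the report that are not expected administrative groups are the ones to review, since Edit Settings alone is enough to change what the GPO applies to every computer and user in its scope.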

From Windows Group Policy Administrator’s Pocket Consultant by William Stanek.