Delegate Permissions to Link Group Policy Objects
Applies To: Windows Server 2008
To delegate permissions to link Group Policy objects
In the Group Policy Management Console (GPMC) console tree, do one of the following:
To delegate permission to link Group Policy objects (GPOs) to either the domain or an organizational unit (OU), click the domain or the OU.
To delegate permission to link GPOs to a site, click the site.
In the results pane, click the Delegation tab.
In the Permission drop down-list box, select Link GPOs. Click Add.
In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects to which you want to delegate permissions for the domain, site, or OU, and then click OK.
Click Locations, select either Entire Directory or the domain or OU containing the object to which you want to delegate permissions, and then click OK.
In the Enter the object name to select box, enter the name of the object to which you want to delegate permissions by doing one of the following:
If you know the name, type it and then click OK.
To search for the name, click Advanced, enter the search criteria, click Find Now, select the name in the list box, click OK, and then click OK again.
In the Add Group or User dialog box, in the Permissions drop-down list, select the level to which you want permissions to apply for this group or user, and then click OK.
To delegate permissions to link GPOs to a site, domain, or OU, you must have Modify Permissions on that site, domain, or OU. By default, only Domain Administrators and Enterprise Administrators have this permission.
Users and groups with permission to link GPOs to a specific site, domain, or OU can link GPOs, change link order, and set block inheritance on that site, domain, or OU.
You cannot remove groups and users that inherit permissions from a parent container.
Some entries in the Groups and users drop-down list, such as System, do not have an associated property dialog box, so Properties is unavailable for these entries.