Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Server

Windows Server 2012 Group Policies and Policy Management : GPO Administrative Tasks - GPO Administrative Delegation

10/23/2013 1:53:32 AM
GPO administrative delegation is a process that administrators can follow to delegate permissions to specific users or configure security rights across all GPOs or specific GPOs and GPO-related tasks on specific Active Directory containers, such as sites, domains, and OUs.

GPO delegation or delegation of administration within Active Directory should only be used in organizations that have separate IT groups that manage the infrastructure and servers and other groups that manage the desktop and support the end user. If the IT group of an organization contains administrators who all perform GPO and Active Directory administration, adding a delegation model might not be necessary and can add unnecessary complexity.

All GPO administrative delegation tasks detailed in the following sections are performed using the Group Policy Management Console.

Delegating GPO Creation Rights

The right to create GPOs can be delegated only at the domain’s Group Policy Objects container and the Starter GPOs container. After a policy is created, though, the right to completely edit, modify security, and even delete the GPO can be granted on a per-GPO basis. To grant the right to create GPOs in a domain, follow these steps:

1. Log on to a designated administrative system running Windows Server 2012.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Group Policy Objects container and select it.

4. In the right pane, select the Delegation tab.

5. Click the Add button at the bottom of the pane.

6. Type in the name of the user account or security group, and click OK to apply the changes.

Alternatively, you could add the specific user or security group as a member of the Group Policy Creator Owners security group.

Delegating GPO Management Rights on Existing GPOs

After a group policy is created, it inherits a base set of administrative rights to completely edit the settings and modify the security of the policy. By default, administrative rights are granted to the Domain Admins, Enterprise Admins, and System objects. If the policy was created by a separate group or user that had been granted GPO creation rights, that object would also have these rights. If additional users or security groups need to be granted the right to edit the settings, manage the security, or delete a specific policy, follow these steps:

1. Log on to a designated administrative system running Windows Server 2012.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Group Policy Objects container and select it.

4. Expand the Group Policy Objects container to expose the domain GPOs.

5. Select the desired GPO and select the Delegation tab in the right pane.

6. At the bottom of the pane, click the Add button.

7. Type in the name of the specific user account or security group, and click OK.

8. In the Add Group or User window, click the Permissions drop-down arrow, and select the appropriate permission of Read, Edit Settings, or Edit Settings, Delete, Modify Security, and click OK to apply the changes.

Delegating GPO Administrative Tasks on Active Directory Containers

The GPMC enables administrators to delegate the rights to manage GPO links and perform testing and troubleshooting tasks at the site, domain, and OU container levels. To delegate GPO administrative rights over an Active Directory container, follow these steps:

1. Log on to a designated administrative workstation running Windows Server 2012.

2. Open the Group Policy Management Console.

3. Expand the Active Directory Forest container.

4. Select either the Domains or Sites node and expand it.

5. If the desired domain or site is not listed, right-click the node and select Show Domains or Show Sites and add the object as required.

6. Expand the Domains or Sites node to expose the container that will have the GPO delegation rights applied to it and select it.

7. In the right pane, select the Delegation tab.

8. On the Delegation tab, near the top of the pane, select the desired permission that will be delegated from the following options:

Link GPOs

Perform Group Policy Modeling Analyses

Read Group Policy Results Data

9. At the bottom of the pane, click the Add button.

10. Type in the name of the specific user account or security group and click OK.

11. In the Add Group or User window, click the Permissions drop-down arrow, and select the appropriate permission of This Container Only or This Container and All Child Containers, and click OK.


Note

Even though the right to perform Group Policy Modeling and view results data can be delegated at a container level, if the task is not performed on the domain controller, the user or group will also need to be a member of the domain’s Distributed COM Users security group.


Other -----------------
- Windows Server 2012 Group Policies and Policy Management : GPO Administrative Tasks - Troubleshooting Group Policies
- Windows Server 2012 Group Policies and Policy Management : GPO Administrative Tasks - Backing Up and Restoring Domain GPOs
- Windows Server 2012 Group Policies and Policy Management : GPO Administrative Tasks - Creating and Linking WMI Filters to GPOs
- Windows Server 2012 Group Policies and Policy Management : GPO Administrative Tasks - Creating and Using Starter GPOs
- Windows Server 2012 Group Policies and Policy Management : GPO Administrative Tasks - Creating a GPO Central Store
- Windows Server 2012 Group Policies and Policy Management : Designing a Group Policy Infrastructure
- Microsoft Lync Server 2013 : Deploying Lync Online - Configuring an Auto Attendant Number
- Microsoft Lync Server 2013 : Deploying Lync Online - Enabling Users for Exchange UM, Configuring a Subscriber Access Number
- Microsoft Lync Server 2013 : Deploying Lync Online - Configuring Lync-to-Phone, Creating a SIP URI Dial Plan
- Microsoft Lync Server 2013 : Deploying Lync Online - Configuring Dial-in Conferencing, Configuring Lync Properties for User Accounts
 
 
Top 10 video Game
-   Heroes Charge - Trio VW + EB + SIL vs WC FD CW EB Com
-   PlanetSide 2 | PS4 Launch Trailer 'Redefining Massive Warfare
-   DRIVECLUB | PS4 All-Action Trailer
-   Wave of Darkness [PC] Early Access Trailer
-   Tony Hawk's Pro Skater 5 | "THPS is Back" Trailer
-   Poly Bridge [PC] Trailer
-   Persona 5 | Leaked Trailer 2 w/ Dancing All Night
-   Evolve [PS4/XOne/PC] Lennox Gameplay Trailer
-   Lexus Slide | Real, rideable hoverboard
-   Gears of War: Ultimate Edition | Teaser Video
-   Rise of Incarnates [PC] Zeus Trailer
-   Heroes Reborn | The Extraordinary Among Us (Preview)
-   Battleborn | E3 2015 Gameplay Demo
-   Fortnite [PC] Mac Showcase Trailer
-   Overwatch [PC] Zarya Gameplay Trailer
Popular tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 windows Phone 7 windows Phone 8
programming4us programming4us
 
Popular keywords
HOW TO Swimlane in Visio Visio sort key Pen and Touch Creating groups in Windows Server Raid in Windows Server Exchange 2010 maintenance Exchange server mail enabled groups Debugging Tools Collaborating
programming4us programming4us
PS4 game trailer XBox One game trailer
WiiU game trailer 3ds game trailer
Trailer game
 
programming4us
Heroes Charge
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Game Trailer