GPO administrative delegation is the process by which administrators grant specific users or groups permissions over all GPOs, over individual GPOs, or over GPO-related tasks on specific Active Directory containers, such as sites, domains, and OUs.
GPO delegation, or delegation of administration within Active Directory, should be used only in organizations that have separate IT groups: one that manages the infrastructure and servers, and others that manage the desktops and support end users. If an organization's IT group consists of administrators who all perform GPO and Active Directory administration, adding a delegation model might not be necessary and can add unnecessary complexity.
All GPO administrative delegation tasks detailed in the following sections are performed using the Group Policy Management Console (GPMC).
Delegating GPO Creation Rights
The right to create GPOs can be delegated only at the domain's Group Policy Objects container and the Starter GPOs container. After a policy is created, though, the right to completely edit it, modify its security, and even delete it can be granted on a per-GPO basis. To grant the right to create GPOs in a domain, follow these steps:
1. Log on to a designated administrative system running Windows Server 2012.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Group Policy Objects container and select it.
4. In the right pane, select the Delegation tab.
5. Click the Add button at the bottom of the pane.
6. Type in the name of the user account or security group, and click OK to apply the changes.
Alternatively, you could add the specific user or security group as a member of the Group Policy Creator Owners security group.
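The same delegation can be performed and, more importantly for a defender, audited from PowerShell. The following is an added example (not code from the book): it grants GPO creation rights through the Group Policy Creator Owners group, then lists every principal that can create GPOs in the domain, whether through that group or through a direct ACE on the Policies container. It assumes the ActiveDirectory module (RSAT) and a hypothetical group named GPO-Authors; run it as a domain administrator.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module and a
# hypothetical group "GPO-Authors".
Import-Module ActiveDirectory

$DelegateGroup = 'GPO-Authors'   # assumed group name

# 1. Grant the right by membership in the built-in Group Policy Creator Owners group.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $DelegateGroup

# 2. Audit: who can create GPOs? Two sources:
#    (a) members of Group Policy Creator Owners, and
#    (b) any ACE on CN=Policies,CN=System,<domain> that allows CreateChild
#        for the groupPolicyContainer class (or for all classes).
$domainDN = (Get-ADDomain).DistinguishedName
$rootDse  = Get-ADRootDSE
$policies = "CN=Policies,CN=System,$domainDN"

# Resolve the groupPolicyContainer class GUID from the schema instead of hardcoding it.
$gpcClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
$gpcGuid  = [guid]$gpcClass.schemaIDGUID

function Get-GpoCreators {
    # (a) group membership, expanded through nested groups
    Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
        ForEach-Object {
            [pscustomobject]@{ Principal = $_.SamAccountName; Source = 'Group Policy Creator Owners' }
        }

    # (b) direct ACEs on the Policies container
    $acl = Get-Acl -Path "AD:\$policies"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
            ($_.ObjectType -eq $gpcGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        ForEach-Object {
            [pscustomobject]@{ Principal = $_.IdentityReference.Value; Source = 'ACE on CN=Policies' }
        }
}

# Anything outside the expected set (Domain Admins, Enterprise Admins, SYSTEM,
# Group Policy Creator Owners and your intended delegates) deserves a look:
# a principal that can create GPOs can also link and edit the ones it creates.
Get-GpoCreators | Sort-Object Principal -Unique | Format-Table -AutoSize
```

The audit half is the part worth scheduling: the Group Policy Creator Owners membership is visible in GPMC, but a CreateChild ACE added directly to the Policies container is not shown on any Delegation tab and is only found by reading the container's ACL.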
Delegating GPO Management Rights on Existing GPOs
After a GPO is created, it receives a default set of administrative rights that allow complete editing of its settings and modification of its security. By default, these rights are granted to Domain Admins, Enterprise Admins, and System. If the policy was created by a separate group or user that had been granted GPO creation rights, that group or user also holds these rights on the policy. If additional users or security groups need the right to edit the settings, manage the security, or delete a specific policy, follow these steps:
1. Log on to a designated administrative system running Windows Server 2012.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Group Policy Objects container and select it.
4. Expand the Group Policy Objects container to expose the domain GPOs.
5. Select the desired GPO and select the Delegation tab in the right pane.
6. At the bottom of the pane, click the Add button.
7. Type in the name of the specific user account or security group, and click OK.
8. In the Add Group or User window, click the Permissions drop-down arrow, select the appropriate permission (Read; Edit Settings; or Edit Settings, Delete, Modify Security), and click OK to apply the changes.
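The three permission levels on the Delegation tab correspond directly to the -PermissionLevel values of the GroupPolicy module's Set-GPPermission cmdlet. The following added example (not code from the book) grants a group Edit Settings on one GPO, reads the permission back, and then audits every GPO in the domain for principals beyond the defaults that hold edit or higher rights. It assumes the GroupPolicy module (installed with GPMC) and hypothetical names: a GPO called "Workstation Baseline" and a group called Desktop-Admins.

```powershell
# Added example, not from the book. Assumes the GroupPolicy module and the
# hypothetical GPO "Workstation Baseline" and group "Desktop-Admins".
Import-Module GroupPolicy

$GpoName = 'Workstation Baseline'   # assumed
$Group   = 'Desktop-Admins'         # assumed

# -PermissionLevel maps onto the GPMC Delegation tab:
#   GpoRead                     -> Read
#   GpoEdit                     -> Edit Settings
#   GpoEditDeleteModifySecurity -> Edit Settings, Delete, Modify Security
# The last level also lets the holder re-delegate the GPO, so grant it sparingly.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# Confirm exactly what the group now holds on this GPO.
Get-GPPermission -Name $GpoName -TargetName $Group -TargetType Group |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited

# Audit: for every GPO, list trustees with edit or higher that are not among
# the principals GPMC grants by default. GpoCustom marks an ACL that no longer
# matches a standard level, which is itself worth reviewing.
$defaultTrustees = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')
$editLevels      = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

function Get-NonDefaultGpoEditors {
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object {
                $editLevels -contains $_.Permission.ToString() -and
                $defaultTrustees -notcontains $_.Trustee.Name
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    Permission = $_.Permission
                }
            }
    }
}

Get-NonDefaultGpoEditors | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Run the audit function on a schedule and compare its output against the delegation model you intended; a GPO whose editors include an unexpected group is a change-control failure at best, and a GPO linked to a domain or domain controllers OU that an ordinary group can edit is a direct path to privileged code execution.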
Delegating GPO Administrative Tasks on Active Directory Containers
The GPMC enables administrators to delegate the rights to manage GPO links and to perform testing and troubleshooting tasks at the site, domain, and OU container levels. To delegate GPO administrative rights over an Active Directory container, follow these steps:
1. Log on to a designated administrative workstation running Windows Server 2012.
2. Open the Group Policy Management Console.
3. Expand the Active Directory Forest container.
4. Select either the Domains or Sites node and expand it.
5. If the desired domain or site is not listed, right-click the node, select Show Domains or Show Sites, and add the object as required.
6. Expand the Domains or Sites node to expose the container that will have the GPO delegation rights applied to it and select it.
7. In the right pane, select the Delegation tab.
8. On the Delegation tab, near the top of the pane, select the permission to be delegated from the following options:
   Link GPOs
   Perform Group Policy Modeling Analyses
   Read Group Policy Results Data
9. At the bottom of the pane, click the Add button.
10. Type in the name of the specific user account or security group and click OK.
11. In the Add Group or User window, click the Permissions drop-down arrow, select the appropriate permission (This Container Only, or This Container and All Child Containers), and click OK.
Note
Even though the right to perform Group Policy Modeling and to view results data can be delegated at a container level, if the task is not performed on the domain controller, the user or group will also need to be a member of the domain's Distributed COM Users security group.
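Unlike per-GPO permissions, the container-level rights on the Delegation tab are ordinary ACEs on the site, domain, or OU object: Link GPOs is read/write access to the gPLink and gPOptions attributes, and the two modeling and results rights are the extended rights Generate Resultant Set of Policy (Planning) and (Logging). The following added example (not code from the book) writes those ACEs to an OU with the ActiveDirectory module, adds the group to Distributed COM Users as the note above requires, and reads the resulting ACEs back. All GUIDs are looked up from the schema and configuration partitions rather than hardcoded. The OU path OU=Workstations,DC=corp,DC=example and the group Desktop-Admins are assumptions.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module, a
# hypothetical OU "OU=Workstations,DC=corp,DC=example" and group "Desktop-Admins".
Import-Module ActiveDirectory

$TargetOU = 'OU=Workstations,DC=corp,DC=example'   # assumed
$Group    = 'Desktop-Admins'                        # assumed
# 'None' = This Container Only; 'All' = This Container and All Child Containers
$Scope    = 'All'

$rootDse = Get-ADRootDSE
$sid     = (Get-ADGroup -Identity $Group).SID

# Resolve attribute and extended-right GUIDs from the directory.
function Get-AttributeGuid([string]$ldapName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -Filter "displayName -eq '$displayName'" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Scope
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rw      = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
           [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ext     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$rules = @(
    # Link GPOs: read/write the gPLink and gPOptions attributes
    foreach ($attr in 'gPLink', 'gPOptions') {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $rw, $allow, (Get-AttributeGuid $attr), $inherit)
    }
    # Perform Group Policy Modeling Analyses / Read Group Policy Results Data
    foreach ($right in 'Generate Resultant Set of Policy (Planning)',
                       'Generate Resultant Set of Policy (Logging)') {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $ext, $allow, (Get-ExtendedRightGuid $right), $inherit)
    }
)

$acl = Get-Acl -Path "AD:\$TargetOU"
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Per the note above: modeling and results run from a member workstation
# also need membership in the domain's Distributed COM Users group.
Add-ADGroupMember -Identity 'Distributed COM Users' -Members $Group

# Verification: read back what the group now holds on the OU.
function Get-GroupAcesOnOU([string]$ou, [string]$groupName) {
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference -like "*\$groupName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
}
Get-GroupAcesOnOU -ou $TargetOU -groupName $Group | Format-Table -AutoSize
```

Because these rights live in the OU's ACL, the same Get-Acl read-back is how you detect delegation that was never made through GPMC: a principal with WriteProperty on gPLink for an OU can attach any GPO it can edit to every computer and user beneath that OU, so reviewing gPLink write access across OUs belongs in the same audit as the per-GPO permission review.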