Delegating Privileges for Group Policy Management

In Active Directory, administrators are automatically granted permissions for performing different Group Policy management tasks. Other individuals can be granted such permissions through delegation. In Active Directory, you delegate Group Policy management permissions for very specific reasons. You delegate to allow a user who is not a member of Enterprise Admins or Domain Admins to perform any or all of the following tasks:

  • View settings, change settings, delete a GPO, and modify security

  • Manage links to existing GPOs or generate RSoP

  • Create GPOs (and therefore also be able to manage any GPOs she has created)

The sections that follow explain how you can determine who has these permissions and how to grant these permissions to additional users and groups.

Determining and Assigning GPO Creation Rights

In Active Directory, administrators have the ability to create GPOs in domains, and anyone who has created a GPO in a domain has the right to manage that GPO. To determine who can create GPOs in a domain, follow these steps:

  1. Start the GPMC by clicking Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console. Or type gpmc.msc at a command prompt.

  2. Expand the entry for the forest you want to work with, expand the related Domains node, and then select the Group Policy Objects node.

  3. As shown in Figure 2-11, the users and groups who can create GPOs in the selected domain are listed on the Delegation tab.

    Figure 2-11. Checking permissions for GPO creation

You can allow a nonadministrative user or a group (including users and groups from other domains) to create GPOs (and thus implicitly grant them the ability to manage the GPOs they’ve created). To grant GPO creation permission to a user or group, follow these steps:

  1. Start the GPMC by clicking Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console. Or type gpmc.msc at a command prompt.

  2. Expand the entry for the forest you want to work with, expand the related Domains node, and then select the Group Policy Objects node.

  3. In the right pane, select the Delegation tab. The current GPO creation permissions for individual users and groups are listed. To grant the GPO creation permission to another user or group, click Add.

  4. In the Select User, Computer, Or Group dialog box, select the user or group and then click OK.

The options on the Delegation tab are updated as appropriate. If you want to remove the GPO creation permission in the future, access the Delegation tab, click the user or group, and then click Remove.

Determining Group Policy Management Privileges

The GPMC provides several ways to determine who has access permissions for Group Policy management. To determine Group Policy permissions for a specific site, domain, or OU, follow these steps:

  1. Start the GPMC by clicking Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console. Or type gpmc.msc at a command prompt.

  2. Expand the entry for the forest you want to work with, and then expand the related Domains or Sites node as appropriate.

  3. When you select the domain, site, or OU you want to work with, the right pane is updated with several tabs. Select the Delegation tab (shown in Figure 2-12).

    Figure 2-12. Checking permissions for sites, domains, or OUs

  4. In the Permission list, select the permission you want to check. The options are:

    • Link GPOs. The user or group can create and manage links to GPOs in the selected site, domain, or OU.

    • Perform Group Policy Modeling Analyses. The user or group can determine RSoP for the purposes of planning.

    • Read Group Policy Results Data. The user or group can determine RSoP that is currently being applied, for the purposes of verification or logging.

  5. The individual users or groups with the selected permissions are listed under Groups And Users.

To determine which users or groups have access to a particular GPO and what permissions have been granted to them, follow these steps:

  1. Start the GPMC by clicking Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console. Or type gpmc.msc at a command prompt.

  2. Expand the entry for the forest you want to work with, expand the related Domains node, and then select the Group Policy Objects node.

  3. When you select the GPO whose permissions you want to check, the right pane is updated with several tabs. Select the Delegation tab (shown in Figure 2-13).

    Figure 2-13. Checking permissions for specific GPOs

  4. The permissions for individual users and groups are listed. You’ll see three general types of allowed permissions:

    • Read. The user or group can view the GPO and its settings.

    • Edit Settings. The user or group can view the GPO and its settings. The user or group can also change settings—but not delete the GPO or modify security.

    • Edit Settings, Delete, Modify Security. The user or group can view the GPO and its settings. The user or group can also change settings, delete the GPO, and modify security.

Delegating Control for Working with GPOs

You can allow a nonadministrative user or a group (including users and groups from other domains) to work with a domain, site, or OU GPO by granting one of three specific permissions:

  • Read. Allows the user or group to view the GPO and its settings.

  • Edit Settings. Allows the user or group to view the GPO and its settings. The user or group can also change settings—but not delete the GPO or modify security.

  • Edit Settings, Delete, Modify Security. Allows the user or group to view the GPO and its settings. The user or group can also change settings, delete the GPO, and modify security.

To grant these permissions to a user or group, follow these steps:

  1. Start the GPMC by clicking Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console. Or type gpmc.msc at a command prompt.

  2. Expand the entry for the forest you want to work with, expand the related Domains node, and then select the Group Policy Objects node.

  3. Select the GPO you want to work with in the left pane. In the right pane, select the Delegation tab.

  4. The current permissions for individual users and groups are listed. To grant permissions to another user or group, click Add.

  5. In the Select User, Computer, Or Group dialog box, select the user or group and then click OK.

  6. In the Add Group Or User dialog box (shown in Figure 2-14), select the permission to grant: Read, Edit Settings, or Edit Settings, Delete, Modify Security. Click OK.

    Figure 2-14. Granting permission to the user or group

The options of the Delegation tab are updated to reflect the permissions granted. If you want to remove this permission in the future, access the Delegation tab, click the user or group, and then click Remove.
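As an added example (not from the book), the same GPO-level audit and delegation done from the GroupPolicy PowerShell module that ships with the GPMC and RSAT; the allow-list of expected full-control principals, the GPO name and the group name are assumptions of this example.

```powershell
Import-Module GroupPolicy

# Principals expected to hold full control on every GPO; adjust to your
# environment (an assumption of this example, not from the book).
$ExpectedFullControl = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'Group Policy Creator Owners')

function Get-GpoFullControlOutliers {
    # Reports every trustee holding the 'Edit Settings, Delete, Modify Security'
    # level on any GPO that is not on the allow-list. The cmdlets name the three
    # GPMC levels GpoRead, GpoEdit and GpoEditDeleteModifySecurity.
    param([string]$Domain = $env:USERDNSDOMAIN)
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
            Where-Object {
                $_.Permission -eq 'GpoEditDeleteModifySecurity' -and
                -not $_.Denied -and
                $ExpectedFullControl -notcontains $_.Trustee.Name
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo       = $gpo.DisplayName
                    Trustee   = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
                    Inherited = $_.Inherited
                }
            }
    }
}

function Grant-GpoEditOnly {
    # The scripted form of steps 3 to 6 above with 'Edit Settings' chosen: the
    # group can change settings but cannot delete the GPO or modify its security.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName,
        [string]$Domain = $env:USERDNSDOMAIN
    )
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoEdit -Domain $Domain | Out-Null
    # Read the level back so the delegation is verified rather than assumed.
    Get-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -Domain $Domain
}

# Usage (GPO and group names are hypothetical):
# Get-GpoFullControlOutliers | Format-Table
# Grant-GpoEditOnly -GpoName 'Workstation Baseline' -GroupName 'GPO-Editors'
```

Running the outlier report before and after a delegation change gives a record of who can alter policy that applies to every machine in scope, which the Delegation tab shows only one GPO at a time.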

Delegating Authority for Managing Links and RSoP

You can allow a nonadministrative user or a group (including users and groups from other domains) to manage GPO links and RSoP. The related permissions can be granted in any combination and are defined as follows:

  • Link GPOs. Allows the user or group to create and manage links to GPOs in the selected site, domain, or OU.

  • Perform Group Policy Modeling Analyses. Allows the user or group to determine RSoP for the purposes of planning.

  • Read Group Policy Results Data. Allows the user or group to determine RSoP that is currently being applied, for the purposes of verification or logging.

To grant these permissions to a user or group, follow these steps:

  1. Start the GPMC by clicking Start, Programs or All Programs, Administrative Tools, and then Group Policy Management Console. Or type gpmc.msc at a command prompt.

  2. Expand the entry for the forest you want to work with, and then expand the related Domains or Sites node as appropriate.

  3. In the left pane, select the domain, site, or OU you want to work with. In the right pane, select the Delegation tab.

  4. In the Permission list, select the permission you want to grant. The options are Link GPOs, Perform Group Policy Modeling Analyses, and Read Group Policy Results Data.

  5. The current permissions for individual users and groups are listed. To grant the selected permission to another user or group, click Add.

  6. In the Select User, Computer, Or Group dialog box, select the user or group and then click OK.

  7. In the Add Group Or User dialog box (shown in Figure 2-15), specify how the permission should be applied. To apply the permission to the current container and all child containers, select This Container And All Child Containers. To apply the permission only to the current container, select This Container Only. Click OK.

    Figure 2-15. Granting the permission to this container only or to the container and its child containers

The options of the Delegation tab are updated to reflect the permissions granted. If you want to remove this permission in the future, access the Delegation tab, click the user or group, and then click Remove.
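As an added example (not from the book), a read-only check that reads the GPO creation right from the earlier section and the three container permissions above back from the Active Directory ACLs that the Delegation tab writes, using the ActiveDirectory module; the GUIDs are resolved from the schema and extended-rights containers rather than hard-coded, and the container DN in the usage line is an assumption.

```powershell
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

function Get-SchemaGuid([string]$LdapDisplayName) {
    # schemaIDGUID of the class or attribute an object-specific ACE is scoped to
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext -Properties schemaIDGUID `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)"
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$Cn) {
    # rightsGuid of a control access right under CN=Extended-Rights
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(cn=$Cn)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

# How each permission is stored: a GUID-scoped ACE plus the AD right it needs.
$R = [System.DirectoryServices.ActiveDirectoryRights]
$Rights = @(
    @{ Name = 'Create GPOs';                            Guid = Get-SchemaGuid 'groupPolicyContainer';          Need = $R::CreateChild }
    @{ Name = 'Link GPOs';                              Guid = Get-SchemaGuid 'gPLink';                        Need = $R::WriteProperty }
    @{ Name = 'Perform Group Policy Modeling Analyses'; Guid = Get-ExtendedRightGuid 'Generate-RSoP-Planning'; Need = $R::ExtendedRight }
    @{ Name = 'Read Group Policy Results Data';         Guid = Get-ExtendedRightGuid 'Generate-RSoP-Logging';  Need = $R::ExtendedRight }
)

function Get-GpDelegation {
    # Lists who holds each right on a container: an OU, the domain, a site, or
    # CN=Policies,CN=System,<domain DN> for the GPO creation right. Reports only.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        foreach ($r in $Rights) {
            # An ACE confers the right if it is scoped to that GUID (or to all
            # objects, ObjectType = empty GUID) and carries the right or GenericAll.
            $scoped  = ($ace.ObjectType -eq $r.Guid) -or ($ace.ObjectType -eq [guid]::Empty)
            $granted = ([int]($ace.ActiveDirectoryRights -band $r.Need) -ne 0) -or
                       (($ace.ActiveDirectoryRights -band $R::GenericAll) -eq $R::GenericAll)
            if (-not ($scoped -and $granted)) { continue }
            [pscustomobject]@{
                Right = $r.Name; Trustee = $ace.IdentityReference.Value
                Type = $ace.AccessControlType; Inherited = $ace.IsInherited
            }
        }
    }
}
# Usage (DN is hypothetical): Get-GpDelegation 'OU=Workstations,DC=corp,DC=example' | Format-Table
```

Inherited rows show delegations that arrived from a parent through the This Container And All Child Containers choice, and Deny rows override the Allow rows above them.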
