Applies to: Group Policy Management Console on Windows Server
Question:
How can users be given permissions to manage Group Policies, without becoming a member of the "Domain Administrators" group?
Answer:
This can be done inside the Group Policy Management Console:
- Navigate to "Group Policy Objects" under the domain on the left side while in the management console.
- After clicking on "Group Policy Objects," click on the "Delegation" tab in the right window.
- Click on "Add...", search for a group or user within your domain, and click "OK."
- That user or group will now have privileges to create GPOs in the domain.
Now, in order for that same group or user to have permission to link GPOs to OUs or Containers, they will need to be granted that permission as well. This can also be done within the Group Policy Management Console:
- In the window pane on the left side of the console, click on the OU or Container to which access needs to be given.
- Note: If control needs to be given for the whole domain, click on the domain name under "Domains."
- Click on the "Delegation" tab in the window pane on the right side of the console.
- Click on "Add..." and search for the user or group in the domain.
- Choose the permissions for the selected user or group.
- Note: If control needs to be given to just the OU or Container, choose "This Container Only." If control needs to be delegated to manage the OU in question, and all OUs within it, choose "This container and all child containers." This is the option you want to choose to give delegation rights to a user or group to link objects to any OU or Container under "Domains."
- Click "OK."
- This user or group can now link policy objects to the specified container(s) or OU(s).
The end result of doing this will be a user or group that can now create and link group policy objects to a container or OU within the organization.
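To review the result of both delegations, the following PowerShell sketch lists which principals can create GPOs and which can link them at the domain root and on each OU. It is an added example, not part of the original article. It assumes the RSAT ActiveDirectory module, and it assumes that the "create GPOs" delegation shows up as a create-child right on the domain's CN=Policies container under the System container and that the link delegation shows up as write access to the gPLink attribute.

```powershell
# Added example: audit the two delegations described above (read-only).
# Assumption: run on a domain-joined host with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$schemaNc    = (Get-ADRootDSE).schemaNamingContext
$adr         = [System.DirectoryServices.ActiveDirectoryRights]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Resolve schema GUIDs at run time rather than hard-coding them.
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}

# Return Allow ACEs on $Dn that grant $Right either on everything
# (empty ObjectType) or specifically on $ObjectGuid. ACEs that are
# inherit-only do not apply to $Dn itself and are skipped.
function Get-DelegatedAce([string]$Dn, $Right, [guid]$ObjectGuid) {
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        -not ($_.PropagationFlags -band $inheritOnly) -and
        ($_.ActiveDirectoryRights -band $Right) -and
        ($_.ObjectType -in [guid]::Empty, $ObjectGuid)
    } | Select-Object @{n='Target';e={$Dn}}, IdentityReference,
                      ActiveDirectoryRights, IsInherited
}

# 1. Create GPOs: create-child for groupPolicyContainer on CN=Policies.
$policiesDn = "CN=Policies,$($domain.SystemsContainer)"
$creators = Get-DelegatedAce $policiesDn ($adr::CreateChild) `
                (Get-SchemaGuid 'groupPolicyContainer')

# 2. Link GPOs: write access to gPLink on the domain root and every OU.
#    (Other containers are not enumerated here.)
$gpLink  = Get-SchemaGuid 'gPLink'
$targets = @($domain.DistinguishedName) +
           @((Get-ADOrganizationalUnit -Filter *).DistinguishedName)
$linkers = foreach ($t in $targets) {
    Get-DelegatedAce $t ($adr::WriteProperty) $gpLink
}

'Principals that can create GPOs:'
$creators | Format-Table -AutoSize
'Principals that can link GPOs:'
$linkers | Format-Table -AutoSize
```

Built-in administrative principals appear in the output alongside anything delegated through the console, so compare the list against the users and groups that were intentionally added.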