HOW TO: Delegate Authority for Editing a Group Policy Object (GPO)

Article ID: 221577
This article was previously published under Q221577

SUMMARY

Administrators can delegate the authority to create and manage Group Policy Objects (GPOs). This article describes how to accomplish this task.

Delegating Authority for Editing of a Group Policy Object

  1. Create an organizational unit (OU) and create a new GPO directly linked to this OU. This can be done by clicking Properties on the context menu of the OU, clicking the Group Policy tab in the Properties dialog box, and clicking the New button. Once the GPO has been created, launch the Delegation Wizard. The Delegation Wizard provides a step-by-step process in which specific functionality may be delegated easily, with a high degree of detail.

    NOTE: To start the Delegation Wizard, select the OU and right-click it. Then select Delegate Control. This starts the Delegation of Control Wizard.
  2. Directly access the security settings for the GPO itself, by clicking Properties on the context menu of the specific GPO, and clicking the Security tab. Add your non-administrator user to the list of users for whom security is defined.
  3. Grant your user the Full Control - Allow permission. Full Control gives the user the ability to write to the GPO and also to change security permissions on the GPO. If you want to prevent this user from setting security, you may decide to give them only the Write - Allow permission.

    You may also decide that the user should be exempt from the application of this policy, and this may be accomplished by clearing the Apply Group Policy - Allow privilege.
  4. To simplify administration for the user, launch the management console (Mmc.exe) and add the Group Policy snap-in. Browse for and add the GPO that you are configuring for delegation. Once this MMC session is appropriately configured, save the MMC session and give it to the user. The user can now use and administer their GPO with no additional setup.
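
The delegation in steps 1 to 3, scripted with the edit-only option from step 3, followed by a review of every GPO for trustees who hold edit rights. This is an added example, not part of the original article. It assumes the GroupPolicy PowerShell module (installed with GPMC/RSAT on later Windows versions, not Windows 2000), treats the GPMC levels GpoEdit and GpoEditDeleteModifySecurity as the closest equivalents of Write and Full Control, and uses hypothetical GPO, OU, and account names.

```powershell
# Added example, not from the original article. Requires the GroupPolicy module.
Import-Module GroupPolicy

# Hypothetical placeholders: replace with values from your own domain.
$GpoName  = 'Example-Delegated-GPO'
$OuDn     = 'OU=Example,DC=example,DC=com'
$Delegate = 'EXAMPLE\gpo-editor'     # the non-administrator user from step 2

# Step 1: create the GPO and link it to the OU, if it does not exist yet.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | New-GPLink -Target $OuDn | Out-Null
}

# Steps 2-3: grant edit rights only. GpoEdit lets the delegate change settings
# but not the GPO's security; GpoEditDeleteModifySecurity would also allow
# changing permissions, which is what step 3 warns about.
Set-GPPermission -Name $GpoName -TargetName $Delegate -TargetType User `
    -PermissionLevel GpoEdit | Out-Null

# Review: list every trustee that can edit any GPO in the domain.
# Assumption: these default trustee names are expected (English-locale names).
$expected   = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'
$editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'

$review = foreach ($gpo in Get-GPO -All) {
    foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
        $level = $ace.Permission.ToString()
        if ($editLevels -contains $level) {
            [pscustomobject]@{
                Gpo          = $gpo.DisplayName
                Trustee      = $ace.Trustee.Name
                Permission   = $level
                CanChangeAcl = ($level -eq 'GpoEditDeleteModifySecurity')
                Unexpected   = ($expected -notcontains $ace.Trustee.Name)
            }
        }
    }
}

# Delegated (non-default) editors first, then everything else.
$review | Sort-Object @{ Expression = 'Unexpected'; Descending = $true }, Gpo, Trustee |
    Format-Table -AutoSize
```

Rows with Unexpected set to True are the delegations to confirm; a True in CanChangeAcl on such a row means that trustee can also re-delegate the GPO.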

Properties

Article ID: 221577 - Last Review: October 30, 2006 - Revision: 2.1
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
Keywords: 
kbenv kbhowto kbhowtomaster KB221577
