Administrators can delegate the authority to create and manage Group Policy Objects (GPOs). This article describes how to accomplish this task.
- Create an organizational unit (OU) and create a new GPO directly linked to this OU. This can be done by clicking Properties on the context menu of the OU, clicking the Group Policy tab in the Properties dialog box, and clicking the New button. Once the GPO has been created, launch the Delegation Wizard. The Delegation Wizard provides a step-by-step process in which specific functionality may be delegated easily, with a high degree of detail.
NOTE: To start the Delegation Wizard, select the OU and right-click it. Then select Delegate Control. This starts the Delegation of Control Wizard.
- Directly access the security settings for the GPO itself, by clicking Properties on the context menu of the specific GPO, and clicking the Security tab. Add your non-administrator user to the list of users for whom security is defined.
- Provide your user Full Control - Allow privilege. Full Control provides the user the ability to write to the GPO, and also to change security permissions on the GPO. If you want to prevent this user from setting security, you may decide to give them only the Write - Allow permission
You may also decide that the user should be exempt from the application of this policy, and this may be accomplished by clearing the Apply Group Policy - Allow privilege.
- To simplify administration for the user, launch the management console (Mmc.exe) and add the Group Policy snap-in. Browse for and add the GPO that you are configuring for delegation. Once this MMC session is appropriately configured, save the MMC session and give to the user. The user can now utilize and administer their GPO with no additional setup.