Home

Tutorials

Active Directory

Delegation of Group Policy Full Administration (EN)

The management of group policies can be fully delegated to dedicated administrators without the need to add them as members of Domain Admins or Enterprise Admins Active Directory groups. This could be done by following this approach:

Delegate the creation of new Group Policies:

To be able to create new Group Policies, you can add the administrator(s) as member(s) of Group Policy Creator Owners group. Members of this group have the capability to create new group policies but would not be able to manage existing ones without explicitly granting the permission to do it.

Grant Modify permission on all new Group Policies:

So that your Group Policy administrator(s) would be able to modify all newly created Group Policies without the need to be the one who created them, you can update defaultSecurityDescriptor attribute for Group-Policy-Container class.

Below is how to proceed to do that:

Enable Schema Updates: You can do that by creating a DWORD registry entry named Schema Update Allowed under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters and setting its value to be equal to 1 on your Schema master

Use ADSI Edit administrative tool and connect to Schema Naming Context

Do a right click on Group-Policy-Container class and then click on Properties

Add the following at the end of defaultSecurityDescriptor attribute value: (A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;SID)

Remark: "SID" is the Security Identifier of the Active Directory user or group that need to have Modify Permission on your new Group Policies. You can get it by running dsquery * -filter (sAMAccountName=value) -attr objectSID command where "value"is the sAMAccountName of the user / group.

Grant Modify permission on existing Group Policies:
A Powershell script would be enough to grant Modify permission on your existing Group Policies to your administrator(s).

Below is a script that can be used:

$AllGPOs = Get-GPO -All
foreach ($GPO in $AllGPOs)
$Admin = "GPOAdmin"
{
Set-GPPermissions -Name $GPO.displayname.ToString() -TargetName $Admin -TargetType User -PermissionLevel GpoEditDeleteModifySecurity -Replace
}

Remark: You need to update $Admin variable value with the sAMAccountName of the Active Directory user or group that need to have Modify Permission on your existing Group Policies. Also, if you are adding a group, you need to update -TargetType switch to have Group as value.

Delegate the Management of Group Policy links on the domain level:

The delegation of the Management of Group Policy links could be easily done using Delegation of Control Wizard.

Delegation of Administration in Active Directory: http://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx

The latest tutorials

23/03/2019 How to identify active hosts in your networks and perform horizontal TCP port scans

06/03/2019 Stop perfecting your Active Directory Domain Services Password / Lockout Policies – It is time to invest on Multi-Factor Authentication and Compensating Controls

09/02/2019 An Effective Approach to Protect Administrative Accesses to Your Datacenters and Cloud Resources

17/01/2019 How to create a Lag Site for your Active Directory Domain Services setup

About Tunit

Tunit helps you plan your Microsoft systems integration and administration.

Certainly, having a good Management of your IT systems improve your Business performance while it can, when it is poorly managed, obstruct the responsiveness and efficiency of your organization. We are here to help you so do not hesitate to follow us.

View more