Home 
Tutorials
Active Directory 
Delegation of Group Policy Full Administration (EN) |
The management of group
policies can be fully delegated to dedicated administrators without the
need to add them as members of Domain Admins or Enterprise Admins Active
Directory groups. This could be done by following this approach:
Delegate the creation of new Group Policies:
To be able to create new Group Policies, you can add
the administrator(s) as member(s) of Group Policy Creator Owners group. Members of
this group have the capability to create new group policies but would not be
able to manage existing ones without explicitly granting the permission to do
it.
|

|
Grant Modify permission on all new Group Policies:
So that your Group Policy administrator(s) would be able to modify all
newly created Group Policies without the need to be the one who created them,
you can update defaultSecurityDescriptor attribute for Group-Policy-Container
class.
Below is how to proceed to do that:
|

|
|

|
|

|
|

|
Remark: "SID" is the
Security Identifier of the Active Directory user or group that need to have
Modify Permission on your new Group Policies. You can get it by running dsquery *
-filter (sAMAccountName=value) -attr objectSID command
where "value"is the sAMAccountName of the user / group.
|

|
Grant Modify permission on existing Group Policies:
A Powershell
script would be enough to grant Modify permission on your existing Group
Policies to your administrator(s).
Below is a script that can be used:
|
$AllGPOs = Get-GPO -All
foreach ($GPO in $AllGPOs)
$Admin = "GPOAdmin"
{
Set-GPPermissions -Name $GPO.displayname.ToString() -TargetName $Admin
-TargetType User -PermissionLevel GpoEditDeleteModifySecurity -Replace
}
|
|
|
Remark: You need to
update $Admin variable value with the sAMAccountName of the Active
Directory user or group that need to have Modify Permission on your existing
Group Policies. Also, if you are adding a group, you need to update
-TargetType switch to have Group as value.
Delegate the Management of Group Policy links
on the domain level:
The delegation of the Management of Group Policy links could be
easily done using Delegation of Control Wizard.
|

|
Delegation of
Administration in Active Directory: http://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx
|
|
About Tunit
Tunit helps you plan your Microsoft systems integration and administration.
Certainly, having a good Management of your IT systems improve your Business performance while it can, when it is poorly managed, obstruct the responsiveness and efficiency of your organization. We are here to help you so do not hesitate to follow us.
View more
TUNIT © 2011 - MALEK Ahmed