Home  Tutorials  Active Directory

Delegation of Group Policy Full Administration (EN)

The management of group policies can be fully delegated to dedicated administrators without the need to add them as members of Domain Admins or Enterprise Admins Active Directory groups. This could be done by following this approach:


Delegate the creation of new Group Policies:


To be able to create new Group Policies, you can add the administrator(s) as member(s) of Group Policy Creator Owners group. Members of this group have the capability to create new group policies but would not be able to manage existing ones without explicitly granting the permission to do it.



Grant Modify permission on all new Group Policies:


So that your Group Policy administrator(s) would be able to modify all newly created Group Policies without the need to be the one who created them, you can update defaultSecurityDescriptor attribute for Group-Policy-Container class.


Below is how to proceed to do that:

  • Enable Schema Updates: You can do that by creating a DWORD registry entry named Schema Update Allowed under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters and setting its value to be equal to 1 on your Schema master





  • Do a right click on Group-Policy-Container class and then click on Properties



  • Add the following at the end of defaultSecurityDescriptor attribute value: (A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;SID)



Remark: "SID" is the Security Identifier of the Active Directory user or group that need to have Modify Permission on your new Group Policies. You can get it by running dsquery * -filter (sAMAccountName=value) -attr objectSID command where "value"is the sAMAccountName of the user / group.



Grant Modify permission on existing Group Policies:
Powershell script would be enough to grant Modify permission on your existing Group Policies to your administrator(s).

Below is a script that can be used:


$AllGPOs = Get-GPO -All
foreach ($GPO in $AllGPOs)
$Admin = "GPOAdmin"
Set-GPPermissions -Name $GPO.displayname.ToString() -TargetName $Admin -TargetType User -PermissionLevel GpoEditDeleteModifySecurity -Replace


Remark: You need to update $Admin variable value with the sAMAccountName of the Active Directory user or group that need to have Modify Permission on your existing Group Policies. Also, if you are adding a group, you need to update -TargetType switch to have Group as value.

Delegate the Management of Group Policy links on the domain level:

The delegation of the Management of Group Policy links could be easily done using Delegation of Control Wizard.



Delegation of Administration in Active Directory: http://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx