Ability to create GPOs, but only link them to specific OU

    Question

  • Hi guys,

    Running a 2008R2 domain.  I need to delegate the permissions to create new GPOs to a specific account, but I want that account to only be able to link them to a specific OU.  I know how to delegate the link permissions to specific OUs, but not how to delegate permissions to create GPOs without making the account a member of Group Policy Creator Owners, which would give it the ability to edit other GPOs.  If anyone knows a way I can delegate permissions to create new GPOs (but not edit existing GPOs), please let me know.  I was checking the User Rights Assignments in the Default Domain Controllers Policy, but not seeing the ability to add a user in there.

    Dan


    Dan Heim

    Monday, September 22, 2014 6:53 PM

Answers

  • Hi Dan,   

    If you want to delegate permissions to create GPOs, you can refer to the following steps:

    1. Open Group Policy Management.

    2. In the console tree, click Group Policy Objects in the forest and domain for which you want to delegate creation rights for Group Policy objects (GPOs).

    3. In the results pane, click the Delegation tab.

    4. Click Add.

    5. In the Select User, Computers, or Groups dialog box, click Object Types, select the types of objects to which you want to delegate creation rights for GPOs, and then click OK.

    6. Click Locations, select either Entire Directory or the domain or organizational unit containing the object to which you want to delegate creation rights, and then click OK.

    7. In the Enter the object name to select box, enter name of the object to which you want to delegate creation rights by doing one of the following:

    ◦ If you know the name, type it, and then click OK.

    ◦ To search for the name, click Advanced, enter the search criteria, click Find Now, select the name in the list box, click OK, and then click OK.

    Based on my test, after delegating creation of GPOs to a user by following above step, the user will not have permissions to edit the GPOs that are not created by himself.

    For more detailed information about delegating creation of GPOs, you can refer to the following link:

    Delegate creation of Group Policy objects using GPMC

    http://technet.microsoft.com/en-us/library/cc739363(v=ws.10).aspx#BKMK_Addgroup

    Best Regards,

    Erin

    • Marked as answer by DaveBryan37 Tuesday, September 23, 2014 5:11 PM
    Tuesday, September 23, 2014 10:59 AM
    Moderator

All replies

  • Hi Dan,

    You can delegate the following Group Policy tasks:

    • Creating GPOs
    • Managing individual GPOs (for example, granting Edit or Read access to a GPO)
    • Performing the following tasks on sites, domains, and OUs:

      • Managing Group Policy links for a given site, domain, or OU
      • Performing Group Policy Modeling analyses for objects in that container (not applicable for sites)
      • Reading Group Policy Results data for objects in that container (not applicable for sites)
    • Creating WMI filters
    • Managing and editing individual WMI filters

    Delegating Administration of Group Policy

    http://technet.microsoft.com/en-us/library/cc781991(v=ws.10).aspx

    *Delegating Creation of GPOs (Basically confirming what Erin said)

    Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only those GPOs that the user creates. Group Policy Creator Owner members do not have permissions for GPOs that they do not create.

    -Open GPMC
    -Select the 'Group Policy Objects' OU
    -Go to Delegation Tab
    -Click Add button and add the desired user\group

    The right to link GPOs is delegated separately from the right to create GPOs and the right to edit GPOs.

    *Allow user\group to Link GPO on only selective OU

    -Open GPMC
    -Select the OU
    -Go to Delegation Tab
    -Ensure Permission: 'Link GPOs' is selected
    -Click Add button and add the desired user\group

    It's your job to make sure this user is not part of any other group having full access (ones that are listed here or are subgroups, basically).

    ---------------------------------------------------------

    You might want to have a look at this as well.

    Microsoft Advanced Group Policy Management (AGPM) provides comprehensive change control, offline editing, and role-based delegation for Group Policy objects (GPOs). AGPM is available as part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance.

    NOTE: It's only available to Software Assurance customers.

    http://technet.microsoft.com/en-us/library/cc749396(v=ws.10).aspx

    http://technet.microsoft.com/en-in/windows/hh826067.aspx


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Tuesday, September 23, 2014 11:32 AM
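    The two delegations above (create GPOs on the Group Policy Objects container, link GPOs on one OU) are easy to set up and just as easy to widen by accident through group nesting. As an added example that is not code from this thread or from Microsoft, the read-only PowerShell audit below checks what a delegated account can actually do: whether it can create GPOs, whether it holds edit rights on any existing GPO, and on which containers it can link. It assumes the RSAT GroupPolicy and ActiveDirectory modules, a domain-joined admin session, and the placeholder values in $Account and $AllowedOU.

```powershell
# Added audit example, not from the thread. Placeholders: $Account (a user sAMAccountName) and $AllowedOU.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Account   = 'gpo-creator'                          # placeholder: the delegated user
$AllowedOU = 'OU=Workstations,DC=contoso,DC=com'    # placeholder: the only OU it should link to

# Schema GUIDs of the gPLink / gPOptions attributes and the groupPolicyContainer class.
$gpLink  = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'
$gpOpts  = [guid]'f30e3bbf-9ff0-11d1-b603-0000f80367c1'
$gpClass = [guid]'f30e3bc2-9ff0-11d1-b603-0000f80367c1'

# Rights can arrive through nested groups, so resolve the user plus transitive memberships
# (LDAP_MATCHING_RULE_IN_CHAIN) and match ACE trustees on bare sAMAccountNames.
$user     = Get-ADUser $Account
$groups   = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
$names    = @($user.SamAccountName) + @($groups | ForEach-Object SamAccountName)
$domainDN = (Get-ADDomain).DistinguishedName
$adRights = [System.DirectoryServices.ActiveDirectoryRights]

function Test-Trustee([string]$ntAccount) { ($ntAccount -split '\\')[-1] -in $names }

# 1. Creation right: a CreateChild ACE for groupPolicyContainer (or all classes) on CN=Policies.
$canCreate = (Get-Acl "AD:\CN=Policies,CN=System,$domainDN").Access | Where-Object {
    (Test-Trustee $_.IdentityReference.Value) -and
    $_.ActiveDirectoryRights.HasFlag($adRights::CreateChild) -and
    ($_.ObjectType -eq $gpClass -or $_.ObjectType -eq [guid]::Empty)
}
"Can create GPOs: $([bool]$canCreate)"

# 2. Edit rights on EXISTING GPOs: the delegate should hold none on GPOs it did not create.
foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All | Where-Object {
        (Test-Trustee "$($_.Trustee.Domain)\$($_.Trustee.Name)") -and
        $_.Permission -in @('GpoEdit','GpoEditDeleteModifySecurity','GpoCustom')
    } | ForEach-Object { "WARN edit rights on '$($gpo.DisplayName)' via $($_.Trustee.Name): $($_.Permission)" }
}

# 3. Link rights: WriteProperty on gPLink/gPOptions (or all properties) on the domain root and every OU.
$containers = @($domainDN) + @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)
foreach ($dn in $containers) {
    (Get-Acl "AD:\$dn").Access | Where-Object {
        (Test-Trustee $_.IdentityReference.Value) -and
        $_.ActiveDirectoryRights.HasFlag($adRights::WriteProperty) -and
        ($_.ObjectType -in @($gpLink, $gpOpts) -or $_.ObjectType -eq [guid]::Empty)
    } | ForEach-Object {
        $tag = if ($dn -eq $AllowedOU) { 'OK  ' } else { 'WARN' }
        "$tag link right on $dn via $($_.IdentityReference)"
    }
}
```

    Any WARN line means the account, directly or through a group, has more than the two rights the thread set out to grant; inherited ACEs from a parent OU show up here too, which is the usual way link rights leak beyond the intended OU.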
  • Thanks Erin,

    That is what I was looking for.


    Dan Heim

    Tuesday, September 23, 2014 5:11 PM