Delegating a Group Policy Object to a Security Group

In this exercise, we will create a special group (GPO-Admins-ATL) to administer group policies and GPOs for one of the geographic OUs (the Atlanta OU). We will grant permission to create, link, delete, and generate GPOs.

1. First, we need to download and install the Group Policy Management Console (gpmc.msi). Download the file from = C355B04F-50CE-42C7-A401-30BE1EF647EA&displaylang = en.

2. Once installation is complete, we work from Active Directory Users and Computers to create the necessary OU structure. Choose Start | All Programs | Administrative Tools | Active Directory Users and Computers.

3. Create an OU structure as shown in Figure 4.11.

Figure 4.11 The Atlanta OU Structure

[Figure: Active Directory Users and Computers, with the Atlanta OU containing the Sales-ATL, Marketing-ATL, and ProductSupport-ATL organizational units]

4. Now create a new domain global security group for the GPO-Admins-ATL group. Right-click the Atlanta OU, then select New | Group. Create the GPO-Admins-ATL global group.

5. Click OK to finish creating the group to which the Atlanta GPOs will be delegated.

6. Right-click the newly created group, and select Properties.

7. From the Member of tab, select Add.

8. Add the Group Policy Creator Owners group as shown in Figure 4.12.

9. Click OK to complete the group membership portion of this exercise.

10. When the Group Policy Management Console is not installed, GPOs are created and administered by right-clicking the container where the policy would be applied in the Active Directory Users and Computers MMC snap-in. Right-click the Atlanta OU, and select Properties.

11. From the Atlanta Properties dialog box, select the Group Policy tab, as shown in Figure 4.13.

Figure 4.12 Adding the New Group to the Group Policy Creator Owners Group

Figure 4.13 The Group Policy Tab; Group Policy Management Console Installed

[Figure: the Group Policy tab, which reports that the Group Policy Management snap-in is installed, that the tab is no longer used, and that Group Policy Management is opened by clicking Open]

12. Click Open to open the Group Policy Management Console.

13. Click the OU that you want to delegate Group Policy to, and select Delegation in the right pane.

14. Click Add on the right pane, and add the GPO-Admins-ATL global group that you created earlier in this exercise, as shown in Figure 4.14.


Figure 4.14 Adding Delegation Permissions to the GPO-Admins-ATL Global Group

[Figure: the Add Group or User dialog with CORP\GPO-Admins-ATL entered and the permission applied to "This container and all child containers"]


15. From the Permission drop-down box in the right pane, add the GPO-Admins-ATL global group to the other permissions, as shown in Figure 4.15.

Figure 4.15 Adding the Remaining Permissions for Complete Delegation

16. Close the Group Policy Management MMC to complete the delegation of control. Members of the GPO-Admins-ATL global group now have permissions to create GPOs, link them to the Atlanta OU or OUs contained within the Atlanta OU, perform Group Policy modeling analyses, and read Group Policy results data.
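To confirm what the exercise actually granted, the following read-only PowerShell audit lists every principal that can link GPOs or run Group Policy modeling/results on the OU, and shows who can create GPOs through Group Policy Creator Owners. It is an added example, not part of the original exercise. It assumes the ActiveDirectory module (RSAT) is available and that the Atlanta OU's distinguished name is `OU=Atlanta,DC=corp,DC=local`; `Get-GpoDelegation` is a hypothetical helper name.

```powershell
# Added example (read-only audit); not part of the original exercise.
Import-Module ActiveDirectory   # assumes the RSAT ActiveDirectory module is installed

$ouDn = 'OU=Atlanta,DC=corp,DC=local'   # assumed DN; adjust to your domain

# schemaIDGUID / rightsGuid values behind the GPMC delegation permissions on an OU
$gpRights = @{
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'Link GPOs (gPLink)'
    'f30e3bbf-9ff0-11d1-b603-0000f80367c1' = 'Link GPOs (gPOptions)'
    'b7b1b3dd-ab09-4242-9e30-9980e5d322f7' = 'Group Policy Modeling (RSoP planning)'
    'b7b1b3de-ab09-4242-9e30-9980e5d322f7' = 'Group Policy Results (RSoP logging)'
    '00000000-0000-0000-0000-000000000000' = 'All properties / all extended rights'
}
# Only write access or extended rights matter here; read-only ACEs are skipped.
$relevant = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, ExtendedRight'

function Get-GpoDelegation {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        $permission = $gpRights[$ace.ObjectType.ToString()]
        if (-not $permission) { continue }                      # unrelated attribute or right
        if ($ace.AccessControlType -ne 'Allow') { continue }    # report grants only
        if (($ace.ActiveDirectoryRights -band $relevant) -eq 0) { continue }
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Permission = $permission
            AppliesTo  = $ace.InheritanceType   # 'All' = this container and all children
            Inherited  = $ace.IsInherited       # True = granted higher up the tree
        }
    }
}

# Who can link GPOs or run RSoP against the Atlanta OU?
Get-GpoDelegation -DistinguishedName $ouDn |
    Sort-Object Identity, Permission |
    Format-Table -AutoSize

# Who can create GPOs domain-wide through the built-in group (step 8)?
Get-ADGroupMember -Identity 'Group Policy Creator Owners' |
    Select-Object name, objectClass
```

After the exercise, CORP\GPO-Admins-ATL should appear with the link and RSoP permissions and `AppliesTo` set to `All`; any other non-administrative identity in the output is a delegation worth reviewing.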
