Active Directory delegation can be created for ADUC, DNS, DHCP, GPMC, and many more services. This guide covers the delegation of the GPMC, particularly for GPO Editors and GPO Readers.

By default, only Domain Administrators and Enterprise Administrators have permission to administer GPOs for domains. For many organizations, this is enough and they don’t need to delegate tasks. If you have roles in place, such as Help Desk, Service Desk, and Server Admins, it makes sense to specify delegation levels for these roles as well. Doing so can prevent security issues and can limit the likelihood and impact of administrative errors.

In this guide, I will show you how to delegate Group Policy Management tasks to a specific AD group named GPO Editors and read GPOs for the group GPO Readers. Both groups have to be created in ADUC so that we can use these groups to delegate permissions.

Our goal is to give the GPO Editors permission to link, edit, modify the security of, and delete GPOs. They should also be able to use the Generate Resultant Set option of the Policy Planning and Logging feature.

Delegate permissions to link GPOs and use resultant set of policy for GPO Editors

  1. Open the ADUC Console, right-click the domain, and click Delegate Control.
  2. In the Users or Groups dialog box, click Add, type the group name GPO Editors, and click OK.
  3. In the Tasks to Delegate box, select Manage Group Policy links, Generate Resultant Set of Policy (Planning), and Generate Resultant Set of Policy (Logging).
    Group Policy delegation
  4. To complete the wizard, click Finish.­

Now you have to set permissions to edit, delete, and modify security of GPOs. You can do this with the GPMC or using PowerShell. I prefer PowerShell because with the GPMC you can only set permissions on one GPO, whereas PowerShell lets you set permissions on all GPOs. However, I will show you both ways.

Delegate GpoEditDeleteModifySecurity permissions using the GPMC

  1. Open the Group Policy Management Console and click a GPO.
  2. Select the Delegation tab and click Add.
  3. Type the group name and click OK.
    Ad Group or User
  4. On the next window, choose Edit settings, delete, modify security and click OK.

Delegate GpoEditDeleteModifySecurity permissions using PowerShell

After you start PowerShell, you have to import the Group Policy module to execute the required commands, like this:

import-module grouppolicy

This command sets the permission level for the GPO Editors security group to GpoEditDeleteModifySecurity for the GPO named TestGpo1:

Set-GPPermissions -Name TestGPO1 -TargetName "GPO Editors" -TargetType Group PermissionLevel GpoEditDeleteModifySecurity

 This command sets the permission level for the GPO Editors security group to GpoEditDeleteModifySecurity on all GPOs in the domain:

Set-GPPermissions -All -TargetName "GPO Editors" -TargetType Group -PermissionLevel GpoEditDeleteModifySecurity

When a member of the GPO Editors group creates a GPO, that user becomes the creator owner of the GPO and can edit and modify permissions on the GPO. If this user forgets to set the permissions for the GPO Editors group, the GPO Editors won’t be able to see or modify the GPO. For this reason, I recommend creating a Scheduled Task to start a script that sets GpoEditDeleteModifySecurity permissions on all GPOs.

Create a scheduled task to run a Windows PowerShell script that sets GpoEditDeleteModifySecurity permissions for all GPO Editors

  1. Save the following script to C:\admin\Scripts\GPOAccess on your server that runs the task:
    # SetGPOEditors.ps1
    # Set GPO edit rights for the group GPO Editors on all GPOs
    import-module grouppolicy
    Set-GPPermissions -All -TargetName "GPO Editors" -TargetType Group -PermissionLevel GpoEditDeleteModifySecurity
    # Script END
  1. Open the Task Scheduler on your server.
  2. Right-click Task Scheduler Library and select Create Basic Task.
    Task Scheduler
  3. Specify a Name and Description and click Next.
    Create a Basic Task
  1. Set the Trigger
    Set the Trigger Options
  1. In the Action section, select Start a Program and enter the following values:
    Start a Program
    Program/script: powershell
    Add arguments (optional): -file "C:\ admin\Scripts\GPOAccess\SetGPOEditors.ps1"
  1. In the Finish section, select Open the Properties dialog for this task when I click Finish and click Finish.
  1. To run the task whether the user is logged on or not, select that option on the General tab, click OK, and enter the credentials.
    Set GPO Editors Permission Properties

The following paragraphs will show you what you have to do to set Read permissions on all GPOs in your domain.

Create a scheduled task to run a Windows PowerShell script that sets GPORead permissions for a security group

You can use this delegation to give Help Desk members permission to read all GPOs, for example, so they can troubleshoot problems caused by GPO misconfiguration.

To set GPORead permission, you can create another scheduled task, change the values such as the name and description, and replace the script with the following:

# SetGPOReaders.ps1
# Set GPORead rights for the group GPO Readers on all GPOs
import-module grouppolicy
Set-GPPermissions -All -TargetName "GPO Readers" -TargetType Group -PermissionLevel GpoRead
# Script END

See this article to get more information about Set-GPPermissions.

Subscribe to 4sysops newsletter!

You can also look at the article Get-GPPermissions to see how to get the permissions for your GPOs using PowerShell.

  1. Avatar
    Howard 7 years ago

    “When a member of the GPO Editors group creates a GPO”

    I’ve set these permissions but it doesn’t allow users of GPO Editors to create a new GPO.

  2. Avatar Author

    You have to delegate this in GPMC. In GPMC go to Group Policy Objects and select Delegation tab, and add the GPO Editors Group or another group . If you also want to give this groups permissions, to link GPOs , you can do this in ADUC. Just reight-click an OU and select Delegate Control, type in the group and delegate the following common task Manage Group Policy links.

  3. Avatar
    puffy 7 years ago

    Hi ! Is it possible for example to give permission to create / delete / modify / Link  in OU specific ?

  4. Avatar
    Karl Reimer 5 years ago

    Thanks for the article! I found it useful.


    There's a typo here:

    Set-GPPermissions -Name TestGPO1 -TargetName "GPO Editors" -TargetType Group PermissionLevel GpoEditDeleteModifySecurity


    "PermissionLevel" needs a dash in front of it.

  5. Avatar
    Curtiss 4 years ago

    you really can't delegate "edit all GPOs" at the domain level?  you have to run a scheduled task to delegate it to each individual GPO?

  6. Avatar
    Darren D 4 years ago

    I had the same question and it appears there is not simple way to do this.. I hoping  Microsoft add via delegation in future release.  

  7. Avatar
    Frank 1 year ago

Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account