Active Directory delegation can be created for ADUC, DNS, DHCP, GPMC, and many more services. This guide covers the delegation of the GPMC, particularly for GPO Editors and GPO Readers.

By default, only Domain Administrators and Enterprise Administrators have permission to administer GPOs for domains. For many organizations, this is enough and they don’t need to delegate tasks. If you have roles in place, such as Help Desk, Service Desk, and Server Admins, it makes sense to specify delegation levels for these roles as well. Doing so can prevent security issues and can limit the likelihood and impact of administrative errors.

In this guide, I will show you how to delegate Group Policy Management tasks to a specific AD group named GPO Editors and how to delegate read access to GPOs to a group named GPO Readers. Both groups have to be created in ADUC first so that we can use them to delegate permissions.

Our goal is to give the GPO Editors permission to link, edit, modify the security of, and delete GPOs. They should also be able to use Generate Resultant Set of Policy (Planning) and Generate Resultant Set of Policy (Logging).

Delegate permissions to link GPOs and use resultant set of policy for GPO Editors

  1. Open the ADUC Console, right-click the domain, and click Delegate Control.
  2. In the Users or Groups dialog box, click Add, type the group name GPO Editors, and click OK.
  3. In the Tasks to Delegate box, select Manage Group Policy links, Generate Resultant Set of Policy (Planning), and Generate Resultant Set of Policy (Logging).
  4. To complete the wizard, click Finish.

Now you have to set permissions to edit, delete, and modify security of GPOs. You can do this with the GPMC or using PowerShell. I prefer PowerShell because with the GPMC you can only set permissions on one GPO, whereas PowerShell lets you set permissions on all GPOs. However, I will show you both ways.

Delegate GpoEditDeleteModifySecurity permissions using the GPMC

  1. Open the Group Policy Management Console and click a GPO.
  2. Select the Delegation tab and click Add.
  3. Type the group name and click OK.
  4. In the next window, choose Edit settings, delete, modify security and click OK.

Delegate GpoEditDeleteModifySecurity permissions using PowerShell

After you start PowerShell, you have to import the Group Policy module to execute the required commands, like this:

import-module grouppolicy

This command sets the permission level for the GPO Editors security group to GpoEditDeleteModifySecurity for the GPO named TestGPO1:

Set-GPPermissions -Name TestGPO1 -TargetName "GPO Editors" -TargetType Group -PermissionLevel GpoEditDeleteModifySecurity

This command sets the permission level for the GPO Editors security group to GpoEditDeleteModifySecurity on all GPOs in the domain:

Set-GPPermissions -All -TargetName "GPO Editors" -TargetType Group -PermissionLevel GpoEditDeleteModifySecurity

When a member of the GPO Editors group creates a GPO, that user becomes the creator owner of the GPO and can edit and modify permissions on the GPO. If this user forgets to set the permissions for the GPO Editors group, the GPO Editors won’t be able to see or modify the GPO. For this reason, I recommend creating a Scheduled Task to start a script that sets GpoEditDeleteModifySecurity permissions on all GPOs.

Create a scheduled task to run a Windows PowerShell script that sets GpoEditDeleteModifySecurity permissions for GPO Editors on all GPOs

  1. Save the following script to C:\admin\Scripts\GPOAccess on the server that runs the task:
     # SetGPOEditors.ps1
     # Set GPO edit rights for the group GPO Editors on all GPOs
     import-module grouppolicy
     Set-GPPermissions -All -TargetName "GPO Editors" -TargetType Group -PermissionLevel GpoEditDeleteModifySecurity
     # Script END
  2. Open the Task Scheduler on your server.
  3. Right-click Task Scheduler Library and select Create Basic Task.
  4. Specify a Name and Description and click Next.
  5. Set the Trigger.
  6. In the Action section, select Start a Program and enter the following values:
     Program/script: powershell
     Add arguments (optional): -file "C:\admin\Scripts\GPOAccess\SetGPOEditors.ps1"
  7. In the Finish section, select Open the Properties dialog for this task when I click Finish and click Finish.
  8. To run the task whether the user is logged on or not, select that option on the General tab, click OK, and enter the credentials.
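The same task can be registered from PowerShell instead of the Task Scheduler GUI. The following script is an added example, not part of the article; it uses the ScheduledTasks module (Windows Server 2012 and later), and the task name, schedule, and service account are assumptions to adjust for your environment.

```powershell
# Register-GpoDelegationTask.ps1 (added example; not the article's script)
# Registers a task equivalent to the GUI steps above: runs powershell.exe
# -File on SetGPOEditors.ps1 once a day, "whether the user is logged on or
# not", under a dedicated account rather than a personal admin account.
param(
    [string]$TaskName   = 'Set GPO Editors Permission',
    [string]$ScriptPath = 'C:\admin\Scripts\GPOAccess\SetGPOEditors.ps1',
    [string]$RunAsUser  = 'CONTOSO\svc-gpodelegation',   # placeholder account
    [string]$At         = '03:00'
)

# Fail early if the script the task should run is not in place.
if (-not (Test-Path -LiteralPath $ScriptPath)) {
    throw "Script not found: $ScriptPath"
}

# Same Program/script and arguments as the GUI procedure, run non-interactively;
# the path is quoted so a directory containing spaces does not break it.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""

$trigger = New-ScheduledTaskTrigger -Daily -At $At

# Stop a hung run after an hour and catch up if the trigger time was missed.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -StartWhenAvailable

# Prompt for the account password instead of storing it in the script.
$cred = Get-Credential -UserName $RunAsUser -Message 'Password for the task account'

# Passing -User/-Password registers the task to run whether the user is logged
# on or not; -RunLevel Highest is needed to modify GPO security descriptors.
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName `
    -Password $cred.GetNetworkCredential().Password -RunLevel Highest -Force
```

The account you pass must itself hold the delegations described in this article, since the script only grants what the running identity is allowed to grant.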

The following paragraphs will show you what you have to do to set Read permissions on all GPOs in your domain.

Create a scheduled task to run a Windows PowerShell script that sets GPORead permissions for a security group

You can use this delegation to give Help Desk members permission to read all GPOs, for example, so they can troubleshoot problems caused by GPO misconfiguration.

To set GPORead permission, you can create another scheduled task, change the values such as the name and description, and replace the script with the following:

# SetGPOReaders.ps1
# Set GPORead rights for the group GPO Readers on all GPOs
import-module grouppolicy
Set-GPPermissions -All -TargetName "GPO Readers" -TargetType Group -PermissionLevel GpoRead
# Script END
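Both scheduled-task scripts above re-apply permissions to every GPO on every run, which leaves no record of which GPOs were actually missing the delegation. The following script is an added example, not the article's own code: it covers both the GPO Editors and GPO Readers cases, checks each GPO with Get-GPPermission first, changes only GPOs that are out of compliance, and logs what it changed. The group names, required levels, and log path are assumptions.

```powershell
# Ensure-GpoDelegation.ps1 (added example; not the article's script)
# Idempotent replacement for SetGPOEditors.ps1 / SetGPOReaders.ps1 that
# only calls Set-GPPermission where a group is missing or below the required
# level, and writes every change to a CSV log for review.
param(
    [hashtable]$Delegations = @{
        'GPO Editors' = 'GpoEditDeleteModifySecurity'   # assumed group names
        'GPO Readers' = 'GpoRead'
    },
    [string]$LogPath = 'C:\admin\Scripts\GPOAccess\GpoDelegation.log'   # assumed
)

Import-Module GroupPolicy

# Rank of each permission level so a group that already holds a higher level
# (e.g. GpoEdit where GpoRead is required) is left untouched.
$rank = @{ None = 0; GpoCustom = 0; GpoRead = 1; GpoApply = 1
           GpoEdit = 2; GpoEditDeleteModifySecurity = 3 }

$changes = @()
foreach ($gpo in Get-GPO -All) {
    foreach ($group in $Delegations.Keys) {
        $required = $Delegations[$group]
        # Get-GPPermission throws when the trustee is not on the GPO's ACL at
        # all, so treat that error as "no permission".
        try {
            $current = Get-GPPermission -Guid $gpo.Id -TargetName $group `
                -TargetType Group -ErrorAction Stop
        } catch { $current = $null }
        $have = if ($current) { [string]$current.Permission } else { 'None' }
        if ($rank[$have] -ge $rank[$required]) { continue }

        Set-GPPermission -Guid $gpo.Id -TargetName $group -TargetType Group `
            -PermissionLevel $required | Out-Null
        $changes += [pscustomobject]@{
            Time   = (Get-Date).ToString('s')
            Gpo    = $gpo.DisplayName
            Group  = $group
            Before = $have
            After  = $required
        }
    }
}

if ($changes) { $changes | Export-Csv -Path $LogPath -Append -NoTypeInformation }
$changes   # also emit the changes for an interactive run
```

A GPO that shows up in the log repeatedly is one whose creator keeps setting permissions by hand, which is exactly the situation the scheduled task is meant to catch.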

See this article to get more information about Set-GPPermissions.


You can also look at the article Get-GPPermissions to see how to get the permissions for your GPOs using PowerShell.

7 Comments
  1. Howard, 7 years ago

    “When a member of the GPO Editors group creates a GPO”

    I’ve set these permissions but it doesn’t allow users of GPO Editors to create a new GPO.

  2. Author

    You have to delegate this in GPMC. In GPMC, go to Group Policy Objects, select the Delegation tab, and add the GPO Editors group or another group. If you also want to give this group permissions to link GPOs, you can do this in ADUC. Just right-click an OU and select Delegate Control, type in the group, and delegate the following common task: Manage Group Policy links.

  3. puffy, 7 years ago

    Hi! Is it possible, for example, to give permission to create / delete / modify / link in a specific OU?

  4. Karl Reimer, 5 years ago

    Thanks for the article! I found it useful.


    There's a typo here:

    Set-GPPermissions -Name TestGPO1 -TargetName "GPO Editors" -TargetType Group PermissionLevel GpoEditDeleteModifySecurity


    "PermissionLevel" needs a dash in front of it.

  5. Curtiss, 4 years ago

    You really can't delegate "edit all GPOs" at the domain level? You have to run a scheduled task to delegate it to each individual GPO?

  6. Darren D, 4 years ago

    I had the same question, and it appears there is no simple way to do this. I'm hoping Microsoft adds it via delegation in a future release.



© 4sysops 2006 - 2023
