Active Directory delegation can be created for ADUC, DNS, DHCP, GPMC, and many more services. This guide covers the delegation of the GPMC, particularly for GPO Editors and GPO Readers.

Tim Buntrock

Tim Buntrock is one of three enterprise administrators for the Active Directory service of a "global player" in the contact center business. He is a certified engineer for MCTS, MCITP, MCSA and MCPS.

By default, only Domain Administrators and Enterprise Administrators have permission to administer GPOs for domains. For many organizations, this is enough and they don’t need to delegate tasks. If you have roles in place, such as Help Desk, Service Desk, and Server Admins, it makes sense to specify delegation levels for these roles as well. Doing so can prevent security issues and can limit the likelihood and impact of administrative errors.

In this guide, I will show you how to delegate Group Policy management tasks to an AD group named GPO Editors, and read-only access to GPOs to a group named GPO Readers. Both groups have to be created in ADUC first so that we can use them to delegate permissions.

Our goal is to give the GPO Editors permission to link, edit, modify the security of, and delete GPOs. They should also be able to use the Generate Resultant Set of Policy (Planning) and (Logging) features.

Delegate permissions to link GPOs and use Resultant Set of Policy for GPO Editors

  1. Open the ADUC console, right-click the domain, and click Delegate Control.
  2. In the Users or Groups dialog box, click Add, type the group name GPO Editors, and click OK.
  3. In the Tasks to Delegate box, select Manage Group Policy links, Generate Resultant Set of Policy (Planning), and Generate Resultant Set of Policy (Logging).
     [Screenshot: Group Policy delegation]
  4. To complete the wizard, click Finish.

Now you have to set permissions to edit, delete, and modify security of GPOs. You can do this with the GPMC or using PowerShell. I prefer PowerShell because with the GPMC you can only set permissions on one GPO, whereas PowerShell lets you set permissions on all GPOs. However, I will show you both ways.

Delegate GpoEditDeleteModifySecurity permissions using the GPMC

  1. Open the Group Policy Management Console and click a GPO.
  2. Select the Delegation tab and click Add.
  3. Type the group name and click OK.
     [Screenshot: Add Group or User]
  4. In the next window, choose Edit settings, delete, modify security and click OK.

Delegate GpoEditDeleteModifySecurity permissions using PowerShell

After you start PowerShell, you have to import the Group Policy module to execute the required commands, like this:

This command sets the permission level for the GPO Editors security group to GpoEditDeleteModifySecurity for the GPO named TestGpo1:

This command sets the permission level for the GPO Editors security group to GpoEditDeleteModifySecurity on all GPOs in the domain:
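The commands the three sentences above describe, written out as an added example rather than the article's own listing; it assumes the group GPO Editors and the GPO TestGpo1 from the text, and finishes with a verification pass that lists any GPO where the group is still not at the expected level.

```powershell
# Added example (not the article's listing). Assumes the group "GPO Editors"
# and the GPO "TestGpo1" exist, as in the text.
Import-Module GroupPolicy

# Edit, delete and modify-security rights on a single GPO
Set-GPPermission -Name 'TestGpo1' -TargetName 'GPO Editors' -TargetType Group `
    -PermissionLevel GpoEditDeleteModifySecurity

# The same permission level on every GPO in the domain
Set-GPPermission -All -TargetName 'GPO Editors' -TargetType Group `
    -PermissionLevel GpoEditDeleteModifySecurity

# Verify: report every GPO where the group is still missing or below the level.
# Get-GPPermission errors when the trustee has no entry at all, hence SilentlyContinue.
Get-GPO -All | ForEach-Object {
    $p = Get-GPPermission -Guid $_.Id -TargetName 'GPO Editors' -TargetType Group `
        -ErrorAction SilentlyContinue
    if ($null -eq $p -or $p.Permission -ne 'GpoEditDeleteModifySecurity') {
        [pscustomobject]@{ GPO = $_.DisplayName; Permission = $p.Permission }
    }
}
```

Without -Replace, Set-GPPermission only adds to an existing entry and never lowers a level the group already has.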

When a member of the GPO Editors group creates a GPO, that user becomes the creator owner of the GPO and can edit and modify permissions on the GPO. If this user forgets to set the permissions for the GPO Editors group, the GPO Editors won’t be able to see or modify the GPO. For this reason, I recommend creating a Scheduled Task to start a script that sets GpoEditDeleteModifySecurity permissions on all GPOs.

Create a scheduled task to run a Windows PowerShell script that sets GpoEditDeleteModifySecurity permissions for all GPO Editors

  1. Save the following script to C:\admin\Scripts\GPOAccess on the server that runs the task:
  2. Open the Task Scheduler on your server.
  3. Right-click Task Scheduler Library and select Create Basic Task.
     [Screenshot: Task Scheduler]
  4. Specify a Name and Description and click Next.
     [Screenshot: Create a Basic Task]
  5. Set the Trigger.
     [Screenshot: Set the Trigger Options]
  6. In the Action section, select Start a Program and enter the following values:
     [Screenshot: Start a Program]
     Program/script: powershell
     Add arguments (optional): -file "C:\admin\Scripts\GPOAccess\SetGPOEditors.ps1"
  7. In the Finish section, select Open the Properties dialog for this task when I click Finish, and click Finish.
     [Screenshot: Summary]
  8. To run the task whether the user is logged on or not, select that option on the General tab, click OK, and enter the credentials.
     [Screenshot: Set GPO Editors Permission Properties]

The following paragraphs will show you what you have to do to set Read permissions on all GPOs in your domain.

Create a scheduled task to run a Windows PowerShell script that sets GPORead permissions for a security group

You can use this delegation to give Help Desk members permission to read all GPOs, for example, so they can troubleshoot problems caused by GPO misconfiguration.

To set GPORead permission, you can create another scheduled task, change the values such as the name and description, and replace the script with the following:
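One script that serves both scheduled tasks described above (GPO Editors with GpoEditDeleteModifySecurity, and GPO Readers with GpoRead), as an added example and not the article's own SetGPOEditors.ps1; the script name, its parameters and the log path are assumptions. It only changes GPOs where the group is missing the requested level and logs each change, so a GPO whose creator-owner forgot to delegate becomes visible in the log.

```powershell
# SetGPOPermissions.ps1 -- added example, not the article's script.
# Assumed location: C:\admin\Scripts\GPOAccess\SetGPOPermissions.ps1
# Task arguments for the editors:  -file "<path>" -TargetName "GPO Editors"
# Task arguments for the readers:  -file "<path>" -TargetName "GPO Readers" -PermissionLevel GpoRead
param(
    [Parameter(Mandatory)][string]$TargetName,
    [ValidateSet('GpoRead', 'GpoEdit', 'GpoEditDeleteModifySecurity')]
    [string]$PermissionLevel = 'GpoEditDeleteModifySecurity',
    [string]$LogPath = 'C:\admin\Scripts\GPOAccess\GPOAccess.log'   # assumed log location
)
Import-Module GroupPolicy -ErrorAction Stop

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogPath
}

$changed = 0
foreach ($gpo in Get-GPO -All) {
    # Get-GPPermission errors when the trustee has no entry at all; treat that as "missing"
    $current = Get-GPPermission -Guid $gpo.Id -TargetName $TargetName -TargetType Group `
        -ErrorAction SilentlyContinue
    if ($null -ne $current -and $current.Permission -eq $PermissionLevel) { continue }

    try {
        # Without -Replace this only adds rights; an existing higher level is never lowered
        Set-GPPermission -Guid $gpo.Id -TargetName $TargetName -TargetType Group `
            -PermissionLevel $PermissionLevel -ErrorAction Stop | Out-Null
        Write-Log "SET   $PermissionLevel for '$TargetName' on '$($gpo.DisplayName)' (was: $($current.Permission))"
        $changed++
    }
    catch {
        Write-Log "ERROR '$($gpo.DisplayName)': $($_.Exception.Message)"
    }
}
Write-Log "Done: $changed GPO(s) updated for '$TargetName'"
```

The account the task runs under needs rights to modify GPO security on every GPO, so the log is also where a failed run shows up first.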

See this article to get more information about Set-GPPermissions.

You can also look at the article Get-GPPermissions to see how to get the permissions for your GPOs using PowerShell.

3 Comments
  1. Howard 3 years ago

    "When a member of the GPO Editors group creates a GPO"

    I've set these permissions but it doesn't allow users of GPO Editors to create a new GPO.

  2. Tim Buntrock (Author) 3 years ago

    You have to delegate this in GPMC. In GPMC, go to Group Policy Objects, select the Delegation tab, and add the GPO Editors group or another group. If you also want to give this group permissions to link GPOs, you can do this in ADUC. Just right-click an OU and select Delegate Control, type in the group, and delegate the following common task: Manage Group Policy links.

  3. puffy 2 years ago

    Hi! Is it possible, for example, to give permission to create / delete / modify / link in a specific OU?

© 4sysops 2006 - 2019