Delegating Privileges for Group Policy Management

In Active Directory, administrators are automatically granted permissions for performing different Group Policy management tasks. Other individuals can be granted such permissions through delegation. In Active Directory, you delegate Group Policy management permissions for very specific reasons. You delegate permissions to allow a user who is not a member of Enterprise Admins or Domain Admins to perform any or all of the following tasks:

  • View settings, change settings, delete a GPO, and modify security

  • Manage links to existing GPOs or generate RSoP

  • Create GPOs (and therefore also be able to manage any GPOs she has created)

Any privileges you delegate in this way are outside the change controls provided ...

Get Windows® Group Policy Administrators Pocket Consultant now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.