A common issue which we hear about is IT Staff who manage delegated Organisational Units (OU) in the Active Directory not being able to edit Group Policy Objects (GPOs) created by other members of their team or people who have left the University.
When a GPO is created the creator (along with some other built in Security Principals are assigned rights to Edit, Settings, delete or modify security. No one else will have these rights until they are assigned them. As with nearly all cases when working with Active Directory the best way to do this is via Group membership.
Every OU we delegate has an Admin Group associated with it for example ISS OU Admin Group or and this is the one you should use. If you are not sure what yours is called each for your s-id in Active Directory and select the ‘Member of’ tab from its properties. Once you know the name of your group you can delegate your GPOs.
Steps to Delegate GPOs
1. From within the GPMC (Group Policy Management Console) Select the Delegation Tab
2. Select the Add button from the bottom of the screen.
3. Add your OU Admin Group Name and select OK.
5. Select ‘Edit settings, delete, modify security’ and select OK.
6. Now all members of your OU Admin Group can edit the GPO