Delegating Group Policy Objects

A common issue which we hear about is IT Staff who manage delegated Organisational Units (OU) in the Active Directory not being able to edit Group Policy Objects (GPOs) created by other members of their team or people who have left the University.

When a GPO is created, the creator (along with some other built-in security principals) is assigned rights to edit settings, delete or modify security. No one else will have these rights until they are assigned them. As in nearly all cases when working with Active Directory, the best way to do this is via group membership.

Every OU we delegate has an Admin Group associated with it, for example ISS OU Admin Group, and this is the one you should use. If you are not sure what yours is called, search for your s-id in Active Directory and select the ‘Member of’ tab from its properties. Once you know the name of your group you can delegate your GPOs.

Steps to Delegate GPOs

1. From within the GPMC (Group Policy Management Console) Select the Delegation Tab

2. Select the Add button from the bottom of the screen.

3. Add your OU Admin Group Name and select OK.

5. Select ‘Edit settings, delete, modify security’ and select OK.

6. Now all members of your OU Admin Group can edit the GPO
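The same delegation can be checked and applied from PowerShell with the GroupPolicy module that ships with GPMC. The script below is an added example, not part of the original post: it reports which GPOs linked to an OU are missing the OU Admin Group delegation, then previews the grant. The OU distinguished name is a placeholder, and the group name is the example used above.

```powershell
# Added example: audit GPOs linked to one OU, then delegate them to the OU Admin Group.
# Requires the GroupPolicy module (installed with GPMC / RSAT).
Import-Module GroupPolicy

# Assumptions: replace both values with your own.
$OuDn       = 'OU=ISS,DC=example,DC=org'     # placeholder DN, not a real OU
$AdminGroup = 'ISS OU Admin Group'           # example group name from the post
$Wanted     = 'GpoEditDeleteModifySecurity'  # 'Edit settings, delete, modify security' in GPMC

# GPOs linked directly to the OU (links inherited from parent containers are not in GpoLinks).
$links = (Get-GPInheritance -Target $OuDn).GpoLinks

# Build a report of what the group currently holds on each linked GPO.
$report = foreach ($link in $links) {
    # No result means the group has no entry on this GPO's Delegation tab.
    $perm = Get-GPPermission -Guid $link.GpoId -TargetName $AdminGroup `
                -TargetType Group -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Gpo         = $link.DisplayName
        GpoId       = $link.GpoId
        Current     = if ($perm) { "$($perm.Permission)" } else { 'None' }
        NeedsChange = (-not $perm) -or ("$($perm.Permission)" -ne $Wanted)
    }
}
$report | Format-Table -AutoSize

# Preview the grant for each GPO that is missing it.
# Remove -WhatIf to apply the change once the report looks right.
foreach ($row in $report | Where-Object NeedsChange) {
    Set-GPPermission -Guid $row.GpoId -TargetName $AdminGroup -TargetType Group `
        -PermissionLevel $Wanted -WhatIf
}
```

Run it as an account that already holds modify-security rights on the GPOs (such as their creator), since no one else can change the delegation until they have been granted it.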

This entry was posted in ActiveDirectory by James.

About James

I am an Infrastructure Systems Administrator in the Infrastructure Systems Group (ISG) within ISS. We are responsible for a number of the core services which support the IT Infrastructure of the University including Active Directory, Exchange, DNS, Central Filestore, VMware and SQL. I hold a number of current Microsoft Certifications and am also a Symantec Certified Specialist (Netbackup). http://twitter.com/JamesAPocock
