Microsoft KB Archive/221577

= HOW TO: Delegate Authority for Editing a Group Policy Object (GPO) =

Article ID: 221577

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q221577





IN THIS TASK
SUMMARY
 * Delegating Authority for Editing of a Group Policy Object



SUMMARY
Administrators can delegate the authority to create and manage Group Policy Objects (GPOs). This article describes how to accomplish this task.

back to the top

Delegating Authority for Editing of a Group Policy Object

 * 1) Create an organizational unit (OU) and create a new GPO directly linked to this OU. This can be done by clicking Properties on the context menu of the OU, clicking the Group Policy tab in the Properties dialog box, and clicking the New button. Once the GPO has been created, launch the Delegation Wizard. The Delegation Wizard provides a step-by-step process in which specific functionality may be delegated easily, with a high degree of detail.

NOTE: To start the Delegation Wizard, select the OU and right-click it. Then select Delegate Control. This starts the Delegation of Control Wizard.
 * 1) Directly access the security settings for the GPO itself, by clicking Properties on the context menu of the specific GPO, and clicking the Security tab. Add your non-administrator user to the list of users for whom security is defined.
 * 2) Provide your user Full Control - Allow privilege. Full Control provides the user the ability to write to the GPO, and also to change security permissions on the GPO. If you want to prevent this user from setting security, you may decide to give them only the Write - Allow permission

You may also decide that the user should be exempt from the application of this policy, and this may be accomplished by clearing the Apply Group Policy - Allow privilege.
 * 1) To simplify administration for the user, launch the management console (Mmc.exe) and add the Group Policy snap-in. Browse for and add the GPO that you are configuring for delegation. Once this MMC session is appropriately configured, save the MMC session and give to the user. The user can now utilize and administer their GPO with no additional setup.

back to the top

Keywords: kbenv kbhowto kbhowtomaster KB221577

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.