The ability to create a GPO is controlled at the domain level. This makes sense, because all GPOs are domain centric and specific. Who can create a GPO is not configured at the domain node in the GPMC, however, even though the delegation applies to the whole domain.
Delegation of GPO creation in the domain is performed at the Group Policy Objects node in the GPMC, as shown in Figure 1.
To delegate who can create GPOs for the domain, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Select the Group Policy Objects node.
3. Select the Delegation tab in the details pane.
4. To add members, click Add, and then select the user or group in the Select User, Computer, or Group dialog box.
5. To remove a member, select the member, and then click Remove. A Group Policy Management dialog box appears. Click OK.
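
To audit the result of this delegation from the command line, the following added example (not part of the original text) lists every principal allowed to create GPOs in the current domain. It relies on Active Directory recording this right as a create-child permission for groupPolicyContainer objects on the CN=Policies,CN=System container. The function name and the baseline list of expected principals are assumptions to adapt to your environment.

```powershell
# Added example: audit who can create GPOs in the current domain.
# Requires the ActiveDirectory module (RSAT) on a domain-joined machine.
Import-Module ActiveDirectory

function Get-GpoCreationDelegation {
    param(
        # Assumed baseline of expected creators; adjust to your environment.
        [string[]]$Expected = @('Domain Admins', 'Enterprise Admins',
                                'Group Policy Creator Owners', 'SYSTEM')
    )

    $rootDse  = Get-ADRootDSE
    $policies = "CN=Policies,CN=System,$($rootDse.defaultNamingContext)"

    # Look up the schema GUID of the groupPolicyContainer class (the AD object
    # behind every GPO) rather than hard-coding it.
    $gpcClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID
    $gpcGuid  = [guid]$gpcClass.schemaIDGUID

    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    (Get-Acl -Path "AD:\$policies").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $createChild) -and
            # An empty ObjectType means "any child class", which also covers GPOs.
            ($_.ObjectType -eq $gpcGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        ForEach-Object {
            # Strip the domain or authority prefix before comparing to the baseline.
            $name = ($_.IdentityReference.Value -split '\\')[-1]
            [pscustomobject]@{
                Identity   = $_.IdentityReference.Value
                Rights     = $_.ActiveDirectoryRights
                Inherited  = $_.IsInherited
                InBaseline = $Expected -contains $name
            }
        }
}

# Principals outside the baseline sort first and deserve a review.
Get-GpoCreationDelegation | Sort-Object InBaseline, Identity | Format-Table -AutoSize
```

Entries granted through a group still require a review of that group's membership, since every member inherits the ability to create GPOs.
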
The delegated privilege of creating a GPO in the domain gives the corresponding administrator some power. To create a GPO in the domain, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Right-click the Group Policy Objects node, and then click New.
3. In the New GPO dialog box, type a name for the new GPO in the Name box.
4. (Optional) Select a starter GPO from the Source Starter GPO list, as shown in Figure 2.
Although Starter GPOs are not production GPOs, there are delegations that control their creation, too. In a similar fashion to creating GPOs for the production domain, you will need to configure the groups that can create Starter GPOs for the domain. To delegate who can create Starter GPOs, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Select the Starter GPOs node.
3. Select the Delegation tab in the details pane.
4. To add members, click Add, and then select the user or group in the Select User, Computer, or Group dialog box.
5. To remove a member, select the member, and then click Remove. A Group Policy Management dialog box appears. Click OK.
After Starter GPOs are created in the domain, new GPOs in production can be created from them, as shown in Figure 3.
Settings configured in the Starter GPO are used to create a baseline of settings in the new GPO when it is created. To create a new GPO using a Starter GPO, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Right-click the Group Policy Objects node, and then click New.
3. In the New GPO dialog box, select the Starter GPO you want to use from the Source Starter GPO list.
4. Type the name for the new GPO in the Name box, and then click OK.
Note: Creation of a GPO does not include the ability to link the GPO. A user with the delegation to create GPOs in the domain can only create them from the Group Policy Objects node in the GPMC.
Note that new GPOs that do not use Starter GPOs are empty; they contain no configurations. Of course, if a new GPO uses a Starter GPO as the template for settings, those settings will be set in the new GPO.
Warning: The security delegations set on Starter GPOs are not copied to new GPOs created from them. New GPOs receive the default security, regardless of whether a Starter GPO was used.