Linking GPOs to nodes in Active Directory is not a domain-centric task. This is because GPOs can be linked to more than the domain node, which you most likely already know. GPOs can also be linked to Active Directory sites and organizational units. With this array of options, scoping of the delegation for linking GPOs is important.

Because each node within Active Directory can have unique administrators through the configuration of administration delegation within the Active Directory Users and Computers tool, it makes sense that the same format is followed within the GPMC. Each node (Site, Domain, and Organizational Unit) has a unique delegation for the list of administrators that can link a GPO to it.
Note
Some containers in Active Directory, such as the default Users container and Computers container, cannot have GPOs linked to them. These containers do not appear in the GPMC for this reason. Organizational units, however, are containers that can support GPO links and appear in the GPMC.
To grant a user the delegation to link a GPO to an Active Directory node, follow these steps:

1. In the GPMC, expand the forest node, and then expand the domain node.
2. Select the Active Directory node for which you want to set up delegation.
3. Select the Delegation tab in the details pane.
4. Ensure that the Link GPOs option is selected in the Permission list.
5. To add members, click Add, and then select the user or group.
6. To remove a member, select the member, and then click Remove.
An administrator who has been granted the delegation to link a GPO to a node in Active Directory can link any GPO in the domain to this node. To link an existing GPO to a site, the domain, or an organizational unit, follow these steps:

1. In the GPMC, expand the forest node, and then expand the domain node.
2. Right-click the Active Directory node to which you want to link the existing GPO (must be <domainname>, organizational unit, or site), and then click Link An Existing GPO.
3. In the Select GPO dialog box, shown in Figure 1, select the domain from which you want to link the GPO from the Look In This Domain list (the default domain listed is typically the domain that you want to use).
4. Select the GPO, or GPOs, that you want to link from the Group Policy Objects list.
When an administrator is granted the delegation to link a GPO to a node, the GPMC is establishing nothing more than routine permissions on the node. If you open the Properties for the node in Active Directory Users and Computers and then view the Security tab, you will see the four permissions configured to allow this behavior. The first two permissions are Read gPLink and Write gPLink, located under Properties, and the other two permissions are Read gPOptions and Write gPOptions, configured under Properties For This Object And All Descendant Objects. Figure 2 shows these permissions.
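The four ACEs just described are ordinary attribute permissions, so they can be audited and set outside the GPMC. The following PowerShell is an added example (not code from the book or from Microsoft) that covers both the Delegation tab procedure above and the permissions this paragraph describes: one function lists every principal holding Write gPLink or Write gPOptions on a node, which is the set of accounts able to link any GPO in the domain there, and a second function writes the same four ACEs the GPMC writes. It assumes the RSAT ActiveDirectory module and its AD: drive are available; the OU and group names in the usage lines are hypothetical.

```powershell
# Added example: audit and grant the "Link GPOs" delegation on an AD node by
# working with the four ACEs the GPMC Delegation tab writes. Requires the RSAT
# ActiveDirectory module (provides the AD: drive). Run as a user who can read
# the node's security descriptor (and write it, for Grant-GPLinkDelegation).
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of an attribute from the forest schema rather than
# hardcoding it, so the script works unchanged in any forest.
function Get-AttributeGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema." }
    return [guid]$attr.schemaIDGUID
}

# List every Allow ACE on the node that grants WriteProperty on gPLink or
# gPOptions. Principals in this list can link (or unlink) any GPO in the domain
# to this node, so the list should match the GPMC Delegation tab exactly.
function Get-GPLinkDelegation {
    param([Parameter(Mandatory)][string]$NodeDN)   # e.g. 'OU=Workstations,DC=corp,DC=example'
    $gpLinkGuid    = Get-AttributeGuid 'gPLink'
    $gpOptionsGuid = Get-AttributeGuid 'gPOptions'
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl = Get-Acl -Path "AD:\$NodeDN"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ObjectType -eq $gpLinkGuid -or $_.ObjectType -eq $gpOptionsGuid) -and
            (($_.ActiveDirectoryRights -band $write) -ne 0)
        } |
        Select-Object IdentityReference,
            @{ n = 'Attribute'; e = { if ($_.ObjectType -eq $gpLinkGuid) { 'gPLink' } else { 'gPOptions' } } },
            ActiveDirectoryRights, InheritanceType, IsInherited
}

# Write the same four ACEs the GPMC writes for "Link GPOs":
#   Read/Write gPLink    -> this object only
#   Read/Write gPOptions -> this object and all descendant objects
function Grant-GPLinkDelegation {
    param(
        [Parameter(Mandatory)][string]$NodeDN,
        [Parameter(Mandatory)][string]$Principal   # e.g. 'CORP\GPO-Link-Admins' (hypothetical)
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $acl = Get-Acl -Path "AD:\$NodeDN"
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, $allow, (Get-AttributeGuid 'gPLink'),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, $allow, (Get-AttributeGuid 'gPOptions'),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
    Set-Acl -Path "AD:\$NodeDN" -AclObject $acl
}

# Usage (hypothetical OU and group names):
# Get-GPLinkDelegation -NodeDN 'OU=Workstations,DC=corp,DC=example' | Format-Table -AutoSize
# Grant-GPLinkDelegation -NodeDN 'OU=Workstations,DC=corp,DC=example' -Principal 'CORP\GPO-Link-Admins'
```

Running Get-GPLinkDelegation across the domain's OUs on a schedule and diffing the output against the intended delegation list is a cheap way to spot link rights that were granted outside the change process; inherited ACEs (IsInherited = True) show where a delegation made higher in the tree reaches further down than intended.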
Warning
When you re-deploy a GPO from AGPM, you have the option to restore the links to the Active Directory nodes with which it was originally configured. This is useful when a GPO is deleted and then restored, or when a GPO is rolled back or forward to another version. This action is performed by the AGPM service account on behalf of the AGPM administrator who has the deploy delegations in AGPM. The links can be restored to the Active Directory nodes even if the requesting AGPM user does not have the delegation within GPMC to link the GPO to the nodes selected in the deployment dialog box.
If a user is granted the ability to link a GPO to the node, but not to create a GPO in the domain, this is the only task the user can perform in the GPMC. However, a user who is granted both delegations has another option available. This option combines both steps into a single step. To create a GPO and link it to an Active Directory node in the same action, follow these steps:

1. In the GPMC, expand the forest node, and then expand the domain node.
2. Right-click the Active Directory node to which you want to link the new GPO (must be <domainname>, organizational unit, or site), and then click Create A GPO In This Domain, And Link It Here.
3. In the New GPO dialog box, type the name of the new GPO in the Name box.
4. (Optional) Select the Starter GPO that you want to use from the Source Starter GPO list, and then click OK.
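Both GPMC procedures on this page, linking an existing GPO and creating a GPO and linking it in one action, map directly onto the GroupPolicy module cmdlets. The following PowerShell is an added example (not code from the book or from Microsoft) that performs each one and, before calling the cmdlet, checks that the target is a domain, organizational unit, or site, since those are the only node types the GPMC offers. It assumes the RSAT GroupPolicy module; the GPO, OU, and Starter GPO names in the usage lines are hypothetical.

```powershell
# Added example: "Link An Existing GPO" and "Create A GPO In This Domain, And
# Link It Here" as GroupPolicy module calls. The caller needs the Link delegation
# on the target node (and the Create delegation in the domain for New-GPO);
# without them the cmdlets throw an access-denied error.
Import-Module GroupPolicy

# New-GPLink accepts only a domain, an OU, or a site as -Target. Classify the
# DN up front so that an unsupported container (for example the default Users
# or Computers container) is rejected with a clear message.
function Get-GPLinkTargetType {
    param([Parameter(Mandatory)][string]$TargetDN)
    switch -Regex ($TargetDN) {
        '^CN=[^,]+,CN=Sites,CN=Configuration,' { return 'Site' }
        '^OU=[^,]+,'                           { return 'OrganizationalUnit' }
        '^DC=[^,]+(,DC=[^,]+)*$'               { return 'Domain' }
        default                                { return $null }
    }
}

# Equivalent of the "Link An Existing GPO" dialog. -Domain mirrors the
# "Look In This Domain" list; omit it to use the current domain.
function Add-ExistingGPOLink {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$TargetDN,
        [string]$Domain
    )
    if (-not (Get-GPLinkTargetType $TargetDN)) {
        throw "'$TargetDN' is not a domain, organizational unit, or site; GPOs cannot be linked there."
    }
    $params = @{ Name = $GpoName; Target = $TargetDN; LinkEnabled = 'Yes' }
    if ($Domain) { $params.Domain = $Domain }
    New-GPLink @params
}

# Equivalent of "Create A GPO In This Domain, And Link It Here". The optional
# -StarterGpoName mirrors the "Source Starter GPO" list in the New GPO dialog.
function New-LinkedGPO {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$TargetDN,
        [string]$StarterGpoName
    )
    if (-not (Get-GPLinkTargetType $TargetDN)) {
        throw "'$TargetDN' is not a domain, organizational unit, or site; GPOs cannot be linked there."
    }
    $newParams = @{ Name = $GpoName }
    if ($StarterGpoName) { $newParams.StarterGpoName = $StarterGpoName }
    # New-GPO emits the new GPO object, which New-GPLink accepts from the pipeline.
    New-GPO @newParams | New-GPLink -Target $TargetDN -LinkEnabled Yes
}

# Usage (hypothetical names):
# Add-ExistingGPOLink -GpoName 'Workstation Baseline' -TargetDN 'OU=Workstations,DC=corp,DC=example'
# New-LinkedGPO -GpoName 'Branch Office Settings' -TargetDN 'CN=Branch-01,CN=Sites,CN=Configuration,DC=corp,DC=example'
# Get-GPLinkTargetType 'CN=Users,DC=corp,DC=example'   # returns $null: not a linkable node
```

New-GPLink creates the link enabled but not enforced; if the change process requires a link to start disabled for review, pass -LinkEnabled No and enable it later with Set-GPLink.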
Note
This method of creating a GPO and linking it to a node in Active Directory is possible only for those who have both the Create and Link delegations for the corresponding node where the GPO is being linked.