
Windows Server 2008 and Windows Vista : Group Policy Management Console Delegation - Managing GPOs, Editing GPOs

10/26/2013 2:13:16 AM

1. Managing GPOs

The management of GPOs is not referred to as Management in the GPMC; rather, it is referred to as Edit Settings, Delete, Modify Security, as shown in the details pane in Figure 1. This level of delegation is very powerful—a user granted this delegation can do anything to the GPO, except create it and link it to a node.

Figure 1. When you want a user to have management capabilities over a GPO, you can establish Edit Settings, Delete, Modify Security delegation.

Management over GPOs should be carried out with great care and consideration. If possible, only a few users should manage each GPO. Scoping of delegation is very important in the management of GPOs. Because each GPO is a stand-alone object, each has its own delegation for who can manage it.

To grant the delegation to manage a GPO, follow these steps:

1. In the GPMC, expand the forest node, and then expand the domain node.

2. Expand the Group Policy Objects node.

3. Select the GPO for which you want to set up delegation.

4. Select the Delegation tab in the details pane.

5. If the user or group is already listed in the Groups Or Users list, right-click the group or user for which you are setting up delegation, and then click the Edit Settings, Delete, Modify Security option.

6. To add members, click Add, and then select the user or group in the Select User, Computer, Or Group dialog box. When the Add Group or User dialog box appears, select the Edit Settings, Delete, Modify Security option from the Permissions list, and then click OK.

7. To remove a member, select the member, and then click Remove. When the Group Policy Management dialog box appears to confirm the deletion, click OK.

After the delegation has been performed, the user will be able to control many aspects of the GPO, including the following:

  • Editing the GPO by right-clicking it and using the Group Policy Management Editor

  • Configuring security on the GPO, specifying which user, group, or computer has the permission to apply the GPO

    Note

    For a user or computer to apply the settings in a GPO, the Read and Apply Group Policy permissions must both be set on the GPO for the target object. Permissions can either be set explicitly for the user or computer listed on the GPO or granted based on membership in a group with the permission.


  • Deleting a GPO from the production environment, which removes all links to the GPO, the Group Policy template (GPT), and the Group Policy container (GPC) portions of the GPO

Warning

Without AGPM, any GPOs that are deleted using the GPMC are permanently deleted. This action can be undone only by restoring the GPO from the GPMC backup/restore tool or by performing a restore of the GPO from the System State. If the System State was not backed up or a manual backup of the GPO was not performed, the GPO is not recoverable.


Starter GPOs have the same delegation options as normal GPOs. The steps are the same for establishing the delegation on Starter GPOs as they are for normal GPOs—you just use the Delegation tab after selecting the Starter GPO that you want to configure.

2. Editing GPOs

Editing GPOs is another delegation that you must guard and selectively configure in the GPMC. This delegation is performed on individual GPOs so that control of the settings can be precisely set for each GPO.

If you need to give a user control over just the contents of a GPO, you should provide the editing delegation. The delegation to manage a GPO provides too much control for a user who simply needs to make setting changes within the GPO.

To delegate the editing of a GPO to a user, follow these steps:

1. In the GPMC, expand the forest node, and then expand the domain node.

2. Expand the Group Policy Objects node.

3. Select the GPO for which you want to set up delegation.

4. Select the Delegation tab in the details pane.

5. If the user or group is already listed in the Groups Or Users list, right-click the group or user for whom you are setting up delegation, and then select Edit Settings.

6. To add members, click Add, and then select the user or group in the Select User, Computer, or Group dialog box. When the Add Group or User dialog box appears, select the Edit Settings option from the Permissions list, and then click OK.

7. To remove a member, select the member, and then click Remove. When the Group Policy Management dialog box appears to confirm the deletion, click OK.
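The two GPMC procedures above (granting the manage level in section 1 and the edit level in this section) can also be scripted. The following is an added example, not part of the original article; it assumes the GroupPolicy PowerShell module (GPMC/RSAT on Windows Server 2008 R2 or later), and the helper function, GPO name and group names are hypothetical.

```powershell
# Added example. Requires the GroupPolicy module (GPMC/RSAT, Windows Server 2008 R2 or later).
Import-Module GroupPolicy

function Set-GpoDelegation {
    # Hypothetical helper: grant, change, or remove a trustee's delegation on ONE GPO.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$GpoName,
        [Parameter(Mandatory = $true)][string]$Trustee,
        [ValidateSet('User', 'Group')][string]$TrusteeType = 'Group',
        # GpoEdit = "Edit Settings"; GpoEditDeleteModifySecurity = the manage level;
        # None = remove the trustee from the Delegation tab.
        [Parameter(Mandatory = $true)]
        [ValidateSet('GpoEdit', 'GpoEditDeleteModifySecurity', 'None')]
        [string]$Level
    )

    if ($PSCmdlet.ShouldProcess("$GpoName / $Trustee", "Set delegation to $Level")) {
        # -Replace matters: without it Set-GPPermission leaves a higher existing level
        # in place, so reducing manage to edit would silently change nothing.
        Set-GPPermission -Name $GpoName -TargetName $Trustee -TargetType $TrusteeType `
            -PermissionLevel $Level -Replace | Out-Null
    }

    # Read the result back from the GPO instead of trusting the call.
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Trustee.Name -eq ($Trustee -replace '^.*\\', '') } |
        Select-Object @{n = 'Gpo'; e = { $GpoName } },
                      @{n = 'Trustee'; e = { $_.Trustee.Name } },
                      Permission
}

# Constructed names, for illustration only.
# Section 1: manage delegation (Edit Settings, Delete, Modify Security).
Set-GpoDelegation -GpoName 'Workstation Baseline' -Trustee 'GPO-Managers' -Level GpoEditDeleteModifySecurity
# Section 2: edit delegation for a group that only changes settings.
Set-GpoDelegation -GpoName 'Workstation Baseline' -Trustee 'GPO-Editors' -Level GpoEdit
# Reduce a trustee from manage to edit, then remove another trustee entirely.
Set-GpoDelegation -GpoName 'Workstation Baseline' -Trustee 'Helpdesk-Tier2' -Level GpoEdit
Set-GpoDelegation -GpoName 'Workstation Baseline' -Trustee 'Old-Contractors' -Level None
```

Run the function with -WhatIf first to see which change would be made; the read-back then shows the trustee's current level unchanged.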

The edit delegation applies only to the specified GPO, and it grants the delegate no additional permissions over that GPO. A user with the delegation to edit a GPO can do so by following these steps:

1. In the GPMC, expand the forest node, and then expand the domain node.

2. Expand the Group Policy Objects node.

3. Right-click the GPO that you want to edit, and then click Edit.

4. Configure your settings using the Group Policy Management Editor.

Warning

A user who has been granted the manage or edit delegation over a GPO has great power. Editing GPOs directly within the GPMC, not using AGPM, affects the production GPOs. When a GPO setting is updated, the change occurs immediately to the GPT and is replicated to all of the domain controllers in the domain. A setting modification made using the GPMC will update a target user or computer as soon as the target object background refresh occurs. It is ideal to use AGPM, which can be easily configured to allow changes to the GPO without those changes affecting the production environment.
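Because both delegations act directly on production GPOs, it is worth reviewing periodically who holds them. The following added example (not part of the original article) lists every trustee with edit or manage rights on any GPO in the domain, skipping the trustees that hold the manage level by default; it assumes the GroupPolicy PowerShell module (Windows Server 2008 R2 or later), and the function name and the expected-trustee list are assumptions to adjust for your domain.

```powershell
# Added example. Requires the GroupPolicy module (GPMC/RSAT, Windows Server 2008 R2 or later).
Import-Module GroupPolicy

function Get-GpoWriteDelegation {
    # Hypothetical helper: report non-default trustees that can change GPOs.
    param(
        # Trustees that receive the manage level on a new GPO by default (assumed baseline).
        [string[]]$ExpectedTrustee = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
    )

    # GpoCustom marks a hand-edited ACL that fits no standard level; it may
    # include write access, so it is reported for manual review.
    $writeLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

    foreach ($gpo in Get-GPO -All) {
        foreach ($entry in Get-GPPermission -Guid $gpo.Id -All) {
            $level = $entry.Permission.ToString()
            if ($writeLevels -notcontains $level) { continue }          # read/apply only
            if ($ExpectedTrustee -contains $entry.Trustee.Name) { continue }

            New-Object PSObject -Property @{
                Gpo       = $gpo.DisplayName
                GpoId     = $gpo.Id
                Trustee   = '{0}\{1}' -f $entry.Trustee.Domain, $entry.Trustee.Name
                SidType   = $entry.Trustee.SidType
                Level     = $level
                Inherited = $entry.Inherited
                Modified  = $gpo.ModificationTime
            }
        }
    }
}

# One row per GPO and non-default trustee; manage-level entries sort first.
Get-GpoWriteDelegation |
    Sort-Object @{ Expression = 'Level'; Descending = $true }, Gpo |
    Select-Object Gpo, Trustee, SidType, Level, Inherited, Modified |
    Format-Table -AutoSize
```

Entries whose SidType is User rather than a group, and any GpoCustom entry, are the ones to check first against the intended delegation for that GPO.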


Starter GPOs also have the same delegation options as normal GPOs. The steps for establishing the delegation on Starter GPOs are the same as for normal GPOs: use the Delegation tab after selecting the Starter GPO that you want to configure.
