1. Modeling GPOs
Delegating the ability to model GPOs is useful for all IT staff members, including the help desk, desktop management, and even personnel management. GPO modeling allows you to plan what the GPO settings would be for a user or computer if the objects were to be moved to a different organizational unit or have different settings applied to them, such as Windows Management Instrumentation (WMI) filters, loopback processing, site affiliation, and so on, as shown in Figure 1.
Group Policy Modeling of GPOs does not grant the user any control over the GPOs, just the ability to see the Resultant Set of Policy (RSoP) for users and computers that have membership in different groups, or that will be moved to a different organizational unit or configured with different GPO controls.
Delegation for modeling of GPOs is performed in the Active Directory node so that users can see the results of the modeling only for certain Active Directory organizational units. If users can see how GPOs are affecting users and computers elsewhere in the organization, they might be able to get important security or configuration information that could be used in a malicious way.
To configure the delegation for modeling of GPOs, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Select the Active Directory node for which you want to set up delegation.
3. Select the Delegation tab in the details pane.
4. Ensure that the Perform Group Policy Modeling Analyses option is selected in the Permission list.
5. To add members, click Add, and then select the user or group in the Select User, Computer, or Group dialog box, then click OK.
6. When the Add Group or User dialog box appears, select the scope of the permission, either to the selected container only or to the selected containers and child containers. Then click OK.
7. To remove a member, select the member, and then click Remove. When the Group Policy Management dialog box appears to confirm the deletion, click OK.
2. RSoP of GPOs
When delegating who can view RSoP data for users and computers, it is a good idea to include everyone who deals with management or support of GPOs. The tool does nothing more than determine the RSoP; however, it allows the RSoP to be seen from within the GPMC, instead of at the user’s desktop or on a server with specific credentials.
For more information about using the Group Policy Results Wizard to see the RSoP in the GPMC, which describes the Group Policy Results Wizard and provides steps for creating an RSoP.
Granting delegation over the RSoP allows the user to see the RSoP for a specific location within Active Directory. Delegation of the RSoP is performed in each Active Directory node within the GPMC. To set up delegation for running the RSoP for a node, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Select the Active Directory node for which you want to set up delegation.
3. Select the Delegation tab in the details pane.
4. Ensure that the Read Group Policy Results Data option is selected in the Permission list.
5. To add members, click Add, and then select the user or group in the Select User, Computer, or Group dialog box; then click OK.
6. When the Add Group or User dialog box appears, select the scope of the permission, either to the selected container only or to the selected containers and child containers; then click OK.
7. To remove a member, select the member, and then click Remove. When the Group Policy Management dialog box appears to confirm the deletion, click OK.
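Because both delegations above expose policy results for a whole container, it is worth reviewing periodically who holds them. The following is an added example, not part of the original text: it reads the ACL of the domain root and every organizational unit and reports the non-inherited entries that grant either permission. It assumes the RSAT ActiveDirectory module is installed, that the two GPMC permission names correspond to the Generate Resultant Set of Policy (Planning) and (Logging) extended rights, and uses a hypothetical helper name, Get-RsopDelegation.

```powershell
# Added example: list who holds the two GPMC delegations on the domain and each OU.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive) and read access.
Import-Module ActiveDirectory

# Extended rights assumed to sit behind the two GPMC permission names.
$RsopRights = @{
    # Generate Resultant Set of Policy (Planning)
    'b7b1b3dd-ab09-4242-9e30-9980e5d322f7' = 'Perform Group Policy Modeling Analyses'
    # Generate Resultant Set of Policy (Logging)
    'b7b1b3de-ab09-4242-9e30-9980e5d322f7' = 'Read Group Policy Results Data'
    # An empty object type on an extended-right ACE grants every extended right.
    '00000000-0000-0000-0000-000000000000' = 'All extended rights (includes both)'
}
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-RsopDelegation {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString()
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag($ExtendedRight)) { continue }
        if (-not $RsopRights.ContainsKey($guid)) { continue }

        [pscustomobject]@{
            Container  = $DistinguishedName
            Principal  = $ace.IdentityReference.Value
            Permission = $RsopRights[$guid]
            AppliesTo  = $ace.InheritanceType   # None = this container only
            Inherited  = $ace.IsInherited
        }
    }
}

# Domain root plus every OU: the Active Directory nodes where GPMC sets these delegations.
$containers = @((Get-ADDomain).DistinguishedName) +
              @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)

# Drop inherited entries so each delegation is reported where it was actually set.
$containers | ForEach-Object { Get-RsopDelegation -DistinguishedName $_ } |
    Where-Object { -not $_.Inherited } |
    Sort-Object Container, Principal |
    Format-Table -AutoSize
```

Entries reported as "All extended rights" usually come from full-control ACEs held by administrative groups; the rows to review are those granting either permission to broad groups or at a container higher than the staff member's area of responsibility.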