1. Full Control
When a user is granted full control over all GPOs in the domain or an individual GPO that has been controlled in AGPM, that user can control every aspect of the GPO. This includes editing, viewing, and approving changes and deployment of the GPO into production. The exact list of permissions is shown in Figure 1.
The benefit of this level of delegation is that users can be granted full control privileges over a single GPO in AGPM, without having any other control over other GPOs in AGPM.
To set up full control delegation in AGPM for a single GPO, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Select the Change Control node.
3. Select the Controlled tab, located on the Contents tab in the details pane.
4. Select the GPO for which you want to set up delegation.
5. If the user or group is already listed as having the specified archive permissions for the selected GPO list, select the group or user for which you are setting up delegation. Then click Advanced to open the Permissions dialog box. Select the group or user name in the Group Or User Names list, and then select the Full Control check box in the Allow column.
6. To add members, click Add, and then select the user or group in the Select User, Computer, or Group dialog box. Set up the Full Control delegation in the Add Group or User dialog box after adding the object.
7. To remove a member, select the member, and then click Remove. When the Group Policy Management dialog box appears to confirm the deletion, click OK.
2. Editing
If you want to restrict the amount of control that a user has over a GPO in AGPM, but you still want that user to be able to make modifications to the GPO, you may want to delegate the edit privilege. This level of access in AGPM is referred to as Editor privileges. To set up Editor privileges for a group in AGPM, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Select the Change Control node.
3. Select the Controlled tab, located on the Contents tab in the details pane.
4. Select the GPO for which you want to set up delegation.
5. If the user or group is already listed as having the specified archive permissions for the selected GPO list, select the group or user for which you are setting up delegation. Then click Advanced to open the Permissions dialog box. Select the group or user name in the Group or User Names list box, and then select the Editor check box in the Allow column.
6. To add members, click Add, and then select the user or group in the Select User, Computer, or Group dialog box, setting up the Editor delegation after adding the object.
7. To remove a member, select the member, and then click Remove.
As with many other permissions for files, folders, and other NTFS-related objects in Windows, when you select the Editor check box, the Reviewer check box is also selected. This is because it is not possible to edit a GPO in AGPM without also having Reviewer (in essence, Read) access, as shown in Figure 2.
The Editor permission includes:
List Contents
Read Settings
Edit Settings
Create Template
After a user has been granted the Editor permission, one or more GPOs in the AGPM environment will be available for editing. Like the full control delegation, the Editor permission can be granted either at the domain level or at the individual GPO level. If granted at the domain level, under the Domain Delegation tab, the user can edit any GPO that is brought into AGPM. To edit a GPO from within AGPM, the user must follow these steps:
1. In the GPMC, select the Controlled tab in the details pane.
2. Right-click the GPO that you want to edit, and then click Check Out.
3. Type an optional comment in the Comment box, and then click OK.
4. On the Controlled tab, right-click the GPO that you just checked out, and then click Edit.
5. Make any modification to the GPO, and then exit the GPMC.
Note
To edit a GPO from within AGPM, the user must install both the GPMC and the AGPM client to expose the Change Control node in the GPMC (the area that controls the AGPM content).