
How do I delegate the ability to edit and link Group Policy Objects in Active Directory?

In document Windows 2000 Group Policy (Page 104-108)

A:

Delegation of Group Policy Object (GPO) management involves modifying Active Directory (AD) security on either a container object (a site, domain, or organizational unit—OU) or the GPO itself, depending upon the function you are delegating.

Delegation of AD rights can often be a challenging process. In the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, Windows 2000 (Win2K) provides the Delegation of Control wizard to help manage AD rights for the purpose of delegating administration of AD objects. But the Delegation of Control wizard is only good for setting the initial permissions on an AD object and can’t delegate administration of GPOs. If you need to modify those rights, the wizard has little value.

Delegate GPO Editing

Let’s take a look at how you can delegate the editing and linking of GPOs more directly than with the Delegation of Control wizard. First, let’s examine how you can delegate editing of GPOs. The first thing to know about GPO delegation is that it’s all about modifying the access control list (ACL) of the GPO. A GPO is composed of the Group Policy Container (GPC, which is an object in AD) and the Group Policy Template (GPT, which is a set of folders and files in SYSVOL). Thus, you need to be able to modify the permissions of these two pieces of the GPO to grant users and groups the ability to modify the GPO. Fortunately, there is a fairly easy way to modify these permissions that does not require you to directly manipulate the ACLs on each. The following step-by-step instructions walk you through changing the security on a GPO to allow a new user group (for example, GPO Admins) the ability to edit the GPO called My Delegated GPO:

1. Start the Active Directory Users and Computers (or Active Directory Sites and Services) MMC snap-in.

2. Right-click the container object (site, domain, or OU) to which the GPO you want to delegate is linked.

3. Select Properties from the context menu, then select the Group Policy tab.

4. Highlight the GPO you want to delegate, then click Properties. You will be given the choice of three tabs—General, Links, and Security. Choose the Security tab to bring up the ACL editor focused on the GPO, which Figure 5.1 shows.

Figure 5.1: Viewing the ACL editor focused on a GPO for delegation.

5. Click Add at the top of the dialog box to choose the user group to which you’re delegating editing rights on this GPO.

6. Once you’ve added the group to the ACL editor, make sure that the group name is highlighted, then check the following permissions for that group to grant GPO editing rights: Read, Write, Create All Child Objects, and Delete All Child Objects, as Figure 5.2 shows.

Figure 5.2: Delegating GPO editing rights to the GPO Admins group.

7. You can also control who processes a GPO from the same dialog box. The combination of Read and Apply Group Policy rights means that the groups with those two rights will always process the GPO.

There’s nothing more to delegating the editing of an existing GPO than what I’ve just described.
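The same editing delegation expressed in PowerShell, as an added example that is not part of the original document: it grants the rights from steps 5 and 6 and then reads the group's ACEs back from both halves of the GPO, since the text notes that a GPO is a GPC in AD plus a GPT in SYSVOL and both must carry the permission. It assumes the RSAT GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 or later, not available on Windows 2000); the GPO and group names are the document's, and the function names Grant-GpoEdit and Get-GpoDelegationOnBothHalves are chosen here.

```powershell
# Added example, not from the original document. Requires the RSAT GroupPolicy and
# ActiveDirectory modules (Windows Server 2008 R2 or later); run as a user who may
# change GPO security (for example a Domain Admin).
Import-Module ActiveDirectory, GroupPolicy

function Grant-GpoEdit {
    # Steps 5 and 6 of the document as code. The GpoEdit level is Read, Write, Create All
    # Child Objects and Delete All Child Objects; it does not include Apply Group Policy,
    # so the group can edit the GPO without processing it.
    param([Parameter(Mandatory)][string] $GpoName,
          [Parameter(Mandatory)][string] $GroupName)
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                     -PermissionLevel GpoEdit | Out-Null
}

function Get-GpoDelegationOnBothHalves {
    # Reads the group's ACEs from the GPC (the AD object under CN=Policies) and from the
    # GPT (the SYSVOL folder). The GUI and Set-GPPermission write both; a group present
    # on only one half is the inconsistent-permissions state worth catching in review.
    param([Parameter(Mandatory)][string] $GpoName,
          [Parameter(Mandatory)][string] $GroupName)
    $gpo     = Get-GPO -Name $GpoName
    $gptPath = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
    $gpcAces = (Get-Acl -Path "AD:\$($gpo.Path)").Access |
               Where-Object { $_.IdentityReference.Value -like "*\$GroupName" }
    $gptAces = (Get-Acl -Path $gptPath).Access |
               Where-Object { $_.IdentityReference.Value -like "*\$GroupName" }
    [pscustomobject]@{
        GPO           = $GpoName
        Group         = $GroupName
        GpcRights     = ($gpcAces.ActiveDirectoryRights | Sort-Object -Unique) -join '; '
        GptRights     = ($gptAces.FileSystemRights      | Sort-Object -Unique) -join '; '
        PresentOnBoth = [bool]($gpcAces) -and [bool]($gptAces)
    }
}

# Usage with the document's names, then the step 7 view: trustees whose permission is
# GpoApply (Read plus Apply Group Policy) are the ones that will process this GPO.
Grant-GpoEdit -GpoName 'My Delegated GPO' -GroupName 'GPO Admins'
Get-GpoDelegationOnBothHalves -GpoName 'My Delegated GPO' -GroupName 'GPO Admins'
Get-GPPermission -Name 'My Delegated GPO' -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```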

Delegate GPO Linking

Now let’s look at how you can delegate the task of linking an existing GPO to a container object. Without the ability to link a GPO to a container object such as a site, domain, or OU, you can’t really do much with your GPOs—they won’t be processed by any computers or users within your AD infrastructure. You can use the Delegation of Control wizard to delegate the linking right, but I’m going to show you how to delegate the linking right directly because the Delegation of Control wizard doesn’t let you change the delegation once you’ve used the wizard to set it up initially. Once again, the delegation process for the right to link to GPOs is about modifying AD security—in this case, on the container object directly instead of on the GPO. So let’s suppose that you want to delegate the linking right to the same GPO Admins group I used earlier for the HQ OU. Thus, you want any member of the GPO Admins group to be able to link

2. Right-click the OU, choose Properties from the context menu, then select the Security tab.

3. You will now see the familiar ACL editor dialog box focused on the OU. Click Add to add the GPO Admins group as a new access control entry (ACE), and click OK to confirm the new addition.

4. With the GPO Admins group name highlighted in the top half of the ACL editor dialog box, click Advanced to bring up the Advanced ACL editor dialog box, which Figure 5.3 shows.

Figure 5.3: Viewing the Advanced ACL editor focused on an OU.

5. Again, with the GPO Admins group highlighted, click View/Edit, then select the Properties tab.

6. You will see a long list of AD properties for this OU object that you can set permissions on. In this case, we are interested in two of those—Write gPLink and Write gPOptions. Select these two rights to grant the GPO Admins group the ability to link GPOs to this OU. (Note that the Read gPLink and Read gPOptions properties should already be selected.) Figure 5.4 shows what these selections will look like.

Figure 5.4: Viewing the rights that need to be set to delegate GPO linking.

7. Click OK through three dialog boxes to confirm the change.

Once you’ve granted these two rights, the group or user you’ve designated will have the ability to link GPOs to the container object. Why? What you did in the previous steps was grant the group called GPO Admins the ability to modify the AD properties called gPLink and gPOptions. These two properties, or attributes as they’re often called, contain the list (gPLink) of GPOs linked to the container object and options (gPOptions) that you’ve selected. A group must have the ability to write to both of these attributes to properly link a GPO.
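The linking delegation and its follow-up review in PowerShell, as an added example that is not part of the original document: it sets the two property-scoped write ACEs the steps above describe, then lists every principal whose ACEs let it write gPLink or gPOptions on the OU. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later, not available on Windows 2000), uses the document's HQ OU and GPO Admins group with a placeholder domain DN, and the function names Grant-GpoLinkRight and Get-GpoLinkDelegation are chosen here.

```powershell
# Added example, not from the original document. Requires the RSAT ActiveDirectory
# module (Windows Server 2008 R2 or later); 'OU=HQ,DC=example,DC=com' is a placeholder DN.
Import-Module ActiveDirectory

# Resolve the schemaIDGUIDs of gPLink and gPOptions from the schema instead of hard-coding
# them; a property-scoped ACE carries the attribute's GUID in its ObjectType.
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$LinkAttrs = @{}
foreach ($attr in 'gPLink', 'gPOptions') {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    $LinkAttrs[[guid] $o.schemaIDGUID] = $attr
}

function Grant-GpoLinkRight {
    # Steps 2 to 7 of the document as code: one Allow WriteProperty ACE per attribute,
    # which is what the "Write gPLink" and "Write gPOptions" check boxes set.
    param([Parameter(Mandatory)][string] $OuDn,
          [Parameter(Mandatory)][string] $GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    foreach ($guid in $LinkAttrs.Keys) {
        $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow, $guid))
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-GpoLinkDelegation {
    # The review after a delegation: every principal able to change which GPOs the container
    # processes. An empty ObjectType means "write all properties", and GenericWrite and
    # GenericAll carry the WriteProperty bit, so those broader grants are reported as well.
    param([Parameter(Mandatory)][string] $OuDn)
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights.HasFlag($writeProp) -and
                       ($_.ObjectType -eq [guid]::Empty -or $LinkAttrs.ContainsKey($_.ObjectType)) } |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.IdentityReference.Value
                Via       = if ($LinkAttrs.ContainsKey($_.ObjectType)) { $LinkAttrs[$_.ObjectType] } else { "$($_.ActiveDirectoryRights)" }
                Inherited = $_.IsInherited
            }
        }
}

Grant-GpoLinkRight    -OuDn 'OU=HQ,DC=example,DC=com' -GroupName 'GPO Admins'
Get-GpoLinkDelegation -OuDn 'OU=HQ,DC=example,DC=com' | Format-Table -AutoSize
```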

Q 5.2: How does the Delegation of Control wizard work for Group
