How to Delegate Authority for Editing a Group Policy Object (GPO)

• Microsoft Windows 2000 Server
• Microsoft Windows 2000 Datacenter Server
• Microsoft Windows 2000 Advanced Server

SUMMARY

Administrators can delegate the authority to create and manage Group Policy Objects (GPOs). This article describes how to accomplish this task.

MORE INFORMATION

1. Create an Organizational Unit (OU) and create a new GPO directly linked to this OU. This can be done by clicking Properties on the context menu of the OU, clicking the Group Policy tab in the Properties dialog box, and clicking the New button. Once the GPO has been created, launch the Delegation Wizard. The Delegation Wizard provides a step-by-step process in which specific functionality may be delegated easily, with a high degree of detail.



2. Directly access the security settings for the GPO itself, by clicking Properties on the context menu of the specific GPO, and clicking the Security tab. Add your non-administrator user to the list of users for whom security is defined.



3. Provide your user Full Control - Allow privilege. Full Control will provide the user the ability to write to the GPO, and also to change security permissions on the GPO. If you wish to prevent this user from setting security, you may decide to give them only the Write - Allow permission
   
   You may also decide that the user should be exempt from the application of this policy, and this may be accomplished by clearing the Apply Group Policy - Allow privilege.



4. To simplify administration for the user, launch the management console (Mmc.exe) and add the Group Policy snap-in. Browse for and add the GPO that you are configuring for delegation. Once this MMC session is appropriately configured, save the MMC session and give to the user. The user can now utilize and administer their GPO with no additional setup.

Additional query words:

Keywords : kbenv
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbhowto