Delegate creation of Group Policy objects

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To delegate creation of Group Policy objects

  1. Open Active Directory Users and Computers.

  2. In the console tree, click Users.

  3. In the Name column in the details pane, double-click Group Policy Creator Owners.

  4. In the Group Policy Creator Owners Properties dialog box, click the Members tab.

  5. Click Add, type the name of the user or group of users, and then click OK.

Notes

  • To complete this procedure, you must be logged on as a member of the Domain Admins group or the Enterprise Admins group.

  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  • By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. If the domain administrator wants a nonadministrator or a group to be able to create Group Policy objects, that user or group can be added to the Group Policy Creator Owners security group. When a user who is not an administrator, but who is a member of the Group Policy Creator Owners group, creates a Group Policy object, that user becomes the creator and owner of the Group Policy object; therefore, that user can edit the Group Policy object. Being a member of the Group Policy Creator Owners group gives the user full control of only those Group Policy objects that the user creates or those Group Policy objects that are explicitly delegated to that user. It does not give the nonadministrator user any additional rights over other Group Policy objects for the domain; these users are not granted rights over Group Policy objects that they did not create.

  • When an administrator creates a Group Policy object, the Domain Admins group becomes the Creator Owner of the Group Policy object.

  • When you delegate this task to nonadministrators, also consider delegating the ability to manage the links for a specific organizational unit. The reason for this is that, by default, nonadministrators cannot manage links, and the inability to manage links prevents them from being able to use Active Directory Users and Computers to create a Group Policy object.
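
The ownership rules in the notes above can be reviewed with a short PowerShell check. This is an added example, not part of the original procedure: it lists GPOs whose owner is not one of the administrative groups and shows whether that owner is still a member of Group Policy Creator Owners. The function name, the EXAMPLE domain and the sample accounts are constructed; for live data it assumes the ActiveDirectory and GroupPolicy modules, which ship with later Windows versions than the ones this page applies to.

```powershell
# Added example: review GPOs owned by delegated (nonadministrator) creators.
# Live input would come from the ActiveDirectory and GroupPolicy modules:
#   Get-ADGroupMember 'Group Policy Creator Owners' -Recursive   (map to DOMAIN\name)
#   Get-GPO -All                                                 (DisplayName, Owner)
# The data at the bottom is constructed so the script runs offline.

function Get-DelegatedGpoReport {
    param(
        [string[]]$CreatorOwnerMembers,  # DOMAIN\name of each group member
        [object[]]$Gpos,                 # objects with DisplayName and Owner
        [string[]]$AdminOwners           # owners expected for administrator-created GPOs
    )
    foreach ($gpo in $Gpos) {
        # Administrator-created GPOs are owned by Domain Admins; skip them.
        if ($AdminOwners -contains $gpo.Owner) { continue }

        [pscustomobject]@{
            Gpo          = $gpo.DisplayName
            Owner        = $gpo.Owner
            # Removing an account from the group does not change the owner
            # of GPOs it already created, so a False here needs review.
            StillInGroup = $CreatorOwnerMembers -contains $gpo.Owner
        }
    }
}

# Constructed sample data (hypothetical domain and accounts).
$members = @('EXAMPLE\alice')
$admins  = @('EXAMPLE\Domain Admins', 'EXAMPLE\Enterprise Admins')
$gpos    = @(
    [pscustomobject]@{ DisplayName = 'Default Domain Policy'; Owner = 'EXAMPLE\Domain Admins' }
    [pscustomobject]@{ DisplayName = 'Kiosk Lockdown';        Owner = 'EXAMPLE\alice' }
    [pscustomobject]@{ DisplayName = 'Lab Printers';          Owner = 'EXAMPLE\bob' }
)

Get-DelegatedGpoReport -CreatorOwnerMembers $members -Gpos $gpos -AdminOwners $admins |
    Format-Table -AutoSize
```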

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.
