Delegate an individual Group Policy object using GPMC

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To delegate an individual Group Policy object

  1. Open Group Policy Management.

  2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Group Policy object (GPO) for which you want to add or remove permissions.

    Where?

    Forest name/Domains/Domain name/Group Policy Objects

  3. Click the GPO.

  4. In the results pane, click the Delegation tab, and then do one of the following:

    • To delegate permissions for a group or user

    • To change permissions for a group or user

    • To remove permissions for a group or user

To delegate permissions for a group or user
  1. Click Add.

  2. In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects for which you want to add GPO permissions, and then click OK.

  3. Click Locations, select either Entire Directory or the domain or organizational unit containing the object for which you want to add GPO permissions, and then click OK.

  4. In the Enter the object name to select box, enter the name of the object for which you want to add GPO permissions by performing one of the following actions:

    • If you know the name, type it, and then click OK.

    • To search for the name, click Advanced, enter the search criteria, click Find Now, select the name in the list box, click OK, and then click OK.

  5. In the Permissions box of the Add Group or User dialog box, select the appropriate permissions from the drop-down list, and then click OK.

To change permissions for a group or user
  1. In the Groups and users list box, right-click the name of the group or user for which you want to change permissions, and then click the appropriate permission level: Read only, Edit Settings, or Edit, delete, modify security.

  2. When prompted to confirm the change in delegation permissions, click OK.

To remove permissions for a group or user
  1. In the Groups and users list box, right-click the name of the group or user for which you want to remove permissions, and then click Remove.

  2. When prompted to confirm the removal of the delegation privilege, click OK.

Notes

  • You must have Edit settings, delete, and modify security permissions on the GPO to perform these procedures.

  • Groups and users that show Custom in the Allowed Permissions column of the Groups and users list box on the Delegation tab have permissions that do not match any of the three standard permission levels. To view the permissions for groups with custom permissions, or to set custom permissions, click Advanced. To change permissions to one of the standard levels, follow the steps under "To change permissions for a group or user" above.

  • At least one group or user must have Edit settings, delete, and modify security permissions on each GPO. You cannot remove a group or user if it is the only group or user on a GPO that has this permission set.

  • Permissions inherited from parent containers cannot be removed.

  • You can also perform this procedure or a related task by using one or more of the sample scripts included with Group Policy Management. For more information, see "Scripting Group Policy tasks" in Related Topics.
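
The delegation set through the procedures above can be reviewed across every GPO in a domain with a short script. This is an added example, not one of the sample scripts shipped with Group Policy Management. It assumes the GroupPolicy PowerShell module that ships with GPMC on later Windows versions (not Windows Server 2003), and the `$ExpectedEditors` list and the function name are hypothetical.

```powershell
# Added example: read-only review of GPO delegation (makes no changes).
# Assumes the GroupPolicy module that ships with GPMC/RSAT on later Windows versions.
Import-Module GroupPolicy

# Assumption: trustees expected to hold edit-level rights. Adjust for your domain.
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

# Levels that allow changing a GPO's settings or its security.
# GpoCustom is the "Custom" entry described in the Notes and needs manual review.
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

function Get-GpoDelegationReport {
    param([string] $Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # -All returns every group or user that has permissions on the GPO.
        foreach ($p in Get-GPPermission -Guid $gpo.Id -All -Domain $Domain) {
            # Unresolvable trustees (for example deleted accounts) have no name,
            # so fall back to the raw SID to keep them visible in the report.
            $name  = if ($p.Trustee.Name) { $p.Trustee.Name } else { $p.Trustee.Sid.Value }
            $level = $p.Permission.ToString()
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                Trustee     = $name
                SidType     = $p.Trustee.SidType
                Level       = $level
                Inherited   = $p.Inherited   # inherited entries cannot be removed on the GPO
                Denied      = $p.Denied
                NeedsReview = ($EditLevels -contains $level) -and
                              ($ExpectedEditors -notcontains $name)
            }
        }
    }
}

$report = Get-GpoDelegationReport

# Edit-level or custom delegations held by trustees outside the expected list.
$report | Where-Object NeedsReview | Sort-Object Gpo, Trustee | Format-Table -AutoSize

# GPOs where only one trustee holds the highest level: that trustee cannot be
# removed until another group or user is granted the same level.
$report |
    Where-Object { $_.Level -eq 'GpoEditDeleteModifySecurity' -and -not $_.Denied } |
    Group-Object Gpo | Where-Object Count -eq 1 | Select-Object -ExpandProperty Name
```

Entries flagged `NeedsReview` with level `GpoCustom` still have to be opened with Advanced on the Delegation tab, because the script reports only that the permissions are non-standard, not which rights they contain.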

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Scripting Group Policy tasks using GPMC
Delegate creation of Group Policy objects using GPMC
Delegate policy-related permissions on a domain, OU, or site using GPMC
Delegation and policy-related permissions
Start Group Policy Management Console