Delegate Permissions for a Group or User on a Group Policy Object

Applies To: Windows 8, Windows Server 2008 R2, Windows Server 2012

To delegate permissions for a group or user on a Group Policy object

  1. In the Group Policy Management Console (GPMC) console tree, expand the Group Policy Objects node in the forest and domain containing the Group Policy object (GPO) for which you want to add or remove permissions.

  2. Click the GPO.

  3. In the results pane, click the Delegation tab.

  4. Click Add .

  5. In the Select User, Computer, or Group dialog box, click Object Types , select the types of objects for which you want to add GPO permissions, and then click OK .

  6. Click Locations , select either Entire Directory or the domain or organizational unit containing the object for which you want to add GPO permissions, and then click OK .

  7. In the Enter the object name to select box, type the name of the object for which you want to add GPO permissions by performing one of the following actions:

    • If you know the name, type it and then click OK .

    • To search for the name, click Advanced , type the search criteria, click Find Now , select the name in the list box, click OK , and then click OK again.

    • In the Permissions box of the Add Group or User dialog box, select the appropriate permissions from the drop-down list, and then click OK .

Additional considerations

  • To perform this procedure, you must have Edit settings, delete, and modify security permissions on the GPO.

  • Groups and users that have Custom in the Allowed Permissions column in the Groups and users list box on the Delegation tab have permissions that do not match one of the three standard levels of permissions. To view the permissions for groups with custom permissions or to set custom permissions, click Advanced .

  • You can also click the Delegation tab to change or remove permissions for a group or user on a GPO.

Additional references