Delegate policy-related permissions on a domain, OU, or site using GPMC

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To delegate permissions to link Group Policy objects

  1. Open Group Policy Management.

  2. In the console tree, do one of the following:

    • To delegate permission to link Group Policy objects (GPOs) to either the domain or an organizational unit, click the domain or the organizational unit (console tree location is: Forest name/Domains/Domain name/Organizational unit).

    • To delegate permission to link GPOs to a site, click the site (console tree location is: Forest name/Sites/Site name).

  3. In the results pane, click the Delegation tab.

  4. In the Permission drop down list box, select Link GPOs, and then specify permissions to link GPOs for a group or user by doing one of the following:

    • To add a new group or user to the permissions list for domains and organizational units

    • To add a new group or user to the permissions list for sites

    • To change the inheritance of permissions on a domain or organizational unit for a group or user

    • To remove a group or user from the permissions list

    • To delegate permissions for generating Group Policy Modeling data

    • To delegate permissions to read Group Policy Results data

To add a new group or user to the permissions list for domains and organizational units
  1. On the Delegation tab, click Add.

  2. In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects to which you want to delegate permissions for the domain, site, or organizational unit, and then click OK.

  3. Click Locations, select either Entire Directory or the domain or organizational unit containing the object to which you want to delegate permissions, and then click OK.

  4. In the Enter the object name to select box, enter the name of the object to which you want to delegate permissions by doing one of the following:

    • If you know the name, type it, and then click OK.

    • To search for the name, click Advanced, enter the search criteria, click Find Now, select the name in the list box, click OK, and then click OK.

  5. In the Add Group or User dialog box, in the Permissions drop down list box, select the level to which you want permissions to apply for this group or user, and then click OK.

To add a new group or user to the permissions list for sites
  1. On the Delegation tab, click Add.

  2. In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects to which you want to delegate permissions for the domain, site, or organizational unit, and then click OK.

  3. Click Locations, select either Entire Directory or the domain or organizational unit containing the object to which you want to delegate permissions, and then click OK.

  4. In the Enter the object name to select box, enter the name of the object to which you want to delegate permissions by doing one of the following:

    • If you know the name, type it, and then click OK.

    • To search for the name, click Advanced, enter the search criteria, click Find Now, select the name in the list box, click OK, and then click OK.

To change the inheritance of permissions on a domain or organizational unit for a group or user
  • On the Delegation tab of the domain or organizational unit, in the Groups and users list box, right-click the name of the group or user, and then click This container only or This container and children to specify the level to which you want permissions to apply for this group or user.
To remove a group or user from the permissions list
  1. On the Delegation tab, in the Groups and users list box, select the name of the group or user to be removed, and then click Remove.

  2. When prompted to confirm the removal, click OK.

Notes

  • To delegate permissions to link GPOs to a site, domain, or organizational unit, you must have Modify Permissions on that site, domain, or organizational unit. By default, only Domain Administrators and Enterprise Administrators have this permission.

  • Users and groups with permission to link GPOs to a specific site, domain, or organizational unit can link GPOs, change link order, and set block inheritance on that site, domain, or organizational unit.

  • You cannot remove groups and users that inherit permissions from a parent container.

  • Some entries in the Groups and users list box, such as System, do not have an associated property dialog box, so Properties is unavailable for these entries.

To delegate permissions for generating Group Policy Modeling data
  1. Open Group Policy Management.

  2. In the console tree, click the domain or organizational unit for which you want to delegate Group Policy Modeling permissions.

    Where?

    • Forest name/Domains/Domain name/Organizational unit (if applicable)
  3. In the results pane, click the Delegation tab.

  4. In the Permission box, select Perform Group Policy Modeling analyses, and then do one of the following:

    To add a new group or user to the permissions list

    1. On the Delegation tab, click Add.

    2. In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects to which you want to delegate permissions for the domain, site, or organizational unit, and then click OK.

    3. Click Locations, select either Entire Directory or the domain or organizational unit containing the object to which you want to delegate permissions, and then click OK.

    4. In the Enter the object name to select box, enter the name of the object to which you want to delegate permissions by doing one of the following:

      • If you know the name, type it, and then click OK.

      • To search for the name, click Advanced, enter the search criteria, click Find Now, select the name in the list box, click OK, and then click OK.

    5. In the Add Group or User dialog box, in the Permissions drop down list box, select the level to which you want permissions to apply for this group or user, and then click OK.

    To change the inheritance for a group or user in the permissions list

    On the Delegation tab, in the Groups and users list box, right-click the name of the group or user, and then click This container only or This container and children to specify the level to which you want permissions to apply for this group or user.

    To remove a group or user from the permissions list

    1. On the Delegation tab, in the Groups and users list box, select the name of the group or user to be removed, and then click Remove.

    2. When prompted to confirm the removal, click OK.

Notes

  • To delegate permissions to perform Group Policy Modeling analyses for objects in a domain or organizational unit, you must have Modify Permissions on that domain or organizational unit. By default, only Domain Administrators and Enterprise Administrators have this permission.

  • You cannot delegate permission to perform Group Policy Modeling analyses for sites.

  • In earlier versions of Group Policy, Group Policy Modeling was referred to as Resultant Set of Policy (RSoP) planning mode.

To delegate permissions to read Group Policy Results data
  1. Open Group Policy Management.

  2. In the console tree, click the domain or organizational unit for which you want to delegate permission to read Group Policy Results data.

    Where?

    • Group Policy Management Console/Forest name/Domains/Domain name/Organizational unit (if applicable)
  3. In the results pane, click the Delegation tab.

  4. In the Permissions dropdown list, select Read Group Policy Results data, and then do one of the following:

    To add a new group or user to the permissions list

    1. On the Delegation tab, click Add.

    2. In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects to which you want to delegate permissions for the domain, site, or organizational unit, and then click OK.

    3. Select the user or group to whom permission should be delegated.

    4. In the Add Group or User dialog box, in the Permissions drop down list box, select the level to which you want permissions to apply for this group or user, and then click OK.

    To change inheritance for a group or user in the permissions list

    On the Delegation tab, in the Groups and users list box, right-click the name of the group or user, and then click This container only or This container and children to specify the level to which you want permissions to apply for this group or user.

    To remove a group or user from the permissions list

    1. On the Delegation tab, in the Groups and users list box, select the name of the group or user to be removed, and then click Remove.

    2. When prompted to confirm the removal, click OK.

Notes

  • To delegate permissions to read Group Policy Results data for objects in a domain or organizational unit, you must have Modify Permissions on that domain or organizational unit. By default, only Domain Administrators and Enterprise Administrators have this permission.

  • You cannot delegate permission to read Group Policy Results data for sites.

  • In earlier versions of Group Policy, Group Policy Results was referred to as Resultant Set of Policy (RSoP) logging mode.
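
To review the result of the three delegation procedures above without opening each Delegation tab, the container's access control list can be read directly. The following is an added example, not part of the original topic and not a Microsoft tool: it parses the SDDL string of an organizational unit's security descriptor and reports which trustees hold Link GPOs, Perform Group Policy Modeling analyses, or Read Group Policy Results data, with the scope (This container only or This container and children) and whether the entry is inherited. It assumes that Link GPOs corresponds to write access on both the gPLink and gPOptions attributes and that the other two permissions are the RSoP planning and logging extended rights; the SDDL and SIDs are constructed sample values, and only symbolic (two-letter) rights strings are handled.

```python
import re
from collections import defaultdict

GPLINK = "f30e3bbe-9ff0-11d1-b603-0000f80367c1"     # gPLink attribute
GPOPTIONS = "f30e3bbf-9ff0-11d1-b603-0000f80367c1"  # gPOptions attribute
RSOP_NAMES = {  # extended rights -> GPMC permission name
    "b7b1b3dd-ab09-4242-9e30-9980e5d322f7": "Perform Group Policy Modeling analyses",
    "b7b1b3de-ab09-4242-9e30-9980e5d322f7": "Read Group Policy Results data",
}
# SDDL right required on each GUID: WP = write property, CR = control access.
NEEDED = {GPLINK: "WP", GPOPTIONS: "WP", **dict.fromkeys(RSOP_NAMES, "CR")}

# Constructed SDDL for a hypothetical OU; the SIDs are made-up sample values.
SAMPLE_SDDL = (
    "D:AI(OA;CI;RPWP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;;S-1-5-21-1-2-3-1105)"
    "(OA;CI;RPWP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;;S-1-5-21-1-2-3-1105)"
    "(OA;;CR;b7b1b3de-ab09-4242-9e30-9980e5d322f7;;S-1-5-21-1-2-3-1106)"
    "(OA;CIID;CR;b7b1b3dd-ab09-4242-9e30-9980e5d322f7;;S-1-5-21-1-2-3-1107)"
    "(OA;CI;RPWP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;;S-1-5-21-1-2-3-1108)"
    "(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
)

def pairs(s):
    """Split an SDDL flag or rights string into its two-letter codes."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def gpmc_delegations(sddl):
    """Map (trustee, scope, inherited) to the GPMC permissions its allow ACEs grant."""
    dacl = re.search(r"D:(.*?)(?:S:|$)", sddl, re.S).group(1)
    held = defaultdict(set)
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        kind, flags, rights, obj, _inherit_obj, sid = ace.split(";")[:6]
        flags, rights, obj = pairs(flags), pairs(rights), obj.lower()
        if kind not in ("A", "OA") or "IO" in flags:
            continue  # deny ACEs are not evaluated; inherit-only ACEs skip this container
        scope = "This container and children" if "CI" in flags else "This container only"
        for guid, right in NEEDED.items():
            # An ACE with no object GUID covers every attribute and extended right.
            if (obj == guid or not obj) and (right in rights or "GA" in rights):
                held[(sid, scope, "ID" in flags)].add(guid)
    result = {}
    for key, guids in held.items():
        # Assumption: Link GPOs needs write access to both gPLink and gPOptions.
        perms = ["Link GPOs"] if {GPLINK, GPOPTIONS} <= guids else []
        perms += [name for guid, name in RSOP_NAMES.items() if guid in guids]
        if perms:
            result[key] = perms
    return result
```

In the sample, the trustee ending in 1108 can write gPLink but not gPOptions and is therefore not reported, while the inherited full-control entry for Domain Admins (DA) is reported with all three permissions.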

See Also

Concepts

Link a Group Policy object using GPMC
Delegation and policy-related permissions
Scripting Group Policy tasks using GPMC
Security settings overview for GPMC
Security filtering using GPMC
Filter using security groups
Simulate Resultant Set of Policy using Group Policy Modeling
Determine Resultant Set of Policy with Group Policy Results
Start Group Policy Management Console