Sunday, August 21, 2011

Tips: How to delegate control to users or groups to work with GPOs or a domain

By granting any one of these three specific permissions, you can let a non-administrative user or group (including users and groups from other domains) work with a domain, site, or OU GPO.

Read: Allows the user or group to view the GPO and its settings.
Edit Settings: Allows the user or group to view the GPO and its settings and also change settings. The user or group cannot delete the GPO or modify security.
Edit Settings, Delete, Modify Security: Allows the user or group to view the GPO and its settings and also change settings, delete the GPO, and modify security.

Follow these steps to grant these permissions to a user or a group:
1.    In the GPMC, expand the entry for the forest you wish to work with and then expand the related Domains node.
2.    Then, expand the node for the domain you wish to work with.
3.    If you cannot see the domain you wish to work with, right-click Domains and then click Show Domains.
4.    Then, select the domains you wish to display.
5.    After that, select the Group Policy Objects node and select the GPO you wish to work with in the left pane.
6.    Then, select the Delegation tab in the right pane.
7.    The current permissions for individual users and groups are now listed.
8.    Click Add to grant the permission to another user or group.
9.    In the Select User, Computer, Or Group dialog box, select the user or group and then click OK.
10.    After that, in the Add Group Or User dialog box, select the permission to grant: Read; Edit Settings; or Edit Settings, Delete, Modify Security.
11.    Click OK. That’s it!
The list of users and groups on the Delegation tab is updated to reflect the granted permission. If you wish to remove this permission in the future, display the Delegation tab, select the user or group, and click Remove.
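The same delegation can be granted, reviewed and removed from PowerShell with the GroupPolicy module that installs alongside the GPMC. This is an added example, not part of the original post; the GPO name, the group name and the list of expected trustees are hypothetical placeholders. It also goes one step beyond the GUI procedure by listing, across every GPO in the domain, any trustee outside the expected list that holds more than Read.

```powershell
Import-Module GroupPolicy   # installed with GPMC / RSAT

# Hypothetical names: replace with your own GPO and security group.
$GpoName = 'Workstation Baseline'
$Trustee = 'GPO-Editors'

# GPMC label                              -> -PermissionLevel value
# Read                                    -> GpoRead
# Edit Settings                           -> GpoEdit
# Edit Settings, Delete, Modify Security  -> GpoEditDeleteModifySecurity

# Steps 8-11: grant "Edit Settings" to the group.
Set-GPPermission -Name $GpoName -TargetName $Trustee -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# Step 7: show what the Delegation tab lists for this GPO.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Inherited

# Review: trustees not on the expected list that can change any GPO.
# GpoCustom is included because custom ACLs need a manual look.
# The expected list is an assumption; adjust it to your environment.
$Expected    = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'
$WriteLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

$findings = foreach ($gpo in Get-GPO -All) {
    foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
        $canWrite = $WriteLevels -contains "$($ace.Permission)"
        # Unresolved SIDs have no name and are reported as well.
        $unknown  = $Expected -notcontains $ace.Trustee.Name
        if ($canWrite -and $unknown) {
            $ace | Select-Object @{n='Gpo';e={$gpo.DisplayName}},
                @{n='Trustee';e={$ace.Trustee.Name}},
                @{n='Sid';e={$ace.Trustee.Sid}},
                Permission
        }
    }
}
$findings | Sort-Object Gpo, Trustee | Format-Table -AutoSize

# Equivalent of selecting the entry and clicking Remove.
Set-GPPermission -Name $GpoName -TargetName $Trustee -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
```

Anyone who can edit a GPO can change settings on every computer or user the GPO applies to, so the review output is worth checking whenever delegation changes.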