Tuesday, August 23, 2011

Tips: How to assign GPO Creation Rights to administrative and non-administrative users

In Active Directory, it is default that the administrators are granted permission to perform the different Group Policy management tasks. However, even other individuals can be granted the permissions through delegation. Follow the steps.

How to assign GPO Creation Rights: Administrators

If you’re an administrator of Active Directory, you’ll have the ability to create GPOs in domains and anyone who has created a GPO in a domain will have the rights to manage that GPO. You can follow the following steps to determine who can create GPOs in a domain.
1.    In the GPMC, it is required to expand the entry for the forest you wish to work with and then expand the related Domains node.
2.    After that , it is required to expand the node for the domain you wish to work with. If you don’t see the domain you want to work with, right-click Domains and then click Show Domains. You can then select the domains you want to display.
3.    Then, select the Group Policy Objects node.
4.    Now, the users and groups who can create GPOs in the selected domain will be listed on the Delegation tab.


How to assign GPO Creation Rights: Non-Administrative Users
You can allow even a non-administrative user or a group group (including users and groups from other domains) to create GPOs (and thus implicitly grant them the ability to manage the GPOs they’ve created). Follow the following steps to grant GPO creation permission to a user or group.
1.    In the GPMC, it is required to expand the entry for the forest you wish to work with and then expand the related Domains node.
2.    After that, expand the node for the domain you wish to work with. If you don’t see the domain you want to work with, right-click Domains and then click Show Domains.
3.    Then, you can then select the domains you want to display.
4.    Now, it is required to select the Group Policy Objects node.
5.    Then, select the Delegation tab on the right pane.
6.    The current GPO creation permissions for individual users and groups are listed.
7.    To grant the GPO creation permission to another user or group, click Add.
8.    In the Select User, Computer, Or Group dialog box, select the user or group you want to grant permissions.
9.    Then, click OK.
10.    By accessing the Delegation tab, you can remove the GPO creation permission.
11.    Click the user or group to select.
12.    Then, select Remove to remove the permissions for the selected user or group.
B  y ,