Some of you are skimming over this delegation section, because you assume that anybody who ever needs access to perform these functions inside Group Policy will always have access to a Domain Admin account. While being a member of that group would indeed grant them access to do whatever they need inside Group Policy, let me tell you right now that the days of us having Domain Admin rights are almost over. The ideas of Just-In-Time (JIT) Administration and Just-Enough Administration (JEA) are gaining popularity, necessarily so because Domain Admin rights are simply too broad and powerful these days. Stolen Domain Admin credentials could certainly turn out to be detrimental to your business, as would the case of an IT professional who leaves the company on bad terms. It is common to discover environments where even senior IT administrators struggle to gain access to do the things they need on servers in their own domains, because their default permissions are being limited and they need to submit requests for specific delegation of controls in order to do their jobs.
Creating new GPOs is a task that typically falls to AD administrators, but if you need this access and do not have a Domain Admin account, there are two ways you can be granted the right to create new GPOs:
- Add your account to the Active Directory security group, called Group Policy Creator Owners. This is a predefined group that exists by default in any Active Directory implementation. Adding users to this group inside ADUC automatically grants them rights to be able to generate new GPOs inside Group Policy.
- Alternatively, inside GPMC you can click on the primary Group Policy Objects folder, and then navigate to the Delegation tab. Here, you see a list of folks who have permission to create new GPOs. Domain Admins and Group Policy Creator Owners are already defined here, which explains why anyone in these groups already has the ability to create new GPOs. Rather than adding users into one of those existing groups, you could simply add their user accounts straight into the Delegation tab, as I have done in the following screenshot for the user account called Laura:
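Both routes above leave a trace you can audit: route 1 is plain group membership, and route 2 (the Delegation tab on the Group Policy Objects folder) is written by GPMC as an access control entry granting "Create groupPolicyContainer objects" on the CN=Policies,CN=System container of the domain. The following PowerShell is an added example, not code from the book, that reports who can create GPOs through either route so you can review the list the way you would review Domain Admins membership. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the domain and the Policies container; the account name `laura` is a stand-in for the Laura account in the text.

```powershell
# Added example: audit who can create GPOs in this domain via either delegation route.
# Assumes the RSAT ActiveDirectory module (and its AD: drive) is available.
# The audit functions only read; the one change function is held behind -WhatIf.
Import-Module ActiveDirectory

function Get-GpoCreatorGroupMembers {
    # Route 1 from the text: effective membership of Group Policy Creator Owners.
    # -Recursive expands nested groups, which the ADUC Members tab does not show.
    Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
        Select-Object Name, SamAccountName, objectClass
}

function Get-GpoCreateDelegations {
    # Route 2 from the text: principals added on the GPMC Delegation tab. GPMC stores this as
    # a CreateChild ACE for the groupPolicyContainer class on CN=Policies,CN=System,<domain>.
    $domain     = Get-ADDomain
    $policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"

    # Resolve the schema GUID of the groupPolicyContainer class from the schema partition
    # rather than hard-coding it.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $gpcClass = Get-ADObject -SearchBase $schemaNc `
                             -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' `
                             -Properties schemaIDGUID
    $gpcGuid  = [guid]$gpcClass.schemaIDGUID

    $acl = Get-Acl -Path "AD:\$policiesDn"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
            # ObjectType is the empty GUID when the ACE allows creating any child class,
            # otherwise it names one class; either form lets the trustee create GPOs.
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $gpcGuid)
        } |
        Select-Object @{ n = 'Trustee';   e = { $_.IdentityReference } },
                      @{ n = 'Rights';    e = { $_.ActiveDirectoryRights } },
                      @{ n = 'Inherited'; e = { $_.IsInherited } }
}

function Grant-GpoCreateViaGroup {
    # Route 1 as a change. -WhatIf makes it report the change instead of applying it;
    # remove -WhatIf once the request has been approved through your normal process.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $SamAccountName -WhatIf
}

Write-Host '== Members of Group Policy Creator Owners (route 1) =='
Get-GpoCreatorGroupMembers | Format-Table -AutoSize

Write-Host '== Direct delegations on the Policies container (route 2) =='
Get-GpoCreateDelegations | Format-Table -AutoSize

# 'laura' stands in for the account from the text (assumed sAMAccountName).
Grant-GpoCreateViaGroup -SamAccountName 'laura'
```

Run this from a management workstation with RSAT rather than on a domain controller. Expect Domain Admins and Group Policy Creator Owners to appear in the route 2 list with inherited or default entries; anything else there is a direct delegation that someone added on the tab, and the Trustee column tells you who to ask about it.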