Delegation to edit GPOs

By default, only Domain Admins, Enterprise Admins, or the original GPO creator have access to modify a GPO. Sometimes, you may discover a need to have a junior-level administrator make some tweaks inside a GPO, but perhaps that admin does not have one of these permission levels inside Active Directory. The Delegation tab inside each GPO can be used to enter some additional edit permissions, giving a non-admin or even a group of people the access they need in order to modify a GPO that has already been created.

You can see in the following screenshot that I have opened the Delegation tab of my Accounting Control Panel Settings GPO, where I can view the current permissions for this particular GPO. Using the Add... button, I am able to specify my Junior AD Admins group, and give them permissions from this drop-down menu:

I have chosen to give this group Edit settings permissions on my GPO. This will allow anyone who is a member of the Junior AD Admins group to change settings inside the GPO, but will continue restricting them from being able to delete the GPO or modify security settings related to this GPO.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.188.3.236