Delegation to link GPOs

Another commonly delegated permission is the ability to link existing GPOs. This does not allow users to create their own GPOs; it only lets them view existing GPOs and link them to OUs for which they have linking access. You generally want to make sure that only trusted administrators are able to create new GPOs. This delegation lets you retain control over the creation process while allowing the head of the Accounting department to assign/link those GPOs to the groups of Accounting users or computers that they deem fit.

GPO permissions are generally set inside GPMC's Delegation tabs, but this linking permission really has more to do with OU security than it does with GPO security. As such, the tool that needs to be utilized to configure GPO Link Delegation is Active Directory Users and Computers (ADUC).

Inside ADUC, find the OU that you want to modify. Then, right-click on that OU and choose Delegate Control...

Walk through the Delegation of Control Wizard. You are first asked which users or groups you are delegating control to; here I entered my user named Accounting Boss. Next, you decide which tasks this user is allowed to perform. In order to grant Accounting Boss the ability to link GPOs to this Accounting Computers OU, I am going to select Manage Group Policy links.

As you can see, there are many other common delegation duties that can be checked inside this wizard. This is an interesting way to divvy up permissions inside your Active Directory management tools and grant people access to specific tasks, without needing to give them Domain Admin rights.

After finishing the wizard, Accounting Boss now has permission to link GPOs to the Accounting Computers OU.
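Because this delegation lives in the OU's ACL rather than on any GPO, it is worth auditing there. The following is an added example, not code from the original text: the Manage Group Policy links task grants read/write on the OU's gPLink and gPOptions attributes, and the hypothetical function `Get-GpoLinkDelegation` lists every Allow ACE that can write them. The sample ACEs, the `EXAMPLE` domain and the OU path in the comments are constructed placeholders.

```powershell
# schemaIDGUIDs of the two attributes written by "Manage Group Policy links"
$GpAttr = @{
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'gPLink'
    'f30e3bbf-9ff0-11d1-b603-0000f80367c1' = 'gPOptions'
}
# An all-zero ObjectType means the ACE applies to every property
$AllProps = [guid]::Empty.ToString()

function Get-GpoLinkDelegation {
    param([Parameter(Mandatory)][object[]]$AccessRule)
    foreach ($ace in $AccessRule) {
        if ("$($ace.AccessControlType)" -ne 'Allow') { continue }
        $rights = "$($ace.ActiveDirectoryRights)"
        # Only rights that include writing a property are relevant
        if ($rights -notmatch 'WriteProperty|GenericWrite|GenericAll') { continue }
        $type = "$($ace.ObjectType)".ToLower()
        if ($GpAttr.ContainsKey($type)) { $attr = $GpAttr[$type] }
        elseif ($type -eq $AllProps)    { $attr = 'all properties' }
        else { continue }
        [pscustomobject]@{
            Identity  = "$($ace.IdentityReference)"
            Rights    = $rights
            Attribute = $attr
            Inherited = $ace.IsInherited
        }
    }
}

# Constructed sample ACEs shaped like the entries in (Get-Acl ...).Access
$sample = @(
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\Accounting Boss'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ReadProperty, WriteProperty'; IsInherited = $false
        ObjectType = 'f30e3bbe-9ff0-11d1-b603-0000f80367c1' }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\Accounting Boss'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ReadProperty, WriteProperty'; IsInherited = $false
        ObjectType = 'f30e3bbf-9ff0-11d1-b603-0000f80367c1' }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\Domain Admins'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'GenericAll'; IsInherited = $true
        ObjectType = [guid]::Empty }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\Helpdesk'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'ReadProperty'; IsInherited = $false
        ObjectType = 'f30e3bbe-9ff0-11d1-b603-0000f80367c1' }   # read-only: not reported
)
Get-GpoLinkDelegation -AccessRule $sample | Format-Table -AutoSize

# Against a live domain (RSAT ActiveDirectory module; OU path is a placeholder):
# Import-Module ActiveDirectory
# $acl = Get-Acl -Path 'AD:\OU=Accounting Computers,DC=example,DC=com'
# Get-GpoLinkDelegation -AccessRule $acl.Access
```

Any identity in the output that is not an expected administrator or delegate can attach existing GPOs to that OU and should be reviewed.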
