Delegate creation of Group Policy objects using GPMC

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To delegate creation of Group Policy objects

  1. Open Group Policy Management.

  2. In the console tree, click Group Policy Objects in the forest and domain for which you want to delegate creation rights for Group Policy objects (GPOs).

    Where?

    • Forest name/Domains/Domain name/Group Policy Objects

  3. In the results pane, click the Delegation tab, and then do one of the following:

    • To add a new group or user, using the Group Policy Creator Owners group

    • To add a new group or user to have the same permissions as the Group Policy Creator Owners group

    • To remove creation rights from a group or user

To add a new group or user, using the Group Policy Creator Owners group

  1. In the Groups and Users list box, double-click Group Policy Creator Owners.

  2. In the Group Policy Creator Owners properties dialog box, select the Members tab, and click Add.

  3. In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects for which you want to delegate creation rights, and then click OK.

  4. Click Locations, select either Entire Directory or the domain or organizational unit containing the object for which you want to delegate creation rights, and then click OK.

  5. In the Enter the object name to select box, enter the name of the object to which you want to delegate creation rights by doing one of the following:

    • If you know the name, type it, and then click OK.

    • To search for the name, click Advanced, enter the search criteria, click Find Now, select the name in the list box, click OK, and then click OK.

To add a new group or user to have the same permissions as the Group Policy Creator Owners group

  1. Click Add.

  2. In the Select User, Computers, or Groups dialog box, click Object Types, select the types of objects to which you want to delegate creation rights for GPOs, and then click OK.

  3. Click Locations, select either Entire Directory or the domain or organizational unit containing the object to which you want to delegate creation rights, and then click OK.

  4. In the Enter the object name to select box, enter the name of the object to which you want to delegate creation rights by doing one of the following:

    • If you know the name, type it, and then click OK.

    • To search for the name, click Advanced, enter the search criteria, click Find Now, select the name in the list box, click OK, and then click OK.

To remove creation rights from a group or user

  1. Do one of the following:

    • To remove a name from the Groups and users list box, delete the name of the group or user, and then click Remove.

    • To remove a member of the Group Policy Creator Owners group, double-click Group Policy Creator Owners, click the Members property tab, select the name to be removed, and then click Remove.

  2. When prompted to confirm the removal of the delegation privilege, click Yes, and then click OK.

Notes

  • You must be a member of the Domain Administrators or Enterprise Administrators group to complete this procedure.

  • You can also remove a group or user from the permissions list by right-clicking the name of the group or user in the Groups and users list box on the Delegation tab, and then clicking Remove.

  • If you want to delegate permissions to groups and users in the same domain as the GPOs, it is recommended that you add them to the Group Policy Creator Owners group, since this is the original method that was available in Windows 2000. However, you cannot add groups or users from another domain to the Group Policy Creator Owners group.

  • To delegate GPO creation permissions to groups or users in another domain, you must explicitly grant that group GPO creation permissions (without using the Group Policy Creator Owners group). Alternatively, you can create a domain local group in the domain where you want to delegate GPO creation permission and grant that group permission to create GPOs. Then add members to this domain local group from other domains as needed.
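
The two delegation paths described in the notes above (membership in Group Policy Creator Owners, and an explicit grant) can be reviewed together from a script. The following PowerShell is an added example, not part of the original topic or of GPMC; it assumes a domain-joined management host with the RSAT ActiveDirectory module, and the function name Get-GpoCreator is hypothetical. It reads group membership and the create-child permissions on the domain's CN=Policies,CN=System container, where the directory part of each GPO is stored.

```powershell
# Added example: lists principals that can create GPOs in the current domain.
# Assumes the RSAT ActiveDirectory module on a domain-joined management host.
Import-Module ActiveDirectory

function Get-GpoCreator {
    $dom = Get-ADDomain
    # schemaIDGUID of the groupPolicyContainer class (the directory part of a GPO).
    $gpcGuid    = [guid]'f30e3bc2-9ff0-11d1-b603-0000f80367c1'
    $policiesDn = "CN=Policies,CN=System,$($dom.DistinguishedName)"

    # Path 1: members of Group Policy Creator Owners (well-known RID 520).
    Get-ADGroupMember -Identity "$($dom.DomainSID)-520" -Recursive |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.SamAccountName
                Source    = 'Group Policy Creator Owners member'
                Inherited = $false
            }
        }

    # Path 2: trustees allowed to create groupPolicyContainer children
    # (or any child object) in the Policies container.
    $sd = (Get-ADObject -Identity $policiesDn -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $createChild) -ne 0) -and
            ($_.ObjectType -eq $gpcGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.IdentityReference.Value
                Source    = 'CreateChild ACE on CN=Policies'
                Inherited = $_.IsInherited
            }
        }
}

Get-GpoCreator | Sort-Object Source, Principal | Format-Table -AutoSize
```

Built-in administrative groups and SYSTEM normally appear in the second list; any other principal there, or any unexpected member in the first list, is a delegation to confirm against your change records.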

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Scripting Group Policy tasks using GPMC
Delegate policy-related permissions on a domain, OU, or site using GPMC
Delegation and policy-related permissions
Start Group Policy Management Console
Delegate an individual Group Policy object using GPMC