Delegation and policy-related permissions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

With Group Policy Management Console (GPMC), the following tasks can be delegated:

  • Create Group Policy objects (GPOs) in a domain.

  • Set permissions on a GPO.

  • Set policy-related permissions on site, domain or organizational unit.

    • Link GPOs to a given site, domain or organizational unit.

    • Perform Group Policy Modeling analyses on a given domain or organizational unit (but not on a site).

    • Read Group Policy Results data for objects in a given domain or organizational unit (but not on a site).

  • Create WMI filters in a domain.

  • Set permissions on a WMI filter.

GPMC simplifies delegation by managing the various access control entries (ACEs) required for a task as a single bundle of permissions for the task. If you want to see the access control list (ACL) in detail, you can click the Advanced button on the Delegation tab.

Delegating creation of GPOs

Creating GPOs is a user right of the Group Policy Creator Owners (GPCO) group by default but can be delegated to any group or user. There are two methods to grant a group or user this right:

  • Add the user or group to membership of the Group Policy Creator Owners (GPCO) group. This was the only method available prior to GPMC.

  • Explicitly grant the group or user permission to create GPOs. This method is newly available with GPMC.

You can manage this permission using the Delegation tab on the Group Policy Objects container for a given domain in GPMC. This tab shows the groups that have permission to create GPOs in the domain, including the GPCO group. From this tab, you can modify the membership of existing groups with this permission, or add new groups.

The ability to grant users permissions to create GPOs without using GPCO was added to facilitate the delegation of GPO creation to users outside the domain. Because the Group Policy Creator Owners group is a domain global group, it cannot contain members from outside the domain. Thus, prior to GPMC, this task could not be delegated to members outside the domain.

It is recommended that for users and groups within the domain, you continue to use the GPCO group to grant them GPO creation rights. If you require that users outside the domain have the ability to create GPOs, then create a new domain local group in the domain ("GPCO - External"), grant that group GPO creation rights in the domain, and then add external domain users to that group.

Adding a user to the membership of GPCO, or granting the user GPO creation permissions directly using the new method available in GPMC, is identical in terms of permissions. Users have the ability to create GPOs in the domain, but do not have permissions on GPOs created by other users. For example, granting a user the ability to create GPOs in the domain does not give the user the ability to edit or delete existing GPOs, or the ability to link the GPO to a site, domain or organizational unit.

For step-by-step instructions, see Delegate creation of Group Policy objects using GPMC.

Delegating an individual GPO

There are five permission options on GPOs in the GPMC user interface. Each corresponds to a set of individual NT permissions. The correspondence is summarized in the following table.

| Option in GPMC user interface | Corresponding NT permission in ACL Editor |
| --- | --- |
| Read | Allow Read Access on the GPO |
| Edit settings | Allow Read, Write, Create Child Objects, and Delete Child Objects |
| Edit, delete, and modify security | Allow Read, Write, Create Child Objects, Delete Child Objects, Delete, Modify Permissions, and Modify Owner. This essentially grants full control on the GPO, except that the Apply Group Policy permission is not set. |
| Read (from Security Filtering) | This setting cannot be set directly, but appears on the delegation tab if the user has Read and Apply Group Policy permissions to the GPO. |
| Custom | Any other combination of permissions, including the use of Deny will show up as Custom in the display. GPMC can only set custom permission sets by clicking the Advanced button and opening the ACL editor. |

Permissions on a GPO are managed from the Delegation tab of that GPO. For step-by-step instructions, see Delegate an individual Group Policy object using GPMC.
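The per-GPO options described above can be reviewed across a whole domain with a short audit. The following is an added example, not part of the original page or Microsoft's own code; it assumes the GroupPolicy PowerShell module that ships with later GPMC/RSAT releases (not the Windows Server 2003 tooling), and the baseline of expected trustees is an illustrative assumption.

```powershell
# Added example (not from the original page). Assumes the GroupPolicy module
# from later GPMC/RSAT releases and an account that can read every GPO.
Import-Module GroupPolicy

# Module permission value -> option name used in the GPMC table above.
$optionName = @{
    GpoEdit                     = 'Edit settings'
    GpoEditDeleteModifySecurity = 'Edit, delete, and modify security'
    GpoCustom                   = 'Custom'
}

# Assumed baseline of trustees expected to hold change rights: SYSTEM,
# Domain Admins (RID 512), Enterprise Admins (RID 519). Adjust as needed.
$expectedSid = '^(S-1-5-18|S-1-5-21-[\d-]+-(512|519))$'

$findings = foreach ($gpo in Get-GPO -All) {
    foreach ($entry in Get-GPPermission -Guid $gpo.Id -All) {
        $option = $optionName[$entry.Permission.ToString()]
        # Read and Read (from Security Filtering) cannot change the GPO.
        if (-not $option) { continue }
        if ($entry.Trustee.Sid.Value -match $expectedSid) { continue }
        [pscustomobject]@{
            Gpo       = $gpo.DisplayName
            Trustee   = '{0}\{1}' -f $entry.Trustee.Domain, $entry.Trustee.Name
            Option    = $option
            Denied    = $entry.Denied      # Deny entries surface as Custom
            Inherited = $entry.Inherited
        }
    }
}

$findings | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Every row is a trustee outside the baseline that can alter a GPO; Custom rows need the ACL editor to see exactly what was granted or denied.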

The ability to link GPOs to a site, domain or organizational unit is a permission that is specific to that site, domain or organizational unit. In GPMC, this permission can be managed using the Delegation tab on the site, domain or organizational unit when you click the Link GPOs option in the permission drop-down list box. At the individual permission level in Active Directory, this allows Read and Write access to the gPLink and gPOptions attributes on the site, domain, or organizational unit. By default, only Domain Administrators and Enterprise Administrators have this permission.

Group Policy Modeling allows the user to simulate the resultant set of policy for objects in a domain or organizational unit. In GPMC, this permission can be managed using the Delegation tab on the domain or organizational unit when you click the Perform Group Policy Modeling Analyses option in the permission drop-down list box. This feature is only available to Domain Administrators and Enterprise Administrators by default but can be delegated to other users or groups. At the individual permission level in Active Directory, this delegation is equivalent to granting the user or group the Generate Resultant Set of Policy (Planning) permission on the domain or organizational unit. This permission is only available in forests that have the Windows Server 2003 schema or later.

Group Policy Results allows the user to read Resultant Set of Policy logging data for objects in a domain or organizational unit. In GPMC, this permission can be managed using the Delegation tab on the domain or organizational unit when you click the Read Group Policy Results data option in the permission drop-down list box. By default, only users with local administrator rights on the target computer can remotely access Group Policy Results data. However, this right can be delegated to other users or groups. Delegation is performed on a domain or organizational unit. Users with this permission can read Group Policy Results data for any object in that container. This requires the Generate Resultant Set of Policy (Logging) permission on the domain or organizational unit. This permission is only available in forests with the Windows Server 2003 schema.

For step-by-step instructions for delegation of linking of GPOs, delegation of Group Policy Modeling analyses, and delegation of Group Policy Results, see Delegate policy-related permissions on a domain, OU, or site using GPMC.
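The three policy-related permissions above map to object-specific ACEs that can be listed directly from Active Directory. The following is an added example, not part of the original page or Microsoft's own code; it assumes the ActiveDirectory PowerShell module (later RSAT releases) and covers the domain and its organizational units only, not sites.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory
# module, which also provides the AD: drive used by Get-Acl below.
Import-Module ActiveDirectory
$adr = [System.DirectoryServices.ActiveDirectoryRights]

# Attribute / extended-right GUID -> access bit required and GPMC option name.
$watch = @{
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = @{ Need = $adr::WriteProperty; Name = 'Link GPOs (gPLink)' }
    'f30e3bbf-9ff0-11d1-b603-0000f80367c1' = @{ Need = $adr::WriteProperty; Name = 'Link GPOs (gPOptions)' }
    'b7b1b3dd-ab09-4242-9e30-9980e5d322f7' = @{ Need = $adr::ExtendedRight; Name = 'Perform Group Policy Modeling analyses' }
    'b7b1b3de-ab09-4242-9e30-9980e5d322f7' = @{ Need = $adr::ExtendedRight; Name = 'Read Group Policy Results data' }
}
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$targets = @((Get-ADDomain).DistinguishedName) +
           @(Get-ADOrganizationalUnit -Filter * |
             Select-Object -ExpandProperty DistinguishedName)

# Note: ACEs with no object GUID (for example Full Control) also confer these
# rights; this report lists only the explicit, delegated ACEs.
$report = foreach ($dn in $targets) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to descendants, not to this container.
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        $w = $watch[$ace.ObjectType.ToString()]
        if (-not $w -or -not ($ace.ActiveDirectoryRights -band $w.Need)) { continue }
        [pscustomobject]@{
            Container  = $dn
            Trustee    = $ace.IdentityReference.Value
            Permission = $w.Name
            Inherited  = $ace.IsInherited
        }
    }
}

$report | Sort-Object Container, Permission, Trustee | Format-Table -AutoSize
```

A trustee that appears with both gPLink and gPOptions write access on a container holds the Link GPOs permission there as GPMC defines it.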

Delegating creation of WMI filters

The ability to create WMI filters is a per-domain right. In GPMC, there are two levels of permission for creating WMI filters. Creator Owner allows the user to create new WMI Filters in the domain, but does not grant them permissions on WMI filters created by other users. Full Control allows the user to create WMI filters, and grants them full control on all WMI Filters in the domain, including new filters that are created after they are granted this right.

When a new WMI filter is created it is stored in the WMIPolicy container in the domain's System container in Active Directory Users and Computers. It is the permissions on the WMIPolicy container that govern the rights a user has to create, edit, and delete WMI Filters.

In GPMC, you can manage these permissions from the Delegation tab of the WMI Filters container in a given domain.

For step-by-step instructions, see Delegate creation of WMI filters using GPMC.

Delegating an individual WMI Filter

GPMC provides the ability to delegate rights on an individual WMI Filter. There are two levels of delegation for an individual WMI filter. Edit allows the user or group to edit the WMI Filter. Full Control allows the user or group to edit, delete, and modify security on the WMI Filter.

All users have Read access to all WMI filters through the Authenticated Users group, because it is required to allow policy processing. GPMC does not allow you to remove read permission.

These permissions are managed using the Delegation tab of a WMI filter. For step-by-step instructions, see Delegate an individual WMI filter using GPMC.

See Also

Concepts

Delegate creation of Group Policy objects using GPMC
Delegate policy-related permissions on a domain, OU, or site using GPMC
Delegate an individual Group Policy object using GPMC