Group Policy Modeling Operations
The GPMC has a function
called Group Policy Modeling that allows administrators to run tests to
determine the projected outcome of GPO processing. Group Policy Modeling
allows administrators to test the outcome of applying new GPOs,
changing the status of GPOs, changing the location of a computer or user
object, or changing the group membership of a computer or users.
Group Policy Results
Group Policy
Results provides administrators with an additional tool to investigate
the history of GPO processing on a particular computer and user object.
This function requires access to the remote computer to evaluate and
summarize the logged results of historical GPO processing. Starting with
Windows Vista and Windows Server 2008 R2, the operational event logs
for Group Policy provide much of the same functionality. This tool is
therefore most useful for troubleshooting GPO processing on computers that
run earlier versions of the operating system.
GPO Administrative Delegation
GPO administrative delegation
is a process that administrators can utilize to delegate permissions to
specific users or configure security rights across all GPOs, specific
GPOs, and GPO-related tasks on specific Active Directory containers,
such as sites, domains, and organizational units.
GPO delegation or
delegation of administration within Active Directory should only be used
in organizations that have separate IT groups that manage the
infrastructure and servers and other groups that manage the desktop and
support the end user. If the IT group of an organization contains
administrators who all perform GPO and Active Directory administration,
adding a delegation model might not be necessary and can add unnecessary
complexity.
All GPO administrative
delegation tasks detailed in the following sections are performed using
the Group Policy Management Console.
Delegating GPO Creation Rights
The right to create GPOs
can only be delegated at the domain’s Group Policy Objects container and
the Starter GPOs container. After a policy is created, though, the
right to completely edit, modify security, and even delete the GPO can
be granted on a per-GPO basis. To grant the right to create GPOs in a
domain, perform the following steps:
1. Log on to a designated administrative system running Windows Server 2008 R2.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Group Policy Objects container and select it.
4. In the right pane, select the Delegation tab.
5. Click the Add button at the bottom of the pane.
6. Type in the name of the user account or security group, and click OK to apply the changes.
Alternatively, the specific user or security group can be added as a member of the Group Policy Creator Owners security group.
Delegating GPO Management Rights on Existing GPOs
After a group policy is
created, it will inherit a base set of administrative rights to
completely edit the settings and modify the security of the policy. By
default, administrative rights are granted to the Domain Admins,
Enterprise Admins, and System objects. If the policy was created by a
separate group or user that had been granted GPO creation rights, that
object would also have these rights. If additional users or security
groups need to be granted the right to edit the settings, manage the
security, or delete a specific policy, perform the following steps:
1. Log on to a designated administrative system running Windows Server 2008 R2.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Group Policy Objects container and select it.
4. Expand the Group Policy Objects container to expose the domain GPOs.
5. Select the desired GPO and select the Delegation tab in the right pane.
6. At the bottom of the pane, click the Add button.
7. Type in the name of the specific user account or security group, and click OK.
8. In the Add Group or User window, click the Permissions drop-down list arrow, select the appropriate permission of Read, Edit Settings, or Edit Settings, Delete, Modify Security, and click OK to apply the changes.
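The GUI steps above, and the Group Policy Creator Owners alternative from the previous section, can also be performed and, more importantly, audited with the GroupPolicy and ActiveDirectory PowerShell modules that ship with Windows Server 2008 R2. The following is an added example, not code from the book; the GPO name "Desktop Lockdown" and the group "Desktop GPO Editors" are assumed names, and the audit function lists every trustee holding edit or edit/delete/modify-security rights on any GPO that is not one of the default administrative trustees the text describes.

```powershell
# Added example (not from the book). Assumed names: GPO "Desktop Lockdown",
# security group "Desktop GPO Editors". Requires the GroupPolicy and
# ActiveDirectory modules (RSAT / Windows Server 2008 R2).
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Trustees that hold administrative rights on a new GPO by default (see text).
$defaultTrustees = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

function Get-NonDefaultGpoDelegation {
    # Returns one object per (GPO, trustee) pair where a non-default trustee
    # can edit, or edit, delete and modify security on, the GPO. Reviewing
    # this list regularly catches stale or over-broad delegations.
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object {
                ('GpoEdit', 'GpoEditDeleteModifySecurity' -contains $_.Permission.ToString()) -and
                ($defaultTrustees -notcontains $_.Trustee.Name)
            } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    GPO        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    Permission = $_.Permission.ToString()
                }
            }
    }
}

# Section "Delegating GPO Creation Rights", alternative method: membership in
# Group Policy Creator Owners grants the right to create GPOs in the domain.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members 'Desktop GPO Editors'

# Section "Delegating GPO Management Rights on Existing GPOs": GpoEdit is the
# GUI's "Edit Settings"; GpoEditDeleteModifySecurity is "Edit Settings, Delete,
# Modify Security"; GpoRead is "Read". Grant only the level the task needs.
Set-GPPermission -Name 'Desktop Lockdown' -TargetName 'Desktop GPO Editors' `
    -TargetType Group -PermissionLevel GpoEdit

# Verify the single GPO and then audit the whole domain for non-default editors.
Get-GPPermission -Name 'Desktop Lockdown' -TargetName 'Desktop GPO Editors' -TargetType Group
Get-NonDefaultGpoDelegation | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

Run the audit function from a scheduled task or before a change window; any trustee it lists can change settings that apply to every computer and user the GPO is linked to.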
Delegating GPO Administrative Tasks on Active Directory Containers
The GPMC allows administrators
to delegate the rights to manage GPO links and perform testing and
troubleshooting tasks at the site, domain, and organizational unit
container levels. To delegate GPO administrative rights over an Active
Directory container, perform the following steps:
1. Log on to a designated administrative workstation running Windows Server 2008 R2.
2. Open the Group Policy Management Console.
3. Expand the Active Directory Forest container.
4. Select either the Domains or Sites node and expand it.
5. If the desired domain or site is not listed, right-click the node and select Show Domains or Show Sites and add the object as required.
6. Expand the Domains or Sites node to expose the container that will have the GPO delegation rights applied to it and select it.
7. In the right pane, select the Delegation tab.
8. On the Delegation tab, near the top of the pane, select the desired permission that will be delegated from the following options:
9. At the bottom of the pane, click the Add button.
10. Type in the name of the specific user account or security group and click OK.
11. In the Add Group or User window, click the Permissions drop-down list arrow, select the appropriate permission of This Container Only or This Container and All Child Containers, and click OK.
Note
Even though the right to
perform Group Policy Modeling and view results data can be delegated at a
container level, if the task is not performed on the domain controller,
the user or group will also need to be a member of the domain’s
Distributed COM Users security group.