
Windows Server 2008 R2 : GPO Administrative Tasks (part 7) - GPO Administrative Delegation

3/9/2011 2:46:17 PM

Group Policy Modeling Operations

The GPMC has a function called Group Policy Modeling that allows administrators to run tests to determine the projected outcome of GPO processing. Group Policy Modeling allows administrators to test the outcome of applying new GPOs, changing the status of GPOs, changing the location of a computer or user object, or changing the group membership of a computer or user.

Group Policy Results

Group Policy Results provides administrators with an additional tool to investigate the history of GPO processing on a particular computer and user object. This function requires access to the remote computer to evaluate and summarize the logged results of historical GPO processing. Starting with Windows Vista and Windows Server 2008 R2, the operational event logs for Group Policy provide much of the same functionality. Group Policy Results is useful as a troubleshooting tool for administrators who need to investigate GPO processing on computers running earlier versions of the operating system.

GPO Administrative Delegation

GPO administrative delegation is a process that administrators can utilize to delegate permissions to specific users or configure security rights across all GPOs, specific GPOs, and GPO-related tasks on specific Active Directory containers, such as sites, domains, and organizational units.

GPO delegation or delegation of administration within Active Directory should only be used in organizations that have separate IT groups that manage the infrastructure and servers and other groups that manage the desktop and support the end user. If the IT group of an organization contains administrators who all perform GPO and Active Directory administration, adding a delegation model might not be necessary and can add unnecessary complexity.

All GPO administrative delegation tasks detailed in the following sections are performed using the Group Policy Management Console.

Delegating GPO Creation Rights

The right to create GPOs can only be delegated at the domain’s Group Policy Objects container and the Starter GPOs container. After a policy is created, though, the right to completely edit, modify security, and even delete the GPO can be granted on a per GPO basis. To grant the right to create GPOs in a domain, perform the following steps:

1. Log on to a designated administrative system running Windows Server 2008 R2.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Group Policy Objects Container and select it.

4. In the right pane, select the Delegation tab.

5. Click the Add button at the bottom of the pane.

6. Type in the name of the user account or security group, and click OK to apply the changes.

Alternatively, the specific user or security group could be added as a member of the Group Policy Creator Owners security group.

Delegating GPO Management Rights on Existing GPOs

After a group policy is created, it will inherit a base set of administrative rights to completely edit the settings and modify the security of the policy. By default, administrative rights are granted to the Domain Admins, Enterprise Admins, and System objects. If the policy was created by a separate group or user that had been granted GPO creation rights, that object would also have these rights. If additional users or security groups need to be granted the right to edit the settings, manage the security, or delete a specific policy, perform the following steps:

1. Log on to a designated administrative system running Windows Server 2008 R2.

2. Open the Group Policy Management Console.

3. Expand the domain to expose the Group Policy Objects Container and select it.

4. Expand the Group Policy Objects container to expose the domain GPOs.

5. Select the desired GPO and select the Delegation tab in the right pane.

6. At the bottom of the pane, click the Add button.

7. Type in the name of the specific user account or security group, and click OK.

8. In the Add Group or User window, click the Permissions drop-down list arrow, and select the appropriate permission: Read; Edit Settings; or Edit Settings, Delete, Modify Security. Click OK to apply the changes.
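To review what has been delegated this way, the following added example (not part of the original article) lists every trustee outside the default administrative set that holds an edit-level permission on any GPO in the domain. It assumes the GroupPolicy PowerShell module that ships with the GPMC on Windows Server 2008 R2; the variable names are illustrative.

```powershell
# Added example: audit which non-default trustees can change GPOs.
# Requires the GroupPolicy module (GPMC installed). Read-only; changes nothing.
Import-Module GroupPolicy

# Trustees the article names as holding administrative rights by default.
$defaultTrustees = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'

# Permission levels that allow changing a GPO. GpoCustom is included because
# a custom ACL may carry write access and needs a manual look.
$writeLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

$findings = foreach ($gpo in Get-GPO -All) {
    foreach ($entry in Get-GPPermissions -Guid $gpo.Id -All) {
        $level = $entry.Permission.ToString()

        # Skip deny entries, read/apply-only entries, and the default admins.
        if ((-not $entry.Denied) -and
            ($writeLevels -contains $level) -and
            ($defaultTrustees -notcontains $entry.Trustee.Name)) {

            New-Object PSObject -Property @{
                Gpo        = $gpo.DisplayName
                Trustee    = '{0}\{1}' -f $entry.Trustee.Domain, $entry.Trustee.Name
                Type       = $entry.Trustee.SidType
                Permission = $level
            }
        }
    }
}

# One row per delegated edit right, grouped by GPO for review.
$findings | Sort-Object Gpo, Trustee |
    Format-Table Gpo, Trustee, Type, Permission -AutoSize
```

An account that created a GPO under delegated creation rights appears in this output, consistent with the paragraph above; any other row should map to a delegation someone granted deliberately.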

Delegating GPO Administrative Tasks on Active Directory Containers

The GPMC allows administrators to delegate the rights to manage GPO links and perform testing and troubleshooting tasks at the site, domain, and organizational unit container levels. To delegate GPO administrative rights over an Active Directory container, perform the following steps:

1. Log on to a designated administrative workstation running Windows Server 2008 R2.

2. Open the Group Policy Management Console.

3. Expand the Active Directory Forest container.

4. Select either the Domains or Sites node and expand it.

5. If the desired domain or site is not listed, right-click the node and select Show Domains or Show Sites and add the object as required.

6. Expand the Domains or Sites node to expose the container that will have the GPO delegation rights applied to it and select it.

7. In the right pane, select the Delegation tab.

8. On the Delegation tab, near the top of the pane, select the desired permission that will be delegated from the following options:

  • Link GPOs

  • Perform Group Policy Modeling Analyses

  • Read Group Policy Results Data

9. At the bottom of the pane, click the Add button.

10. Type in the name of the specific user account or security group and click OK.

11. In the Add Group or User window, click the Permissions drop-down list arrow, and select the appropriate permission of This Container Only or This Container and All Child Containers, and click OK.

Note

Even though the right to perform Group Policy Modeling and view results data can be delegated at a container level, if the task is not performed on the domain controller, the user or group will also need to be a member of the domain’s Distributed COM Users security group.
