Delegating permission to group to create GPO in specific OU

Anonymous
2024-03-25T17:53:36+00:00

I would like to grant a specific group the rights to create GPOs in a single OU only. I have found references on the net to a Create GPO right but I can't locate it anywhere. If anybody has any insight as to what rights I need to grant this group in this OU I would appreciate it.

Thanks,

Jeff



Accepted answer
  1. Anonymous
    2024-03-26T07:10:56+00:00

    Hi Jeffrey Pascone1,

    Thank you for posting in the Microsoft Community Forum.

    To grant a specific group the rights to create Group Policy Objects (GPOs) in a single Organizational Unit (OU) only, you can use the following approach:

    1. Delegate Control: You can delegate control specifically for the OU where you want the group to create GPOs. Here's how you can do it:
      • Right-click on the OU in Active Directory Users and Computers (ADUC).
      • Select "Delegate Control" from the context menu.
      • Follow the wizard to delegate control to the specific group.
      • When prompted for permissions to delegate, select "Create, delete, and manage Group Policy objects" under "Tasks" and "This folder, existing objects in this folder, and creation of new objects in this folder" under "Permissions".
    2. Grant "Create GPO" Rights: Although there isn't a specific "Create GPO" right, you can indirectly achieve this by granting the group "Write" permissions to the "Group Policy Objects" container within the targeted OU.
      • Right-click on the OU in ADUC.
      • Select "Properties" and navigate to the "Security" tab.
      • Click "Advanced" and then "Add" to add the specific group.
      • In the "Apply to" dropdown, select "This object and all descendant objects".
      • Check the "Allow" box next to "Create Group Policy objects" under "Permissions".

    By following these steps, you are granting the specific group the ability to create GPOs within the targeted OU while restricting their ability to create GPOs in other parts of the domain. Make sure to test these settings thoroughly in a non-production environment before implementing them in your production environment. Additionally, ensure that the members of the group understand the responsibilities and limitations associated with their delegated permissions.

    Best regards

    Neuvi Jiang

    1 person found this answer helpful.

3 additional answers

  1. Anonymous
    2024-06-06T15:05:59+00:00

    I have tried to follow these instructions without success. I cannot find such a task to delegate as "Create, delete, and manage Group Policy objects". I have looked under common tasks, which does include group policy links management, but I see nothing to create, delete, and manage Group Policy objects.

    For step 2 I also do not see a "Create Group Policy objects" under "Permissions". I do see a "Create groupPolicyContainer objects" under "Permissions".

    Please clarify these instructions as they do not seem to apply. I've tested this on both a Windows 2012 DC and a 2019 DC.

    1 person found this answer helpful.
  2. Anonymous
    2024-09-11T12:49:07+00:00

    GPOs are not created in OUs. They are LINKED to OUs.

    Go to the Group Policy Objects folder in Group Policy Management, Delegation tab. Add the group/user you want to be able to create GPOs.

    Go back to ADUC, right-click the OU and choose Delegate Control of "Manage Group Policy links" for this group/user.

    3 people found this answer helpful.
  3. Anonymous
    2024-09-13T11:55:29+00:00

    GPOs are not created in OUs. They are LINKED to OUs.

    Go to the Group Policy Objects folder in Group Policy Management, Delegation tab. Add the group/user you want to be able to create GPOs.

    Go back to ADUC, right-click the OU and choose Delegate Control of "Manage Group Policy links" for this group/user.

    This makes more sense... however, in your first sentence you accurately stated that GPOs are LINKED to OUs.

    I assume in your second statement, you meant to say that you add the group/user that you want to be able to LINK GPOs to the specific OU.

    Lastly, do you happen to know exactly how to delegate permission to CREATE a GPO? I added a group to the Delegation tab of the "Group Policy Objects" in Group Policy Management; however, the users in this group claim the ability to create a new GPO is still not there.

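The two delegations the later answers describe (create rights on the domain's Group Policy Objects container, link rights on one OU), written out in PowerShell as an added example that is not code from this thread or from Microsoft. The group name "GPO-Creators" and the OU distinguished name are placeholders, and the script assumes the ActiveDirectory module on a domain-joined admin host:

```powershell
# Added example. Assumed placeholders: group "GPO-Creators", OU DN in $ou.
# Run with an account allowed to change these ACLs (e.g. Domain Admins).
Import-Module ActiveDirectory

$groupName = 'GPO-Creators'                         # assumed group name
$ou        = 'OU=Workstations,DC=corp,DC=example'  # assumed OU DN
$domainDn  = (Get-ADDomain).DistinguishedName
$policies  = "CN=Policies,CN=System,$domainDn"     # container GPOs are created in
$sid       = (Get-ADGroup $groupName).SID

# Resolve schemaIDGUIDs from the schema at run time rather than hard-coding them.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}

# Add one object-specific Allow ACE for the group on the given DN (this object only).
function Add-Ace([string]$Dn, [System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType) {
    $acl  = Get-Acl -Path "AD:\$Dn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# 1. Create rights: CreateChild of class groupPolicyContainer on CN=Policies.
#    This is what the GPMC "Group Policy Objects" Delegation tab grants; it is
#    domain-wide by nature because GPOs are not created inside an OU.
Add-Ace -Dn $policies -Rights CreateChild -ObjectType (Get-SchemaGuid 'groupPolicyContainer')

# 2. Link rights on the single OU: read/write gPLink and gPOptions, the same
#    attributes the "Manage Group Policy links" wizard task covers. Inheritance
#    None keeps the grant to this one OU instead of all child OUs.
foreach ($attr in 'gPLink', 'gPOptions') {
    Add-Ace -Dn $ou -Rights 'ReadProperty, WriteProperty' -ObjectType (Get-SchemaGuid $attr)
}

# 3. Read back what the group now holds on both objects, for review.
foreach ($dn in $policies, $ou) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like "*\$groupName" } |
        Select-Object @{n='Object';e={$dn}}, ActiveDirectoryRights, ObjectType, InheritanceType
}
```

The read-back in step 3 is the check worth keeping: the group should show exactly one CreateChild ACE on CN=Policies and only property ACEs on the OU, nothing broader.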