Hi, my name is Avril Salter and welcome to this short clip. What we are going to be talking about today is how to delegate responsibility for administering your Group Policy Objects. To set your administrative rights for Group Policies we are going to do that through our Group Policy Management console. To open that we will go into Administrative Tools and here open the Group Policy Management tool. So let’s open up our Forest, and our Domain, and here you can see my organizational unit.
Now we can actually delegate authority at the site level. I am a small business so I just have one office so I do not have multiple sites set up. We can administer responsibility and delegate control at the domain level or we can do it at the organizational unit level. Now remember if you set and delegate administrative responsibilities at the domain level it will affect all of the objects within that domain. That is if you set the inheritance to all of the children containers. Now if you set authority at the site level, site level can actually go across domains if you have multiple domains set up. You could actually affect an object that is not actually in the domain where the GPO is. So I always find delegation at the site level to be a little bit more complex and I tend to avoid it.
Now, if you delegate at the organizational unit level, then you can actually delegate to the whole organizational unit or you can go inside and actually delegate responsibility for an individual OU. I personally find it easier to actually delegate control if I actually use the highest level of the organizational unit.
In this example I want to delegate responsibility to the Training Group Policy Object. If I click on that you can see here the Scope of it, if I click on that this has been applied to all authenticated users. You can take a look at the Detail of that object, you can take a look at the Settings. What I want to do is I want to delegate responsibilities. So I am going to click the Delegation tab in the Details pain. I want to add delegated responsibilities to a new user so I shall click Add. In this Select User you can delegate responsibilities to a group of users or to an individual user.
I want to delegate responsibilities to somebody called Deb Utah. I am just going to type in here deb, check for names, here she is Debi Utah. Select her, click OK, OK again. Now you can see I have got this pop-up window that now asks me what permissions that I want to allocate to this user. The default is Read and what we are going to do is we are going to give her permissions to Edit the settings. Edit setting will allow her to both read/write as well as create and delete child object. However, what it won’t do is give her permission to modify the permissions to modify the owner.
If I wanted to give Deb permissions to do that I would select this one, this third option Edit settings and modify security. But I want her to be able to add and change and create child objects, but I don’t want her to modify the permission of the owner of this GPO. So I am going to click Edit settings, say OK. Now you can see here that Debi Utah appears now and you can see along here that she can now Edit settings. I can use this by right clicking it to modify these settings now that she has been added, if I want to revert her back to Read or to give her more security settings or to delete her in some future point in time.
We have successfully given a user administrative responsibilities for changing a Group Policy Object. I hope you found this short clip useful and I look forward to you joining me on the next one. Thank you.