Two Ways to Use Group Policy Delegation

The last thing you need is to be working on some Active Directory or Group Policy problem then – bam. Someone else steps on your toes.

That’s why Active Directory has a built-in delegation model for you to use. It’s not hard to do, and doesn’t take a lot of work to set up or maintain.

The “trick” however, when it comes to delegating items for the Group Policy engine, is that there are multiple places you can do the same thing – and that can be confusing. In this article, we’ll explore the Group Policy delegation model – and the two tools you can use to make the magic happen.

Let’s start out by examining the older and slightly more difficult way: Active Directory Users and Computers. Here you can right-click an OU and select Delegate Control, as seen in Figure 1.

Figure 1: Active Directory Users and Computers – Delegating Control

Inside the Delegation of Control wizard (Figure 2), you can assign the “who” first. Here you can see I want to give EastSalesUser1 some rights.

Figure 2: Delegation of Control Wizard

Then, you can assign the “what.” That is, what rights the person should have. Here, you can see I’ve selected “Manage Group Policy links.” Also available are “Generate Resultant Set of Policy (Planning)” and “Generate Resultant Set of Policy (Logging).”

We still use the term “linking”, but the names “Generate Resultant Set of Policy (Planning)” and “Generate Resultant Set of Policy (Logging)” have gone out of style and we use different names for those now. Specifically, “Resultant Set of Policy (Planning)” is now called “Group Policy Modeling” and “Resultant Set of Policy (Logging)” is now called “Group Policy Results.”

Figure 3: Delegation of Control Wizard – Tasks

However, I suggest that you don’t use Active Directory Users and Computers to manage Group Policy delegation. The reason is that it’s hard to know what was done – after you’ve done it. For instance, let’s say I grant EastSalesUser1 “Manage Group Policy Links” rights on “East Sales Users.”

There’s nothing “obvious” in the Active Directory Users and Computers UI that I have done that. To enable the “viewing” of what you did, you need to select View | Advanced Features as seen in Figure 4.

Figure 4: Active Directory Advanced Features

Only then can you go to the Properties of East Sales Users and see that EastSalesUser1 has any delegated rights at all, as seen in Figure 5. However, note that “Manage Group Policy Links” isn’t even shown here. It’s a special permission tucked away from further inspection.
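Because the ADUC Security tab hides this permission, the reliable way to audit who can link GPOs to an OU is to read the OU’s security descriptor directly. The following PowerShell is an added example, not part of the original article: it resolves the schema GUIDs for the gPLink and gPOptions attributes and the GUIDs of the two RSoP control access rights from the directory at run time, then reports every allow ACE on the OU that maps to a GPMC delegation entry. It assumes the RSAT ActiveDirectory module is installed and that you can read the OU’s ACL; the OU distinguished name in the usage line is a placeholder.

```powershell
# Added example (not from the original article): list Group Policy delegation
# on an OU by reading its ACL, since ADUC does not show "Manage Group Policy Links".
# Assumes the ActiveDirectory (RSAT) module and rights to read the OU's security descriptor.
Import-Module ActiveDirectory

function Get-OuGroupPolicyDelegation {
    param(
        [Parameter(Mandatory = $true)]
        [string]$OuDistinguishedName
    )

    $rootDse = Get-ADRootDSE

    # "Manage Group Policy links" in ADUC grants WriteProperty on exactly these two
    # attributes. Resolve their schemaIDGUIDs from the schema rather than hard-coding them.
    $attrGuids = @{}
    foreach ($attr in 'gPLink', 'gPOptions') {
        $schemaObj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -Filter "objectClass -eq 'attributeSchema' -and lDAPDisplayName -eq '$attr'" `
            -Properties schemaIDGUID
        $attrGuids[([guid]$schemaObj.schemaIDGUID).ToString()] = $attr
    }

    # The two RSoP rights are control access rights; map them to the names GPMC uses.
    $rsopNames = @{
        'Generate Resultant Set of Policy (Planning)' = 'Perform Group Policy Modeling analyses'
        'Generate Resultant Set of Policy (Logging)'  = 'Read Group Policy Results data'
    }
    $rightGuids = @{}
    foreach ($name in $rsopNames.Keys) {
        $rightObj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
            -Filter "objectClass -eq 'controlAccessRight' -and displayName -eq '$name'" `
            -Properties rightsGuid
        $rightGuids[([guid]$rightObj.rightsGuid).ToString()] = $rsopNames[$name]
    }

    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $emptyGuid  = [guid]::Empty.ToString()

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $objGuid = $ace.ObjectType.ToString()
        $permission = $null

        if ($ace.ActiveDirectoryRights.HasFlag($writeProp) -and $attrGuids.ContainsKey($objGuid)) {
            $permission = "Link GPOs (write $($attrGuids[$objGuid]))"
        }
        elseif ($objGuid -eq $emptyGuid -and
                ($ace.ActiveDirectoryRights.HasFlag($writeProp) -or $ace.ActiveDirectoryRights.HasFlag($genericAll))) {
            # Blanket write rights on the OU also permit linking; worth surfacing when auditing.
            $permission = 'Link GPOs (via broad write rights on all properties)'
        }
        elseif ($ace.ActiveDirectoryRights.HasFlag($extRight) -and $rightGuids.ContainsKey($objGuid)) {
            $permission = $rightGuids[$objGuid]
        }

        if ($permission) {
            [pscustomobject]@{
                Identity   = $ace.IdentityReference.Value
                Permission = $permission
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Usage with a placeholder OU distinguished name; substitute your own.
Get-OuGroupPolicyDelegation -OuDistinguishedName 'OU=East Sales Users,DC=corp,DC=example' |
    Format-Table -AutoSize
```

The output lists each trustee alongside the GPMC-style permission name, which makes it easy to compare against the Delegation tab. The branch that flags blanket write rights is there because an identity with GenericAll or unscoped WriteProperty on the OU can link GPOs just as well as one that was explicitly delegated “Link GPOs”, and that is easy to overlook when only the explicit entry is checked.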

Figure 5: Active Directory Users and Computers can show the rights someone has.

So, Active Directory Users and Computers, while a possible choice for performing Group Policy delegation, isn’t the ideal choice. The ideal choice is to use the Group Policy Management Console, as seen in Figure 6.

Figure 6: The GPMC delegation model

In Figure 6, you can see how much nicer this “one stop shop” layout is. You simply click on the “where” first, say, East Sales Users. Then click on the Delegation tab. You then select the permission, in this case Link GPOs, and select the person you want to have that right.

There’s no hidden stuff and no guessing about who has what rights.

The Group Policy delegation model doesn’t have to be hard… and it isn’t!

Hope this helps you out.