Windows Server 2003 Group Policy Delegation Part I

Group policies are so useful and flexible not just because of what they enable you to do, but also because of how they enable you to do it. GPOs allow you to delegate administrative control over group policies at any level that suits your enterprise’s needs. For example, you might delegate administrative control of an OU’s GPO to a specific user or group within that OU, giving that user or members of that group the ability to make policy changes that affect their level in the domain while restricting them from making changes at higher levels.

You can delegate the following three tasks independently of one another:

• Manage group policy links at the site, domain, and OU levels
• Create GPOs
• Edit GPOs

For example, you might grant the ability to create GPOs only to specific administrative groups, while others have the ability to edit those GPOs. You might also enable certain security groups to manage GPOs at specific levels, while other groups manage other levels. One group might have the ability to manage all GPOs throughout the site, while other groups have the ability to manage GPOs only at the domain level and at all underlying levels. Still other groups might manage only the GPOs that apply at their particular level in the domain.

How you structure delegation within the enterprise depends in large part on the extent of the enterprise. If yours is a small organization with one domain and only two domain controllers (DCs) and a handful of OUs, you’ll probably administer all GPOs yourself. As the enterprise grows to encompass more OUs and more domains, managing GPOs would rapidly become a full-time job. In that scenario, delegation would enable several administrators to control the GPOs that fall under their area of responsibility and knowledge.

The next installment of this article will look more closely at assigning rights to manage group policies.