Windows Server 2003 Group Policy Delegation Part III
The previous installment of this article outlined how to grant a security group the right to log on locally as well as read/write permission to the Sysvol. In addition, you need appropriate administrative permission to the site, domain, or organizational unit (OU) in which the Group Policy Object (GPO) resides. To delegate administration:
- Open the Active Directory Users and Computers console and locate the Active Directory object to delegate (such as an OU).
- Right-click the object, and choose Delegate Control. In the Delegation Of Control Wizard, click Next.
- When prompted by the wizard, click Add to select the users or groups who will have delegated authority, then click Next. Keep in mind that the users or groups you select must have the appropriate rights already discussed to be able to manage GPOs in the selected container.
- From the Tasks To Delegate list, select the tasks for which the specified user or group will have delegated authority. For example, select Manage Group Policy Links to enable the specified user or group to manage links in the selected container.
- Click Finish to complete the wizard.
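After the wizard finishes, it is worth confirming exactly who can now change GPO links on the container. The following read-only audit is an added example, not part of the original article; it assumes a management host with the ActiveDirectory PowerShell module (RSAT) and uses a hypothetical OU distinguished name.

```powershell
# Added example: list who can change GPO links on an OU (read-only audit).
# Assumes the ActiveDirectory module (RSAT), which provides the AD: drive.
Import-Module ActiveDirectory

# Hypothetical OU; replace with the container you delegated.
$ou = 'OU=Sales,DC=example,DC=com'

# schemaIDGUIDs of the attributes that hold a container's GPO links and options.
$linkAttrs = @{
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'gPLink'
    'f30e3bbf-9ff0-11d1-b603-0000f80367c1' = 'gPOptions'
}
$anyAttr     = [guid]::Empty.ToString()   # ACE not limited to one attribute
$rights      = [System.DirectoryServices.ActiveDirectoryRights]
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

(Get-Acl -Path "AD:\$ou").Access | ForEach-Object {
    $ace = $_
    # Skip Deny ACEs and ACEs that only apply to child objects, not this OU.
    if ($ace.AccessControlType -ne 'Allow') { return }
    if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { return }

    $type   = $ace.ObjectType.ToString()
    $reason = $null
    if (($ace.ActiveDirectoryRights -band $rights::WriteProperty) -ne 0) {
        if ($linkAttrs.ContainsKey($type)) { $reason = "Write $($linkAttrs[$type])" }
        elseif ($type -eq $anyAttr)        { $reason = 'Write all properties' }
    }
    # Principals who can rewrite the ACL or take ownership can grant themselves the right.
    if (-not $reason -and
        ($ace.ActiveDirectoryRights -band ($rights::WriteDacl -bor $rights::WriteOwner)) -ne 0) {
        $reason = 'Can modify permissions or owner'
    }
    if ($reason) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Reason    = $reason
            Inherited = $ace.IsInherited
        }
    }
} | Sort-Object Principal | Format-Table -AutoSize
```

Any principal in the output that you did not intend to delegate to, particularly one listed with Inherited set to False, is a candidate for review.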
To delegate control over group policies, you define rights at the container level to control the use of Microsoft Management Consoles (MMC) in general and group policy-related snap-ins in particular. If users can’t load the MMC or the group policy-related snap-ins, they can’t manage group policies, so your next step is to configure access to the MMC and the snap-ins at the container level. To do so:
- Open the Active Directory Users and Computers console and locate the container where you want to configure delegation.
- Right-click the container and choose Properties, then click the Group Policy tab.
- Select the group policy for the object and click Edit. If a group policy doesn’t exist yet, click New to create one.
- In the Group Policy console, expand the branch User Configuration > Administrative Templates > Windows Components > Microsoft Management Console > Restricted/Permitted Snap-ins > Group Policy. (Restricted/Permitted Snap-ins is a single folder name.)
- Double-click a policy to enable or disable it.

One Comment
David
January 8th, 2008
at 8:38am
I think these articles are a bit lacking. I would have liked to see specific rights and configuration settings required to accomplish delegating creating GPOs but not deleting them, being able to create and delete but not block, etc…
Saying “Group Policies” is technically incorrect. It is Group Policy or Group Policy Objects but it is never Group Policies…
I dunno… maybe it’s just that I’m too picky…