Delegation of OU and GPO’s

Recently A department within the School wanted to leverage the capabilities that we currently provide many other departments. They currently run their own domain, and they needed the same amount of control if they were to migrate over to our domain. Of course the “easy” button here is the Delegation of Control Wizard. This gives you the ability to grant a user in your domain or another trusted domain the ability to administer all or a portion of the objects within an OU.

Now, while your newly created OU Admin can create user accounts, computer accounts, organizational units and groups, she does not get the ability to create Group Policies. If you gave the account Full Control you can check permissions on the OU you will see that Create and Delete GroupPolicyContainer objects are checked Allowed. When your admin attempts to create a group policy or run the modeling wizard it will fail with “Access is Denied.”

This is because while she has Full Control at the OU level, her account needs to be added to the Group Policy Objects container in the GPMC interface. Once you have added the account there, your admin will now be able to create/edit/delete gpo’s.

Leave a Reply

Your email address will not be published. Required fields are marked *