
GPO Delegation


Introduction:

Group Policy gives administrators centralized control over the configuration of user settings, operating systems, and applications. A Group Policy Object (GPO) is a collection of Group Policy settings that determines how a system appears and behaves for a given group of users. GPO delegation in AD lets you grant users permission to perform specific Group Policy management tasks that are normally carried out by administrators. You assign Group Policy management rights in Active Directory to a user who is not a member of Enterprise Admins or Domain Admins to accomplish the following tasks:

Why GPO Delegation?

Controlling who may edit GPOs is critical to securing the GPOs themselves, for two primary reasons. First, if the permissions on a GPO are not configured correctly, users and system administrators can simply override its security settings, which defeats the purpose of having GPOs in the first place. Second, allowing many system administrators to create and edit GPOs makes management exceedingly complex. When issues arise, the hierarchical structure of GPO inheritance can make it difficult to identify the source of the problem.

Delegating permissions for a group or user on a Group Policy Object:

Just like other AD objects, security principals can be assigned permissions on a GPO. The following is the list of permissions that can be assigned:

Let’s now look at the steps to set permissions for a GPO.

  1. Using Group Policy Management Console (GPMC):

The following steps illustrate how to set permissions for a GPO using GPMC:

  2. Using PowerShell:

Import-Module GroupPolicy

Set-GPPermission -Name <String> -TargetName <String> -TargetType <PermissionTrusteeType> -PermissionLevel <GPPermissionType>

To set the same permission level on every GPO in the domain, use the following command:

Set-GPPermission -All -TargetName <String> -TargetType <PermissionTrusteeType> -PermissionLevel <GPPermissionType>

GPO Delegation vs Security Filtering: 

Computers or users must have both the Read and Apply permissions on a GPO in order to receive its settings; the GPO is not applied if either permission is missing. When testing a new GPO, you may wish to limit its application to a single user or computer. This is done either by removing Authenticated Users from the GPO’s Access Control List (ACL) entirely or by removing only the Apply permission from Authenticated Users. Then, you manually assign Read and Apply to the user or computer you are using for testing. This technique is mostly used for testing, and in cases where the set of objects the GPO should apply to fits poorly with the OU design. This method is known as Security Filtering.

The second reason to update a GPO’s ACL is Delegation. Delegating GPO administration to regional teams can be accomplished by granting them Write permission on the GPO. This allows you to provision blank GPOs centrally and then assign the local teams to configure them. To enable those teams to set up security filtering for their own testing, you can also grant them the authority to change the GPO ACL.
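The following PowerShell script is an added example, not code from the original article or from Microsoft: it audits the delegation state of every GPO in the domain (who holds edit-level permissions outside an expected admin set) and then applies the security-filtering change described above to one GPO. The GPO name “Pilot GPO”, the group “GPO-Pilot-Users” and the list of expected editors are placeholders for your environment; the script assumes the GroupPolicy RSAT module and a domain-joined session.

```powershell
# Added example (not from the original article): audit GPO delegation and set up
# security filtering for a pilot GPO. Requires the GroupPolicy module (RSAT).
Import-Module GroupPolicy

# Trustees expected to hold edit rights; placeholder list, adjust to your delegation model.
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
$EditLevels      = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

function Get-GpoDelegationReport {
    # One row per (GPO, trustee); Unexpected is $true when a trustee outside the
    # expected set can modify the GPO, which is what the "who can edit GPOs" concern is about.
    foreach ($gpo in Get-GPO -All) {
        foreach ($p in Get-GPPermission -Guid $gpo.Id -All) {
            $level = $p.Permission.ToString()
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Trustee    = $p.Trustee.Name
                Type       = $p.Trustee.TrusteeType
                Permission = $level
                Denied     = $p.Denied
                Unexpected = ($EditLevels -contains $level) -and
                             ($ExpectedEditors -notcontains $p.Trustee.Name)
            }
        }
    }
}

# Show every trustee with edit rights outside the expected admin set.
Get-GpoDelegationReport | Where-Object Unexpected |
    Format-Table Gpo, Trustee, Type, Permission -AutoSize

function Set-GpoPilotFiltering {
    # Security filtering for testing: drop Apply from Authenticated Users but keep Read
    # (since MS16-072 the computer account reads user-side settings, so removing Read
    # entirely breaks user policy processing), then grant Read+Apply to the pilot group.
    param([string]$GpoName, [string]$PilotGroup)
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $PilotGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Return the resulting ACL so the change can be verified.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission
}

Set-GpoPilotFiltering -GpoName 'Pilot GPO' -PilotGroup 'GPO-Pilot-Users'
```

Run the audit part regularly (for example from a scheduled task that writes the report to a log) so that an unexpected edit-level grant on a GPO is noticed rather than discovered when a policy is silently changed.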

To examine and modify a GPO’s permissions, use the Security Filtering and Delegation sections in GPMC. The “Security Filtering” and “Delegation” sections are linked as follows:

AD Delegation Best Practices: 

When it comes to Group Policy, it is critical to limit the number of users who can manage Group Policy Objects. It is equally important to control who can perform actions such as unlinking GPOs and blocking inheritance on Organizational Units. Organizations sometimes grant Admin privileges to anybody who requests them because their administrators do not know how to delegate Active Directory permissions, and this creates a serious security threat to the network. Fortunately, this concern can be avoided by using the Delegation of Control wizard to set security permissions for GPOs. It is therefore recommended to delegate control and fine-tune permissions based on actual requirements.
