PrepAway - Latest Free Exam Questions & Answers

Which two actions should you perform?

Your company has an Active Directory forest. The company has branch offices in three
locations. Each location has an organizational unit.
You need to ensure that the branch office administrators are able to create and apply GPOs
only to their respective organizational units.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)


A.
Run the Delegation of Control wizard and delegate the right to link GPOs for their branch
organizational units to the branch office administrators.

B.
Add the user accounts of the branch office administrators to the Group Policy Creator
Owners Group.

C.
Modify the Managed By tab in each organizational unit to add the branch office
administrators to their respective organizational units.

D.
Run the Delegation of Control wizard and delegate the right to link GPOs for the domain
to the branch office administrators.

Explanation:
Answer) Run the Delegation of Control wizard and delegate the right to link GPOs for their
branch organizational units to the branch office administrators.
Add the user accounts of the branch office administrators to the Group Policy Creator
Owners Group.

http://technet.microsoft.com/en-us/library/cc732524.aspx
Delegate Control of an Organizational Unit
1. To delegate control of an organizational unit
2. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative
Tools, and then double-click Active Directory Users and Computers.
3. In the console tree, right-click the organizational unit (OU) for which you want to delegate
control.
Where?
Active Directory Users and Computers\domain node\organizational unit
4. Click Delegate Control to start the Delegation of Control Wizard, and then follow the
instructions in the wizard.
http://technet.microsoft.com/en-us/library/cc781991%28v=ws.10%29.aspx
Delegating Administration of Group Policy
Your Group Policy design will probably call for delegating certain Group Policy administrative
tasks.
Determining to what degree to centralize or distribute administrative control of Group Policy
is one of the most important factors to consider when assessing the needs of your
organization. In organizations that use a centralized administration model, an IT group
provides services, makes decisions, and sets standards for the entire company. In
organizations that use a distributed administration model, each business unit manages its
own IT group.
You can delegate the following Group Policy tasks:
Creating GPOs
Managing individual GPOs (for example, granting Edit or Read access to a GPO) etc.

Delegating Creation of GPOs
The ability to create GPOs in a domain is a permission that is managed on a per-domain
basis. By default, only
Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and
SYSTEM can create new Group Policy objects. If the domain administrator wants a
non-administrator or non-administrative group to be able to create GPOs, that user or group can
be added to the Group Policy Creator Owners security group. Alternatively, you can use the
Delegation tab on the Group Policy Objects container in GPMC to delegate creation of
GPOs. When a non-administrator who is a member of the Group Policy Creator Owners
group creates a GPO, that user becomes the creator owner of the GPO and can edit the
GPO and modify permissions on the GPO. However, members of the Group Policy Creator
Owners group cannot link GPOs to containers unless they have been separately delegated
the right to do so on a particular site, domain, or OU.
Being a member of the Group Policy Creator Owners group gives the non-administrator full
control of only those GPOs that the user creates. Group Policy Creator Owner members do
not have permissions for GPOs that they do not create.
Note: When an administrator creates a GPO, the Domain Administrators group becomes the
Creator Owner of the Group Policy object. By default, Domain Administrators can edit all
GPOs in the domain.
The right to link GPOs is delegated separately from the right to create GPOs and the right to
edit GPOs. Be sure to delegate both rights to those groups you want to be able to create and
link GPOs. By default, non-Domain Admins cannot manage links, and this prevents them
from being able to use GPMC to create and link a GPO. However, non-Domain Admins can
create an unlinked GPO if they are members of the Group Policy Creator Owners group.
After a non-Domain Admin creates an unlinked GPO, the Domain Admin or someone else
who has been delegated permissions to link GPOs on a container can link the GPO as
appropriate.
Creation of GPOs can be delegated to any group or user. There are two methods of granting
a group or user this permission:
Add the group or user to the Group Policy Creator Owners group. This was the only method
available prior to GPMC.
Explicitly grant the group or user permission to create GPOs. This method is newly available
with GPMC.
You can manage this permission by using the Delegation tab on the Group Policy objects
container for a given domain in GPMC. This tab shows the groups that have permission to
create GPOs in the domain, including the Group Policy Creator Owners group. From this
tab, you can modify the membership of existing groups that have this permission, or add
new groups.
Because the Group Policy Creator Owners group is a domain global group, it cannot contain
members from outside the domain. Being able to grant users permissions to create GPOs
without using Group Policy Creator Owners facilitates delegating GPO creation to users
outside the domain. Without GPMC, this task cannot be delegated to members outside the
domain.
If you require that users outside the domain have the ability to create GPOs, create a new
domain local group in the domain (for example, “GPCO – External”), grant that group GPO
creation permissions in the domain, and then add domain global groups from external
domains to that group. For users and groups in the domain, you should continue to use the
Group Policy Creator Owners group to grant GPO-creation permissions.
Adding a user to the membership of Group Policy Creator Owners and granting the user
GPO-creation permissions directly using the new method available in GPMC are identical in
terms of permissions.
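
The two delegations described above (GPO creation through Group Policy Creator Owners, GPO linking scoped to one OU) can also be scripted and then checked. This is an added example, not taken from the page or the referenced Microsoft documentation; the OU distinguished name and the group name are hypothetical, and it assumes the ActiveDirectory PowerShell module on a domain-joined management host.

```powershell
# Added example. The OU DN and group name are hypothetical placeholders.
Import-Module ActiveDirectory

$ouDn      = 'OU=Branch1,DC=corp,DC=example'   # hypothetical branch OU
$groupName = 'Branch1-Admins'                  # hypothetical branch admin group
$group     = Get-ADGroup -Identity $groupName

# Part 1 (answer B): the right to create GPOs. Add the branch administrators'
# user accounts to Group Policy Creator Owners. They control only GPOs they create.
$users = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' }
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $users

# Part 2 (answer A): the right to link GPOs, scoped to this OU only.
# Linking is governed by read/write access to gPLink and gPOptions on the OU.
# Resolve the attribute GUIDs from the schema instead of hard-coding them.
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$attrGuids = foreach ($name in 'gPLink', 'gPOptions') {
    $attr = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    [System.Guid]$attr.schemaIDGUID
}

$rights  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$write   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All  # OU and child OUs

$acl = Get-Acl -Path "AD:\$ouDn"
foreach ($guid in $attrGuids) {
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $group.SID, $rights, $allow, $guid, $inherit)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: list every principal allowed to write gPLink/gPOptions on this OU.
# An empty ObjectType GUID means "all properties" (for example Full Control).
$scope = $attrGuids + [System.Guid]::Empty
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.AccessControlType -eq $allow -and
                   $_.ObjectType -in $scope -and
                   ($_.ActiveDirectoryRights -band $write) } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
```

Running the final check against the domain root as well shows whether the link right was granted more broadly than the branch OU, which is what option D would do.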

