One of the features of the Active Directory is its ability to delegate control of portions of the directory service. This section explains how Group Policy fits in with the delegation of sites, domains, and organizational units.
The delegation of Group Policy consists of the following four aspects, which can be used together or separately, as a particular situation requires:
Managing Group Policy links for a site, domain, or OU
Editing Group Policy Objects
Creating Group Policy Objects
Specifying Group Policy to Control the Behavior of MMC extensions
The underlying mechanism for achieving delegation using the first three methods is the application of the appropriate DACLs to Group Policy objects and other objects in the Active Directory. This mechanism is identical to using security groups to filter the application of Group Policy objects to various users, as described earlier in this paper.
The fourth method of delegation relies on several policy settings within the Group Policy infrastructure that are designed to control the behavior of the MMC and MMC snap-ins. For example, you can use Group Policy to manage the rights to create, configure, and use MMC consoles, and to control access to individual snap-ins.
Using Security Groups to Delegate Group Policy
The following table lists the default security-permission settings for a Group Policy object:
Groups or Users | Security permission
Authenticated Users | Read with Apply Group Policy ACE
Domain Administrators, Enterprise Administrators, Creator Owner, Local System | Full control without Apply Group Policy ACE
Note: By default, administrators are also authenticated users, which means that they have the Apply Group Policy attribute set. If this is not desired, administrators have two choices:
Remove Authenticated Users from the list on the security tab of the GPO, and add a new security group with the Apply Group Policy and Read attributes set to Allow. This new group should contain all the users that this Group Policy is intended to affect.
Set the Apply Group Policy attribute to Deny for the Domain and Enterprise Administrators, and possibly the Creator Owner groups. This will prevent the GPO from being applied to members of those groups. Remember that an ACE set to Deny always takes precedence over Allow. Therefore, if a given user is a member of another group that is set to explicitly Allow the Apply Group Policy attribute for this GPO, it will still be denied.
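As an added illustration (not code from this paper), the following Python model evaluates the Read and Apply Group Policy ACEs on a GPO the way the note describes: both rights are needed for the GPO to apply, and a matching Deny always beats a matching Allow. The user names, the GPO-Targets group and the ACL contents are constructed for the example; full control is modelled as Read plus Write.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    trustee: str  # user or group the ACE names
    right: str    # "Read", "Write" or "Apply Group Policy"
    allow: bool   # True for an Allow ACE, False for a Deny ACE

def has_right(acl, principals, right):
    """Effective check for one right: a matching Deny always beats a matching Allow."""
    matching = [a for a in acl if a.trustee in principals and a.right == right]
    if any(not a.allow for a in matching):
        return False
    return any(a.allow for a in matching)

def gpo_applies(acl, principals):
    """The GPO is applied only to users holding both Read and Apply Group Policy."""
    return has_right(acl, principals, "Read") and has_right(acl, principals, "Apply Group Policy")

def can_edit(acl, principals):
    """Editing needs Read and Write; Apply Group Policy is not required."""
    return has_right(acl, principals, "Read") and has_right(acl, principals, "Write")

# Default DACL from the table above: Authenticated Users get Read plus Apply
# Group Policy; the administrative groups get full control (modelled here as
# Read and Write) without Apply Group Policy.
DEFAULT_ACL = [
    Ace("Authenticated Users", "Read", True),
    Ace("Authenticated Users", "Apply Group Policy", True),
    Ace("Domain Admins", "Read", True),
    Ace("Domain Admins", "Write", True),
]
# Second choice from the note: an explicit Deny on Apply Group Policy for admins.
DENY_ADMINS_ACL = DEFAULT_ACL + [Ace("Domain Admins", "Apply Group Policy", False)]
# First choice: drop Authenticated Users and target a purpose-built group
# (GPO-Targets is a constructed group name).
TARGET_GROUP_ACL = [Ace("GPO-Targets", "Read", True),
                    Ace("GPO-Targets", "Apply Group Policy", True)] + DEFAULT_ACL[2:]

# Constructed token contents: the principal plus every group it belongs to.
ADMIN = {"alice", "Domain Admins", "Authenticated Users"}
USER = {"bob", "Authenticated Users", "GPO-Targets"}

if __name__ == "__main__":
    print(gpo_applies(DEFAULT_ACL, ADMIN))       # True: admins are authenticated users too
    print(gpo_applies(DENY_ADMINS_ACL, ADMIN))   # False: Deny wins over the Allow via Authenticated Users
    print(gpo_applies(TARGET_GROUP_ACL, ADMIN))  # False: admins are not in the target group
    print(gpo_applies(TARGET_GROUP_ACL, USER))   # True
    print(can_edit(DEFAULT_ACL, USER))           # False: Read without Write
```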
Managing Group Policy Links for a Site, Domain, or OU
The Group Policy tab in the Properties page for a site, domain, or OU allows the administrator to specify which Group Policy objects are linked to this site, domain, or OU. This property page stores the user’s choices in two Active Directory properties called gPLink and gPOptions. The gPLink property contains the prioritized list of Group Policy objects and the gPOptions property contains the Block Policy Inheritance setting.
To manage GPO links to a site, domain, or OU, you must have read and write access to the gPLink and gPOptions properties. By default, domain administrators have this permission for domains and OUs, and only Enterprise Administrators and Domain Administrators of the forest root domain can manage links to sites.
The Active Directory supports security settings on a per-property basis. This means that a non-administrator can be given read and write access to specific properties. In this case, if non-administrators have read and write access to the gPLink and gPOptions properties, they can manage the list of GPOs linked to that site, domain, or OU. To give a user Read and Write access to these properties, use the Delegation Wizard and select the Manage Group Policy links predefined task.
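As an added example (not code from this paper), this Python snippet decodes the two attributes the Group Policy tab writes: gPLink holds each linked GPO as an entry of the form [LDAP://distinguished-name;flags], where flag bit 1 marks a disabled link and bit 2 an enforced (No Override) link, and gPOptions bit 1 is Block Policy Inheritance. The attribute values and GUIDs below are constructed placeholders, not real GPOs.

```python
import re

# One gPLink entry: "[LDAP://<GPO DN>;<flags>]", entries concatenated without separators.
LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)

# Per-link option bits stored after the ';' in each gPLink entry.
LINK_DISABLED = 0x1
LINK_ENFORCED = 0x2   # "No Override" in the Windows 2000 UI

# gPOptions bit on the site, domain or OU itself.
BLOCK_INHERITANCE = 0x1

def parse_gplink(gplink):
    """Return the links in stored order, each as (dn, disabled, enforced)."""
    links = []
    for dn, flags in LINK_RE.findall(gplink or ""):
        flags = int(flags)
        links.append((dn, bool(flags & LINK_DISABLED), bool(flags & LINK_ENFORCED)))
    return links

def active_links(gplink):
    """Links that will actually be processed: disabled links are skipped."""
    return [(dn, enforced) for dn, disabled, enforced in parse_gplink(gplink) if not disabled]

def blocks_inheritance(gpoptions):
    """True when the container's gPOptions has Block Policy Inheritance set."""
    return bool(int(gpoptions or 0) & BLOCK_INHERITANCE)

# Constructed OU attribute values (placeholder GUIDs and domain).
SAMPLE_GPLINK = (
    "[LDAP://cn={11111111-1111-1111-1111-111111111111},cn=policies,cn=system,DC=example,DC=com;0]"
    "[LDAP://cn={22222222-2222-2222-2222-222222222222},cn=policies,cn=system,DC=example,DC=com;2]"
    "[LDAP://cn={33333333-3333-3333-3333-333333333333},cn=policies,cn=system,DC=example,DC=com;1]"
)
SAMPLE_GPOPTIONS = "1"

if __name__ == "__main__":
    for dn, disabled, enforced in parse_gplink(SAMPLE_GPLINK):
        state = ("disabled" if disabled else "active") + (", enforced" if enforced else "")
        print(dn.split(",")[0], state)
    print("Block Policy Inheritance:", blocks_inheritance(SAMPLE_GPOPTIONS))
```

A user who can read gPLink but not write it can only list the links this way; managing them needs the write access the text describes.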
Example 1
In this example, control of an organizational unit is delegated to a non-administrative user so that a user or group of users can select from existing Group Policy Objects and apply them to users, but not create new Group Policy Objects.
1. In the Active Directory Users and Computers snap-in, right-click the Organizational Unit that you want to delegate, and select Delegate Control.
2. In the Delegate Control Wizard, press Next to go past the introduction page.
3. You will be asked to confirm the OU that you want to delegate. Press Next.
4. You will be prompted for the names of the users and groups to which you want to delegate control. Select a previously defined user or group, and press Next.
5. In the list of Predefined Tasks, select Manage Group Policy links, and press Next.
6. Press Finish to complete the changes.
The user or the members of the group that you selected in step 4 will be able to change the list of Group Policy links for the OU selected in step 1.
Creating Group Policy Objects
By default, only domain administrators, enterprise administrators, Group Policy Creator Owners, and the operating system can create new Group Policy objects. If the domain administrator wants a non-administrator or group to be able to create GPOs, that user or group can be added to the Group Policy Creator Owners security group. When a non-administrator who is a member of the Group Policy Creator Owners group creates a GPO, that user becomes the creator and owner of the GPO; therefore, the user can edit the GPO. Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only those GPOs that the user creates or those explicitly delegated to that user; it does not give the non-administrator any additional rights over other GPOs for the domain—these users are not granted rights over GPOs they didn’t create.
Note that when an administrator creates a GPO, the Domain Administrators group becomes the Creator Owner of the Group Policy Object.
When delegating to non-administrators, you should also consider delegating the ability to manage the links for a specific OU. By default, non-administrators cannot manage links, which prevents them from using the Active Directory Users and Computers snap-in even to create a Group Policy object. There is a work-around: these users can create a custom MMC console and create a GPO from the All tab.
Example 2
In this example, control of an organizational unit is delegated to a non-administrator user so that the user or group of users can select from existing Group Policy objects and also create new Group Policy objects.
1. Complete all the steps in Example 1 above.
2. To allow creation of new Group Policy objects, you need to add the user or group of users to the Group Policy Creator Owners group. In the Active Directory Users and Computers tool, navigate to the Users container in the root of the domain.
3. Double-click Group Policy Creator Owners.
4. In the Properties page, select the Members tab.
5. Press Add, and add the group of users (or user) selected above to the security group.
The user or group of users will be able to create new Group Policy objects. The user who creates each object becomes the Creator Owner of that GPO.
Editing Group Policy Objects
To edit a GPO, the user must have both read and write access to the GPO. For the current release of the product, read-only support for opening a GPO is not provided. To edit a GPO, the user must be one of the following:
An administrator.
A Creator Owner.
A user with delegated access to the GPO. That is, an administrator, or the Creator Owner, must have provided to this user both read and write access to the GPO by using the Security tab in the GPO Properties page.
By default, Domain Administrators, Enterprise Administrators, the operating system, and the GPO Creator Owner can edit GPOs because they have full control of GPOs without the Apply Group Policy attribute.
Example 3
In this example, control of a Group Policy object is delegated to a non-administrator user or group of users.
1. Open a Group Policy object in the Group Policy snap-in.
2. Right-click on the root node, select Properties, and click Security.
3. Press Add to add the user or group of users, and give them read and write access. At this point, decide whether the users should also have the policy applied to them or just be able to edit it. If they do not need the policy applied to them, clear the Apply Group Policy option.
4. Press OK to save the changes.
The user or group of users will be able to edit the Group Policy object.
Specifying Group Policy to Control the Behavior of MMC extensions
Windows 2000 Group Policy includes several policy settings designed to control the behavior of MMC snap-ins. For example, you can use Group Policy to manage the rights to use MMC snap-ins.
Restricting Access to a List of Permitted Snap-ins
Administrators can specify which MMC snap-ins the affected user may run and which the user may not. The list can be inclusive (only the listed snap-ins may run) or exclusive (the listed snap-ins may not run, and all others may).
To create a list of permitted snap-ins for users, enable the Restrict users to the explicitly permitted list of snap-ins policy. When this policy is enabled, only permitted snap-ins can be run. If this policy is disabled or not configured, all snap-ins are permitted, except those you explicitly prohibit.
This policy is available in the Group Policy console under the User Configuration\Administrative Templates\Windows Components\Microsoft Management Console node. For more information on this policy setting, double-click the policy in the details pane, and click the Explain tab.
Controlling Access to a Snap-in
To restrict or explicitly permit access to a particular snap-in, navigate to User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy in the console tree. In the details pane, double-click the snap-in that you want to permit or restrict, and then select an option. For more information on these policy settings, double-click the desired policy in the details pane, and click the Explain tab, as shown in Figure 5, below.
Figure 5. Controlling access to a snap-in
Preventing Use of MMC in Author Mode
Administrators can enable the Restrict the user from entering author mode policy in order to prevent users from using MMC in author mode. This policy is available in the Group Policy console under the User Configuration\Administrative Templates\Windows Components\Microsoft Management Console node.
For more information on these policy settings, double-click the policy in the details pane, and then click the Explain tab in the policy Properties dialog box.
Creating Custom Group Policy Snap-in Consoles
You can create custom Group Policy MMC consoles (.msc files), which include only a subset of the Group Policy snap-in extensions. You can combine this with the use of the policy settings above to provide a customized tool. For example, you could create a custom Group Policy console that includes only the Security Settings extension. This allows you to define Group Policy settings in a modular fashion.
To start Group Policy as a stand-alone snap-in
1. Click Start, click Run, type MMC, and then press Enter.
2. In the MMC window, on the Console menu, click Add/Remove Snap-in.
3. On the Standalone tab, click Add.
4. In the Add Standalone Snap-in dialog box, click Group Policy, and then click Add.
5. In the Select Group Policy Object dialog box, click Browse to find the GPO you want to manage, and then click OK.
6. Click Finish in the Select Group Policy Object dialog box, and then click Close in the Add Standalone Snap-in dialog box.
7. Select the Extensions tab, and select the extension snap-ins you want to use.
8. Click OK. The Group Policy snap-in opens with focus on the GPO you specified.
9. After you specify the policies you want to use, click Save As on the Console menu to save your settings (in a .msc file).
To set access permissions, use the Security tab on the Properties page of the selected GPO. These permissions allow or deny specified groups access to the GPO.