1 00:00:03,070 --> 00:00:05,780 So now I want to talk about Group Policy 2 00:00:05,800 --> 00:00:06,640 delegation. 3 00:00:07,570 --> 00:00:12,760 And more specifically, Group Policy management delegation, because we're going to talk about more 4 00:00:12,760 --> 00:00:15,700 than just delegating access to GPOs here. 5 00:00:16,670 --> 00:00:21,470 So in terms of Group Policy management, what actually can be delegated? 6 00:00:22,450 --> 00:00:24,610 Well, there's actually quite a bit. 7 00:00:25,600 --> 00:00:30,610 In the GPMC, you can get access to quite a granular security model. 8 00:00:31,620 --> 00:00:37,200 So GPO creation can be delegated, GPO editing, of course, GPO linking. 9 00:00:37,380 --> 00:00:40,110 So who can link to which OUs, sites and domains. 10 00:00:41,120 --> 00:00:46,580 The ability to perform Resultant Set of Policy modeling, which is something we haven't talked about 11 00:00:46,610 --> 00:00:46,970 yet. 12 00:00:47,930 --> 00:00:52,580 We've talked about RSoP logging, which is also called Group Policy Results. 13 00:00:53,550 --> 00:00:59,730 But both of those operations can be delegated, so you can control who can do which of those operations. 14 00:01:00,720 --> 00:01:03,690 WMI filter creation and editing. 15 00:01:04,610 --> 00:01:06,860 And starter GPO creation. 16 00:01:07,780 --> 00:01:14,110 And I haven't yet introduced the concept of starter GPOs, which I'm about to do in this module. 17 00:01:15,120 --> 00:01:20,040 So we'll wait on that section to talk a little bit more about what a starter GPO is. 18 00:01:21,010 --> 00:01:24,280 But these are all the operations that you can delegate. 19 00:01:25,250 --> 00:01:32,570 Now in terms of where you do this within the GPMC, most of this stuff is accessible through the GPMC. 20 00:01:33,500 --> 00:01:38,810 In fact, all of it that I'm going to talk about is accessible through the GPMC. 
21 00:01:39,750 --> 00:01:45,840 And what I'll say is that when it comes to delegating, doing delegation operations against Group Policy 22 00:01:45,840 --> 00:01:51,780 stuff, your best bet is to do it through the GPMC rather than trying to figure out how to do it against 23 00:01:51,780 --> 00:01:54,600 native Active Directory objects or permissions. 24 00:01:55,560 --> 00:02:01,470 And the reason I say that is because I've seen some folks try to work around the GPMC model by delegating 25 00:02:01,470 --> 00:02:07,200 under the covers using Active Directory directly, and GP doesn't always respond well to that unless 26 00:02:07,200 --> 00:02:09,930 you've done it really consistently across the board. 27 00:02:10,890 --> 00:02:14,880 So using GPMC to do delegation is your best bet. 28 00:02:15,830 --> 00:02:21,710 And in this case, if I right-click on the Group Policy Objects node, I can delegate the right to create 29 00:02:21,710 --> 00:02:23,480 GPOs in this domain. 30 00:02:24,410 --> 00:02:30,260 And as you'll note here, the Domain Admins group, a special group called Group Policy Creator Owners, 31 00:02:31,200 --> 00:02:36,990 and the local system account have this right today, or have this right by default in the domain. 32 00:02:37,960 --> 00:02:41,600 So these are the groups that can create GPOs by default. 33 00:02:42,590 --> 00:02:49,550 So with respect to delegating the linking of GPOs to containers or RSoP modeling and logging on computers 34 00:02:49,550 --> 00:02:50,720 in those containers, 35 00:02:51,700 --> 00:02:56,950 if you right-click on a container, as you can see in this diagram, I'm right-clicking on the client 36 00:02:56,950 --> 00:03:02,350 OU and hitting the Delegation tab, and I get a dropdown list of things that I can delegate. 37 00:03:03,280 --> 00:03:09,310 And what this means is for each of these permissions, link GPOs, perform Group Policy Modeling analysis 38 00:03:09,310 --> 00:03:10,690 and read results data, 
39 00:03:11,690 --> 00:03:14,360 I can delegate to different groups of folks. 40 00:03:15,370 --> 00:03:18,640 So I can delegate who can link GPOs to this client 41 00:03:18,640 --> 00:03:19,270 OU. 42 00:03:20,230 --> 00:03:26,200 I can delegate who can perform Group Policy Modeling against computers in this OU or who can perform 43 00:03:26,200 --> 00:03:33,040 Group Policy Results or Group Policy logging to computers in the OU. So you can set this either at 44 00:03:33,040 --> 00:03:36,980 the OU level or at the domain level or even at the site level. 45 00:03:37,000 --> 00:03:41,800 You can set each of these rights for linking, Group Policy Modeling and Group Policy Results. 46 00:03:42,760 --> 00:03:45,520 In terms of delegating who can edit GPOs, 47 00:03:45,700 --> 00:03:51,850 once a GPO has been created, you can click the GPO under the Group Policy Objects container. 48 00:03:52,800 --> 00:04:00,000 And on the Delegation tab you can control who can read the GPO, who can edit settings, delete or modify 49 00:04:00,000 --> 00:04:00,720 security. 50 00:04:01,680 --> 00:04:07,820 And that permission is actually granting the user the ability to modify the delegation of the GPO itself. 51 00:04:07,830 --> 00:04:13,200 Or you can just grant the edit settings permission, in which case they'll be able to edit the GPO, 52 00:04:13,470 --> 00:04:17,460 but they won't be able to delete or modify security on the GPO. 53 00:04:18,350 --> 00:04:24,380 Now with WMI filters, if you click on the WMI Filters container, you'll have the Delegation tab 54 00:04:24,380 --> 00:04:31,600 available to you and you can delegate who can create and edit GPO, or sorry, WMI filters in this domain. 55 00:04:31,610 --> 00:04:33,920 And similarly with starter GPOs, 56 00:04:34,890 --> 00:04:40,980 if you've enabled starter GPOs in your domain, you can use the Delegation tab to enable who can create 57 00:04:40,980 --> 00:04:43,200 starter GPOs in the environment. 
58 00:04:44,190 --> 00:04:50,970 So you get all of these delegation capabilities within GPMC and the ability to delegate at a very fine 59 00:04:50,970 --> 00:04:57,750 grained level who can create, edit, link, reposition, create WMI filters, all sorts of activities 60 00:04:57,750 --> 00:04:59,820 related to Group Policy management. 61 00:05:00,810 --> 00:05:05,160 So let's dive in and take a look at some of this in my test system here.