1
00:00:03,080 --> 00:00:08,570
So let's look at a scenario where we want to delegate the ability for Joe Sales in the sales group to

2
00:00:08,570 --> 00:00:11,120
temporarily be a group policy admin guy.

3
00:00:11,240 --> 00:00:17,270
And Joe Sales needs to be able to create a GPO and link it to the sales users OU, which you see here

4
00:00:17,270 --> 00:00:18,380
in GPMC.

5
00:00:19,320 --> 00:00:25,620
So right now if I right-click on the users OU as Joe Sales you'll see all of these options are grayed

6
00:00:25,620 --> 00:00:25,920
out.

7
00:00:26,890 --> 00:00:29,170
I can't do pretty much anything against this

8
00:00:29,170 --> 00:00:29,920
OU.

9
00:00:30,810 --> 00:00:36,180
And if I try to come down under the Group Policy Objects container and let's say I want to create a

10
00:00:36,180 --> 00:00:37,260
new GPO.

11
00:00:38,130 --> 00:00:44,700
If I go ahead and say New and I'm going to say Joe Sales GPO and click OK, I get access denied.

12
00:00:45,690 --> 00:00:51,060
So at this point, Joe Sales can't really do anything from a group policy admin perspective.

13
00:00:52,020 --> 00:00:57,270
So what I'm going to do is I'm going to come over to my GP Management Console running on my Active

14
00:00:57,270 --> 00:01:01,760
Directory domain controller, and I'm going to go ahead and delegate Joe Sales

15
00:01:01,770 --> 00:01:03,870
the ability to create GPOs.

16
00:01:04,840 --> 00:01:10,750
Now what I'd actually prefer to do is to delegate it to a group rather than an individual user.

17
00:01:11,730 --> 00:01:16,590
So what I'm going to do instead of that is I'm going to come down here and I'm going to create a new

18
00:01:16,590 --> 00:01:19,710
group and I'm going to call this group Sales Admins.

19
00:01:20,660 --> 00:01:24,110
And once that group's created, I've got a global group here

20
00:01:24,110 --> 00:01:24,980
I've created.

21
00:01:25,920 --> 00:01:27,720
I'm going to go ahead and add.
22
00:01:28,690 --> 00:01:31,900
I'm going to add Joe Sales to the Sales Admins group.

23
00:01:32,870 --> 00:01:37,100
So I'm going to go ahead under Members and say add Joe to Sales Admins.

24
00:01:38,040 --> 00:01:43,950
And I'm going to come back to GPMC and I'm going to say add a delegation on the Group Policy Objects

25
00:01:43,950 --> 00:01:44,580
container.

26
00:01:45,580 --> 00:01:49,480
So that Sales Admins can create GPOs in the domain.

27
00:01:50,410 --> 00:01:54,940
And so now Sales Admins can create GPOs in this domain.

28
00:01:55,840 --> 00:01:57,490
And if I come down to the sales

29
00:01:57,490 --> 00:02:01,450
OU, I want to let Sales Admins link GPOs to the users

30
00:02:01,480 --> 00:02:02,980
OU under the sales

31
00:02:02,980 --> 00:02:03,550
OU.

32
00:02:04,480 --> 00:02:06,970
So if I come over to Delegation here.

33
00:02:08,000 --> 00:02:11,060
I select Link and I add Sales Admins.

34
00:02:12,010 --> 00:02:15,520
Go ahead and check names on that and grab the right group.

35
00:02:16,470 --> 00:02:20,790
And I can say, do I want it on this container and all child containers?

36
00:02:21,760 --> 00:02:25,730
Well, I don't have any child containers under sales or under users.

37
00:02:25,990 --> 00:02:30,940
But I'm going to go ahead and select this container only just to make sure that it stays that way.

38
00:02:31,900 --> 00:02:38,320
So now the Sales Admins members can link GPOs to the users container and they can create GPOs.

39
00:02:39,320 --> 00:02:41,270
So let's go back over to our client.

40
00:02:41,390 --> 00:02:46,970
And since I added Joe Sales to a new group, I'm going to have to log out and log back in in order for

41
00:02:46,970 --> 00:02:49,310
that Joe Sales membership to take effect.

42
00:02:49,520 --> 00:02:51,230
So I'm going to do that right now.

43
00:02:52,150 --> 00:02:54,940
And now I'm logging back in as Joe Sales.
44
00:02:55,890 --> 00:03:00,240
And this time I'll get my group membership in Sales Admins for my new session.

45
00:03:01,180 --> 00:03:01,720
Okay.

46
00:03:01,840 --> 00:03:04,600
I'm going to go ahead and run GPMC.

47
00:03:05,530 --> 00:03:09,430
And let's go ahead and go down to the Group Policy Objects container.

48
00:03:10,420 --> 00:03:12,790
And I'm going to say New GPO.

49
00:03:13,740 --> 00:03:18,570
So I'm going to go ahead and create a new GPO called Sales Admins GPO.

50
00:03:19,460 --> 00:03:21,770
And it let me create that GPO.

51
00:03:22,730 --> 00:03:23,840
So there it is.

52
00:03:24,790 --> 00:03:30,490
And if I look at the delegation on the GPO, you'll see that Joe Sales, not the Sales Admins group,

53
00:03:30,700 --> 00:03:34,450
but Joe Sales has been given full control over that GPO.

54
00:03:35,350 --> 00:03:41,470
So what happened there is that Joe Sales, as a member of the Sales Admins group, created the GPO and

55
00:03:41,470 --> 00:03:46,300
his individual account has been given delegation to the GPO to make changes to it.

56
00:03:47,300 --> 00:03:53,330
So even though there might be another Sales Admins user, that user is not going to have access to the

57
00:03:53,330 --> 00:03:55,520
GPO that Joe Sales created.

58
00:03:56,510 --> 00:03:59,150
They're not going to be able to make changes to it.

59
00:04:00,130 --> 00:04:03,700
That's an important point to note about delegating access.

60
00:04:04,730 --> 00:04:10,310
Then when I go in under sales users and I'm going to right-click and you'll notice that now these options

61
00:04:10,310 --> 00:04:11,300
are not grayed out.

62
00:04:12,220 --> 00:04:15,880
And I can go ahead and say Link an Existing GPO.

63
00:04:16,770 --> 00:04:20,430
And I can link the Sales Admins GPO and I'm good to go.

64
00:04:21,360 --> 00:04:25,050
Now, one thing to note is if I wanted to try to link to the marketing

65
00:04:25,050 --> 00:04:25,590
OU,
66
00:04:25,590 --> 00:04:26,820
I still can't do it.

67
00:04:27,820 --> 00:04:30,040
So that's not available to me.

68
00:04:31,010 --> 00:04:36,470
Just because I have access to the sales OU doesn't mean I have access to the marketing OU.

69
00:04:37,340 --> 00:04:43,280
And in fact, if I go up to the parent level of the sales users OU, I can't link there as well.

70
00:04:44,250 --> 00:04:49,020
So only this delegated container can I link to using this permission.

71
00:04:49,960 --> 00:04:53,110
One other thing I want to mention about the delegation.

72
00:04:54,020 --> 00:04:59,060
Remember that I mentioned that when you're on a container, you can delegate Group Policy Modeling and

73
00:04:59,060 --> 00:05:00,980
Group Policy Results as well.

74
00:05:01,920 --> 00:05:05,580
The Group Policy Results option actually does two things.

75
00:05:06,540 --> 00:05:09,480
The first thing it does is it lets you run as a user.

76
00:05:09,510 --> 00:05:14,190
It lets you run Group Policy Results against computers that are in this OU.

77
00:05:15,090 --> 00:05:20,180
The other thing it does, interestingly enough, is it lets you do remote update.

78
00:05:21,160 --> 00:05:24,250
I introduced this concept in an earlier version.

79
00:05:24,250 --> 00:05:25,750
In an earlier module.

80
00:05:26,730 --> 00:05:32,490
Remote Group Policy Update is a feature on Windows 8.x and later versions like Windows 10 and

81
00:05:32,490 --> 00:05:38,880
Server 2012 R2, in Server 2012 or later versions like Server 2022.

82
00:05:39,740 --> 00:05:45,830
And the only way to delegate, in other words, control who can do group policy update is to grant them

83
00:05:45,830 --> 00:05:50,540
the seemingly unrelated permission of Read Group Policy Results.
84
00:05:51,550 --> 00:05:57,550
So by granting this right, you grant the user both the ability to run RSoP against the remote system

85
00:05:57,550 --> 00:06:01,420
and also to do a remote GP update against that remote system.

86
00:06:02,380 --> 00:06:04,360
So just something to keep in mind.

87
00:06:05,340 --> 00:06:10,410
Not well-documented at all, but something that's important to know if you're planning to roll out the

88
00:06:10,410 --> 00:06:13,020
ability to do remote group policy updates.