How to delegate permissions to create GPOs in Windows

Group Policy is a feature in Windows that provides centralized management and configuration of operating systems, applications, and users’ settings in an Active Directory environment. Delegating permissions to create GPOs is essential for distributing administrative tasks while maintaining security and compliance. This article offers a step-by-step guide for system administrators on how to delegate permissions to create Group Policy Objects (GPOs) in a Windows environment.

Understanding GPO Delegation

Before proceeding, it’s important to understand that delegating GPO creation rights doesn’t automatically grant the right to link GPOs to Organizational Units (OUs). These permissions must be managed separately, often for good reason, as linking GPOs can significantly impact the network’s operation.

Prerequisites

  • Access Rights: Ensure you have administrative privileges in the Active Directory (AD) environment.
  • Group Policy Management Console (GPMC): This tool is used for managing GPOs and must be installed.

Step-by-Step Guide to Delegate GPO Creation Permissions

Step 1: Open Group Policy Management Console

Access GPMC by searching for “Group Policy Management” in the Start menu or by opening the management console snap-in directly (gpmc.msc).

Step 2: Accessing Group Policy Objects

In the GPMC, navigate to the “Group Policy Objects” folder in the forest and domain where you want to delegate control.

Step 3: The Delegation Tab

Select the “Group Policy Objects” folder. Then, in the details pane, click on the “Delegation” tab.

Step 4: Adding a User or Group

Click the “Add” button to delegate control to a user or group. In the “Select User, Computer, or Group” dialog box, enter the name of the user or group to whom you want to delegate GPO creation permissions. Click “OK” once you have selected the appropriate entity.

Step 5: Setting Permissions

In the “Permissions” dialog box, select the “Creator Owner” group. Then, under the “Permissions” section, check the “Create Group Policy Objects” permission. Click “OK” to apply these settings.

Advanced Delegation and Use Cases

1. Restricting GPO Linking Permissions

After delegating GPO creation rights, you might also need to control who can link GPOs to OUs. This is a separate permission that can be granted at the OU level.

2. Delegating Edit Permissions

For users to edit the GPOs they create, grant them “Edit Settings, Delete, Modify Security” permissions. This can be done through the same delegation tab but for specific GPOs.

3. Creating GPOs with the Delegated Account

After delegation, the user or group can create GPOs within the scope of their permissions. However, they might not have rights to link these GPOs to specific OUs without further permissions.

4. Use Case: Departmental GPO Management

Delegating GPO creation to departmental IT staff can help decentralize certain IT management tasks, allowing department-specific policies to be managed more directly.

5. Use Case: Compliance and Auditing

In environments where changes to group policies need to be audited or comply with certain standards, delegating creation rights to specific administrators or groups can streamline this process.

Security Considerations

  • Principle of Least Privilege: Always adhere to the principle of least privilege, granting only the necessary permissions to each user or group.
  • Regular Reviews: Periodically review delegated permissions to ensure they still align with current roles and security policies.
  • Audit Logs: Use audit logs to track changes made to GPOs and ensure compliance with organizational policies.
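
To support the regular reviews above, and the point that creating and linking GPOs are separate rights, here is an added example (not part of the original article) that classifies access control entries into "can create GPOs" and "can link GPOs" and reports trustees outside an approved baseline. The function name, the EXAMPLE domain, the group names and the sample ACEs are constructed assumptions; the two schema GUIDs are the standard Active Directory values for the groupPolicyContainer class and the gPLink attribute.

```powershell
# Added example, not from the original article. Names and sample ACEs are constructed.
Add-Type -AssemblyName System.DirectoryServices
$GpcClass   = [guid]'f30e3bc2-9ff0-11d1-b603-0000f80367c1'  # schema GUID: groupPolicyContainer class
$GpLinkAttr = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'  # schema GUID: gPLink attribute
$AnyObject  = [guid]::Empty                                 # ACE not limited to one class/attribute

function Get-GpoDelegationFinding {
    param(
        [Parameter(Mandatory)] [ValidateSet('CreateGPO', 'LinkGPO')] [string] $Right,
        [Parameter(Mandatory)] [string]   $Container,   # DN the ACEs were read from
        [Parameter(Mandatory)] [object[]] $AccessRule,  # ACEs of that container
        [string[]] $Approved = @()                      # trustees expected to hold the right
    )
    # CreateGPO: CreateChild of groupPolicyContainer objects, checked on CN=Policies,CN=System.
    # LinkGPO:   WriteProperty on gPLink, checked on the OU, site or domain being linked to.
    if ($Right -eq 'CreateGPO') { $bit = 'CreateChild';   $scope = $AnyObject, $GpcClass }
    else                        { $bit = 'WriteProperty'; $scope = $AnyObject, $GpLinkAttr }
    $mask = [int][System.DirectoryServices.ActiveDirectoryRights]$bit
    foreach ($ace in $AccessRule) {
        # Casting to the flags enum means GenericAll / GenericWrite are caught by the bit test
        $rights = [int][System.DirectoryServices.ActiveDirectoryRights]$ace.ActiveDirectoryRights
        if ("$($ace.AccessControlType)" -ne 'Allow' -or ($rights -band $mask) -eq 0) { continue }
        if ($ace.ObjectType -notin $scope) { continue }   # ACE targets some other class/attribute
        [pscustomobject]@{
            Container = $Container
            Trustee   = "$($ace.IdentityReference)"
            Right     = $Right
            Approved  = "$($ace.IdentityReference)" -in $Approved
        }
    }
}

# Constructed sample ACEs. Live data: Import-Module ActiveDirectory; (Get-Acl "AD:\$policiesDn").Access
function New-SampleAce($Who, $Rights, $ObjectType) {
    [pscustomobject]@{ IdentityReference = $Who; ActiveDirectoryRights = $Rights
                       ObjectType = $ObjectType; AccessControlType = 'Allow' }
}
$policiesDn   = 'CN=Policies,CN=System,DC=example,DC=com'
$policiesAces = @(
    New-SampleAce 'EXAMPLE\Domain Admins'               'GenericAll'  $AnyObject
    New-SampleAce 'EXAMPLE\Group Policy Creator Owners' 'CreateChild' $AnyObject
    New-SampleAce 'EXAMPLE\HR-IT-Staff'                 'CreateChild' $GpcClass
    New-SampleAce 'NT AUTHORITY\Authenticated Users'    'GenericRead' $AnyObject
)
$ouDn   = 'OU=HR,DC=example,DC=com'
$ouAces = @(
    New-SampleAce 'EXAMPLE\Domain Admins' 'GenericAll'                  $AnyObject
    New-SampleAce 'EXAMPLE\Helpdesk'      'ReadProperty, WriteProperty' $GpLinkAttr
)
$approved = 'EXAMPLE\Domain Admins', 'EXAMPLE\Group Policy Creator Owners'
$findings = @(Get-GpoDelegationFinding -Right CreateGPO -Container $policiesDn -AccessRule $policiesAces -Approved $approved) +
            @(Get-GpoDelegationFinding -Right LinkGPO   -Container $ouDn       -AccessRule $ouAces       -Approved $approved)
$findings | Where-Object { -not $_.Approved } | Format-Table -AutoSize
```

With the sample data, the report lists HR-IT-Staff as able to create GPOs but not link them to the HR OU, and Helpdesk as able to link GPOs there without being able to create any.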

Troubleshooting

  • Permission Issues: If a user is unable to create GPOs post-delegation, ensure that they are added correctly in the GPMC and have the necessary permissions.
  • Propagation Delays: Sometimes, changes in permissions may take time to propagate through the network. Ensure adequate time has passed before troubleshooting.

Conclusion

Delegating permissions to create GPOs is a vital aspect of managing a Windows-based network environment. It allows for efficient distribution of administrative tasks while maintaining necessary control and security. By following the steps outlined in this guide, system administrators can delegate these permissions effectively, ensuring that GPO management aligns with organizational structures and security policies.
