Which two actions should you perform?

Your company has an Active Directory forest.
The company has branch offices in three locations.
Each location has an organizational unit.
You need to ensure that the branch office administrators are able to create and apply GPOs only to
their respective organizational units.
Which two actions should you perform?
(Each correct answer presents part of the solution. Choose two.)

A.
Run the Delegation of Control wizard and delegate the right to link GPOs for their branch organizational
units to the branch office administrators.

B.
Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.

C.
Modify the Managed By tab in each organizational unit to add the branch office administrators to their
respective organizational units.

D.
Run the Delegation of Control wizard and delegate the right to link GPOs for the domain to the branch office
administrators.

Explanation:
Answer: Run the Delegation of Control wizard and delegate the right to link GPOs for their branch
organizational units to the branch office administrators.
Add the user accounts of the branch office administrators to the Group Policy Creator Owners Group.
http://technet.microsoft.com/en-us/library/cc732524.aspx
Delegate Control of an Organizational Unit
1. To delegate control of an organizational unit
2. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative
Tools and then double-click Active Directory Users and Computers.
3. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.
Where?
Active Directory Users and Computers\ domain node \ organizational unit
4. Click Delegate Control to start the Delegation of Control Wizard, and then follow the instructions in the
wizard.
http://technet.microsoft.com/en-us/library/cc781991%28v=ws.10%29.aspx
Delegating Administration of Group Policy
Your Group Policy design will probably call for delegating certain Group Policy administrative tasks.
Determining to what degree to centralize or distribute administrative control of Group Policy is one of the most
important factors to consider when assessing the needs of your organization. In organizations that use a
centralized administration model, an IT group provides services, makes decisions, and sets standards for the
entire company. In organizations that use a distributed administration model, each business unit manages its
own IT group.
You can delegate the following Group Policy tasks:
Creating GPOs
Managing individual GPOs (for example, granting Edit or Read access to a GPO)
etc.

Delegating Creation of GPOs
The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only
Domain Administrators, Enterprise Administrators, Group Policy Creator Owners, and SYSTEM can create
new Group Policy objects. If the domain administrator wants a non-administrator or non-administrative group
to be able to create GPOs, that user or group can be added to the Group Policy Creator Owners security group.
Alternatively, you can use the Delegation tab on the Group Policy Objects container in GPMC to delegate
creation of GPOs. When a non-administrator who is a member of the Group Policy Creator Owners group
creates a GPO, that user becomes the creator owner of the GPO and can edit the GPO and modify
permissions on the GPO. However, members of the Group Policy Creator Owners group cannot link GPOs to
containers unless they have been separately delegated the right to do so on a particular site, domain, or OU.
Being a member of the Group Policy Creator Owners group gives the non-administrator full control of only
those GPOs that the user creates. Group Policy Creator Owner members do not have permissions for GPOs
that they do not create.
Note: When an administrator creates a GPO, the Domain Administrators group becomes the Creator Owner of
the Group Policy object. By default, Domain Administrators can edit all GPOs in the domain.
The right to link GPOs is delegated separately from the right to create GPOs and the right to edit GPOs. Be
sure to delegate both rights to those groups you want to be able to create and link GPOs. By default,
non-Domain Admins cannot manage links, and this prevents them from being able to use GPMC to create and link
a GPO. However, non-Domain Admins can create an unlinked GPO if they are members of the Group Policy
Creator Owners group. After a non-Domain Admin creates an unlinked GPO, the Domain Admin or someone
else who has been delegated permissions to link GPOs on a container can link the GPO as appropriate.
Creation of GPOs can be delegated to any group or user. There are two methods of granting a group or user
this permission:
Add the group or user to the Group Policy Creator Owners group. This was the only method available
prior to GPMC.
Explicitly grant the group or user permission to create GPOs. This method is newly available with GPMC.
You can manage this permission by using the Delegation tab on the Group Policy objects container for a given
domain in GPMC. This tab shows the groups that have permission to create GPOs in the domain, including the
Group Policy Creator Owners group. From this tab, you can modify the membership of existing groups that
have this permission, or add new groups.
Because the Group Policy Creator Owners group is a domain global group, it cannot contain members from
outside the domain. Being able to grant users permissions to create GPOs without using Group Policy Creator
Owners facilitates delegating GPO creation to users outside the domain. Without GPMC, this task cannot be
delegated to members outside the domain.
If you require that users outside the domain have the ability to create GPOs, create a new domain local group in
the domain (for example, “GPCO – External”), grant that group GPO creation permissions in the domain, and
then add domain global groups from external domains to that group. For users and groups in the domain, you
should continue to use the Group Policy Creator Owners group to grant GPO-creation permissions.
Adding a user to the membership of Group Policy Creator Owners and granting the user GPO-creation
permissions directly using the new method available in GPMC are identical in terms of permissions.
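
The two parts of the answer, scripted and then checked, as an added example that is not from the original page or from Microsoft's documentation. The OU and group names are hypothetical, each branch's administrators are assumed to sit in one global security group, and the link right is granted with dsacls (write access to the gPLink attribute only) instead of the wizard.

```powershell
# Added example. OU names and group names are hypothetical placeholders.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$netbios  = (Get-ADDomain).NetBIOSName
$branches = @(
    @{ OU = "OU=Branch1,$domainDN"; Group = 'Branch1-Admins' }
    @{ OU = "OU=Branch2,$domainDN"; Group = 'Branch2-Admins' }
    @{ OU = "OU=Branch3,$domainDN"; Group = 'Branch3-Admins' }
)

foreach ($b in $branches) {
    # Create right: membership in Group Policy Creator Owners (domain-wide,
    # but members control only the GPOs they create themselves).
    Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $b.Group

    # Link right: read/write on gPLink, on this OU and its child objects only.
    dsacls $b.OU /I:T /G "$netbios\$($b.Group):RPWP;gPLink"
}

# Resolve the gPLink attribute GUID from the schema, not from a literal.
$gpLink = [guid](Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=gPLink)' -Properties schemaIDGUID).schemaIDGUID

# Lists principals with an Allow ACE scoped to gPLink. Holders of broader
# rights (for example full control) are not shown by this filter.
function Get-GpLinkWriter($dn) {
    (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $gpLink -and
        ($_.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    } | Select-Object -ExpandProperty IdentityReference
}

# Each OU should list only its own branch group.
foreach ($b in $branches) {
    '{0}: {1}' -f $b.OU, ((Get-GpLinkWriter $b.OU) -join ', ')
}

# The domain root must not list any branch group (that would be option D).
$branchNames = $branches | ForEach-Object { "$netbios\$($_.Group)" }
$atDomain = Get-GpLinkWriter $domainDN |
    Where-Object { $branchNames -contains $_.Value }
if ($atDomain) { Write-Warning "Branch group can link GPOs at domain: $atDomain" }
```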


