Before you delegate administrative control over a Group Policy Object (GPO), you need to grant the appropriate group the right to log on locally as well as read/write access to the Sysvol.

In order to manage group policies, you must have access to a domain controller (DC) for the Active Directory (AD) in which the Group Policy Object (GPO) resides. This means that your account or group membership must give you the right to log on locally to the DC. If your account is a member of the Domain Admins or Administrators group on the DC, you already have this right. While you could add this right to individual users who need to manage group policies, granting rights through individual accounts is not a recommended practice. Instead, create a security group and grant that group the right to log on locally. Then place individual user accounts in the security group as needed.

You define the ability of non-administrative accounts and groups to log on locally through the Default Domain Controllers Policy GPO, which is linked by default to the Domain Controllers OU in Active Directory. To grant additional groups (such as delegated administrators) the right to log on locally:

  1. Start the Active Directory Users and Computers console to create the security group to which you want to grant the right for local logon.
  2. When the console starts, expand the domain, right-click Domain Controllers, and choose Properties.
  3. In the Domain Controllers property sheet, click the Group Policy tab, select Default Domain Controllers Policy, and click Edit.
  4. In the resulting Group Policy console, select the branch Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment.
  5. Double-click Allow Log On Locally and use the resulting Security Policy Setting dialog box to add or remove security groups as needed.
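
To check the result of the steps above from the command line, the following added example (not part of the original article) parses the [Privilege Rights] section of a security template export and lists every principal that holds SeInteractiveLogonRight, the constant behind the Allow Log On Locally setting. The sample template, the domain SIDs, the baseline list and the function names are constructed for illustration.

```powershell
# Added example; the sample data is constructed. For real input, run on a DC:
#   secedit /export /cfg C:\Temp\dc-rights.inf /areas USER_RIGHTS
# and pass (Get-Content C:\Temp\dc-rights.inf -Raw) as -InfText.
$sampleInf = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1605,*S-1-5-21-1111111111-2222222222-3333333333-1108
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
'@

# Assumed baseline: built-in groups plus the delegated security group
# (hypothetical RID 1605). Adjust to your own environment.
$baseline = @(
    'S-1-5-32-544'   # BUILTIN\Administrators
    'S-1-5-32-549'   # BUILTIN\Server Operators
    'S-1-5-32-551'   # BUILTIN\Backup Operators
    'S-1-5-21-1111111111-2222222222-3333333333-1605'
)

function Get-PrivilegeHolder {
    param([string]$InfText, [string]$Privilege = 'SeInteractiveLogonRight')
    $pattern = '^' + [regex]::Escape($Privilege) + '\s*=\s*(.*)$'
    $inSection = $false
    foreach ($line in ($InfText -split '\r?\n')) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Track whether we are inside [Privilege Rights].
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match $pattern) {
            # Comma-separated; SIDs carry a leading '*', account names do not.
            return $Matches[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
        }
    }
}

function Resolve-Principal {
    param([string]$Id)
    if ($Id -notmatch '^S-1-') { return $Id }   # already an account name
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Id)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { '(unresolved)' }                  # offline or unknown SID
}

# One row per holder; InBaseline is False for anything outside the baseline.
Get-PrivilegeHolder -InfText $sampleInf | ForEach-Object {
    [pscustomobject]@{ Principal = $_; Name = (Resolve-Principal $_); InBaseline = ($baseline -contains $_) }
}
```

Any principal reported with InBaseline set to False, such as an individual account added directly instead of through the security group, is an entry to review.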

You also need Read/Write permission in the DC’s Sysvol folder to make changes to objects in the AD. If you’re configuring group policy delegation, configure permissions for the Sysvol folder to allow the delegated administrators Read/Write access to the folder.

The final installment of this article will describe how to use the Delegation of Control Wizard to delegate control over a GPO.