Delegating Group Policy Modeling Permission

Delegate Permissions

1. Open Group Policy Management Console (GPMC), navigate to the OU you want to delegate permissions for Group Policy Modeling.

2. In the results pane on the right, click on the Delegation tab.

3. In Permission drop down list, select Perform Group Policy Modeling Analyses

image

4. Click the Add button at the bottom. It would bring the up the Select User, Computer, or Group window.

5. Enter the name of the object to which you want to delegate permissions and click OK

6. In the Add Group or User dialog box, select the Permission level and click OK

image

 

COM Permissions

In some cases, user still get error message:  Group Policy Modeling Wizard: "Access is denied" . This is because of the COM Permissions.

1. On the domain controller, you’re connecting to, Open Component Services. Start – Run – type DCOMCNFG and hit Enter.

2. Expand Component Services –> Computers –> My Computer

3. Right click on My Computer and choose Properties

image

4. On the COM Security tab, click Edit Limits in the Launch and Activation Permissions field.

5. Click the user name in the Group or user names field that you want to be able to run the Group Policy Modeling Wizard, and then click to select Allow for the Remote Activation permission.

6. Click OK two times.

Group Policy – Same setting can be implement via group policy if there are multiple Domain controllers.

Group Policy Setting: – Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options – [DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax.

Edit the setting and add the required AD account and click Allow.