Delegating the permission to generate Group Policy Results of Computer Configuration for domain users

By default, domain users cannot generate the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration due to insufficient permissions. Only users with local administrator rights on the target computer can remotely access Group Policy Results data.
Figure 1: Gpresult of a domain user
Figure 2: The warning of “Resultant Set of Policy”
Figure 3: “Resultant Set of Policy” is being processed
Figure 4: The result of “Resultant Set of Policy”
To allow domain users to generate the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration, we can delegate the permission to domain users by using GPMC. The permission can be assigned at the domain or organizational unit level.
Remark: To delegate the permission, make sure the forest functional level of the domain environment is Windows Server 2003 or later.
Goals
Allow the domain user, Terry, to read the “Group Policy Results” of Computer Configuration in the “Win7 Workstations” OU.
Lab environment
  • 1 domain controller named DC02 running Windows Server 2008
  • 1 workstation named W701 running Windows 7, placed under the “Win7 Workstations” OU
  • 1 server named FS01 running Windows Server 2008 R2, placed under the Computer container
  • 1 domain user account named Terry
1. On DC02, log in as Domain Administrator.
2. Launch “Group Policy Management Console”.
3. Expand “Forest > Domains > Domain Name > Win7 Workstations”.
4. Select the “Delegation” tab.
5. Next to “Permission”, select “Read Group Policy Results data”.
6. Click “Add”.
7. In the “Select User, Computer, or Group” window, enter “Terry”.
8. In the “Add Group or User” window, next to “Permissions”, select “This container and all child containers”.
Remark: The child OUs of “Win7 Workstations” will inherit the permission because “This container and all child containers” is selected.
9. Click “OK”.
10. Click “Advanced”.
11. Next to “Security”, select “Terry”.
The “Generate resultant set of policy” permission is granted to Terry.
12. Click “Cancel”.
Now, Terry can generate the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration on workstations that are under the “Win7 Workstations” OU.
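The same check as steps 10 and 11 can be run from PowerShell, which is useful when reviewing who holds this right on more than one container. This is an added example, not part of the original post: it reads a container's ACL through ADSI and lists the allow ACEs that cover the Generate-RSoP-Logging control access right (the GUID is that right's rightsGuid in the schema); the example.com distinguished names and the function name Get-RsopLoggingDelegation are assumptions.

```powershell
# Added example: list principals that may generate RSoP (logging) data on a container.
# Assumption: example.com is a placeholder domain; replace the DNs with your own.

# rightsGuid of the Generate-RSoP-Logging control access right
$RsopLogging = [guid]'b7b1b3de-ab09-4242-9e30-9980e5d322f7'

function Get-RsopLoggingDelegation {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $entry = [adsi]"LDAP://$DistinguishedName"
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true,    # include explicit ACEs
        $true,    # include inherited ACEs
        [System.Security.Principal.NTAccount])

    foreach ($rule in $rules) {
        # Only ACEs that carry the ExtendedRight (control access) bit are relevant.
        $isExtended = ([int]$rule.ActiveDirectoryRights -band
            [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0

        # An empty ObjectType GUID means "all extended rights", which includes this one.
        $coversRsop = ($rule.ObjectType -eq $RsopLogging) -or
                      ($rule.ObjectType -eq [guid]::Empty)

        if ($isExtended -and $coversRsop -and $rule.AccessControlType -eq 'Allow') {
            $rule | Select-Object @{ n = 'Container'; e = { $DistinguishedName } },
                                  IdentityReference, IsInherited, InheritanceType
        }
    }
}

# Compare the delegated OU with the domain root, where nothing was delegated in this lab.
'OU=Win7 Workstations,DC=example,DC=com', 'DC=example,DC=com' |
    ForEach-Object { Get-RsopLoggingDelegation -DistinguishedName $_ } |
    Format-Table -AutoSize
```

In this lab, Terry should appear only in the rows for the “Win7 Workstations” OU, with IsInherited set to False; administrative groups that hold all extended rights are listed as well.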
Test result
1. On W701, log in as Terry.
2. Launch “Command Prompt”.
3. Perform “gpresult /r”.
The “Group Policy Results” of Computer Configuration can be generated by Terry.
4. Perform “rsop.msc”.
When the “Resultant Set of Policy” is being processed, there is no warning message. Terry can generate “Resultant Set of Policy” of Computer Configuration.
5. Log out of W701.
6. On FS01, log in as Terry.
7. Launch “Command Prompt”.
8. Perform “gpresult /r”.
9. Perform “rsop.msc”.
Because FS01 is outside the “Win7 Workstations” OU and the “Generate resultant set of policy” permission isn’t granted at the domain level, Terry cannot generate the “Group Policy Results” or “Resultant Set of Policy” of Computer Configuration on FS01.
For more information:
Delegation and policy-related permissions