Recently A department within the School wanted to leverage the capabilities that we currently provide many other departments. They currently run their own domain, and they needed the same amount of control if they were to migrate over to our domain. Of course the “easy” button here is the Delegation of Control Wizard (http://technet.microsoft.com/en-us/magazine/2007.02.activedirectory.aspx). This gives you the ability to grant a user in your domain or another trusted domain the ability to administer all or a portion of the objects within an OU.
Now, while your newly created OU Admin can create user accounts, computer accounts, organizational units and groups, she does not get the ability to create Group Policies. If you gave the account Full Control you can check permissions on the OU you will see that Create and Delete GroupPolicyContainer (http://technet.microsoft.com/en-us/windowsserver/cc817587.aspx) objects are checked Allowed. When your admin attempts to create a group policy or run the modeling wizard it will fail with “Access is Denied.”
This is because while she has Full Control at the OU level, her account needs to be added to the Group Policy Objects container in the GPMC interface. Once you have added the account there, your admin will now be able to create/edit/delete gpo’s.
Patton Tech Blog - Original Content
Maheshkumar S Tiwari edited Revision 4. Comment: Added tags
Jeffrey S. Patton edited Revision 3. Comment: Moved blog to a new platform, updated URLs
Ed Price MSFT edited Revision 2. Comment: Updated title casing and References section. Also clarified that links are external to Wiki.