Administrative privileges are required to create or modify group policies. The following table shows who can create or modify each type of group policy:

| Policy Type | Allowable Groups / Users |
| --- | --- |
| Site Level Group Policies | Enterprise Administrators and/or Domain Administrators in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Administrators group is found only in the root domain. |
| Domain Level Group Policies | Enterprise Administrators, Domain Administrators or members of the built-in group – Group Policy Creator Owners. By default only the Administrator user account is a member of this group. |
| OU Level Group Policies | Enterprise Administrators, Domain Administrators or members of the Group Policy Creator Owners. By default only the Administrator user account is a member of this group. Additionally, at the OU level, users can be delegated control for the OU Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to Link already created group policies to the OU. If you want to give the OU administrators control over creating/modifying group policies, add them to the Group Policy Creator Owners group for the domain. |
| Local Group Policies | The local Administrator user account or members of the local Administrators group. |
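
To review who actually holds the memberships listed in the table, the following added example (not part of the original page) enumerates each group and lists every member other than the default Administrator account. It assumes the RSAT ActiveDirectory module, a domain-joined host, and English group names (`Enterprise Admins` and `Domain Admins` are the directory names of the groups the table calls Enterprise Administrators and Domain Administrators); the function names are hypothetical.

```powershell
# Added example: list the accounts that hold the memberships named in the table.
# Assumes RSAT ActiveDirectory module, English group names, domain-joined host.
Import-Module ActiveDirectory

function Get-GpoCapableAccount {
    param(
        [string[]]$GroupName = @('Enterprise Admins', 'Domain Admins',
                                 'Group Policy Creator Owners')
    )
    $rootDomain = (Get-ADForest).RootDomain   # Enterprise Admins lives only here
    $thisDomain = (Get-ADDomain).DNSRoot
    foreach ($name in $GroupName) {
        $server = if ($name -eq 'Enterprise Admins') { $rootDomain } else { $thisDomain }
        try {
            # -Recursive expands nested groups so indirect members are not missed
            $members = Get-ADGroupMember -Identity $name -Server $server -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "Could not read '$name' in ${server}: $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Scope  = $server
                Group  = $name
                Member = $m.SamAccountName
                Class  = $m.objectClass
                # The built-in Administrator account always has RID 500
                IsBuiltinAdministrator = $m.SID.Value -match '-500$'
            }
        }
    }
}

function Get-LocalGpoCapableAccount {
    # Local Administrators group, addressed by its well-known SID
    Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
        [pscustomobject]@{
            Scope = $env:COMPUTERNAME; Group = 'Administrators (local)'
            Member = $_.Name; Class = $_.ObjectClass
            IsBuiltinAdministrator = $_.SID.Value -match '-500$'
        }
    }
}

# Review everything except the default Administrator account
@(Get-GpoCapableAccount) + @(Get-LocalGpoCapableAccount) |
    Where-Object { -not $_.IsBuiltinAdministrator } |
    Sort-Object Scope, Group, Member | Format-Table -AutoSize
```

The output does not cover accounts that were only delegated the right to link policies at an OU through the Delegate Control Wizard; those permissions are set on the OU itself rather than through group membership.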