Yes - by default, non-privileged users do not have permissions to edit domain-based GPOs. To delegate this permission, modify the Delegation settings on the specific Group Policy Object (GPO). Here’s how you can do it in Traditional Active Directory (on-premises):
- Open the Group Policy Management Console (GPMC):
  - Run `gpmc.msc` on a domain-joined machine.
- Locate the GPO:
  - Navigate to Forest → Domains → YourDomain → Group Policy Objects.
  - Right-click the GPO you want to manage and select Edit or Delegation depending on the step.
- Modify Delegation Settings:
  - Go to the Delegation tab of the GPO.
  - Here, you can Add a user or group and assign them specific permissions such as:
    - Read – Can view the GPO.
    - Edit settings – Can modify the GPO.
    - Delete – Can delete the GPO.
    - Modify Security – Can change GPO permissions.
hth
Marcin
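
The same delegation can be scripted and then audited with the GroupPolicy PowerShell module that ships with GPMC. This is an added example, not part of the answer above; the GPO name, the group name and the list of expected trustees are assumptions to replace with your own.

```powershell
# Requires the GroupPolicy module (installed with GPMC/RSAT) on a domain-joined host.
Import-Module GroupPolicy

# Hypothetical names used for illustration only.
$GpoName  = 'Workstation Baseline'
$Delegate = 'GPO-Workstation-Editors'   # AD security group receiving edit rights

# Trustees assumed to legitimately hold edit rights; adjust to your environment.
$Expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')

function Get-GpoEditors {
    # Lists every trustee that can change a GPO and is not in the allowed list.
    param([string[]]$Allowed = @())
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object {
                $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom' -and
                $_.Trustee.Name -notin $Allowed
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    SidType    = $_.Trustee.SidType
                    Permission = $_.Permission
                }
            }
    }
}

# Grant "Edit settings" on one GPO only (GpoEdit does not include delete
# or modify-security; GpoEditDeleteModifySecurity would add those).
Set-GPPermission -Name $GpoName -TargetName $Delegate -TargetType Group -PermissionLevel GpoEdit

# Confirm what was applied for the delegate.
Get-GPPermission -Name $GpoName -TargetName $Delegate -TargetType Group

# Audit: any remaining rows are edit rights nobody has accounted for.
Get-GpoEditors -Allowed ($Expected + $Delegate) |
    Sort-Object Gpo, Trustee |
    Format-Table -AutoSize
```

Delegating to a security group rather than individual users keeps the audit output short and makes later removal a group-membership change.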