A. The Group Policy Creator Owners group lets its members create new GPOs. However, those members can only edit or delete GPOs that they have created. The Group Policy Creator Owners group also has no permission to link GPOs to a container such as a domain or OU; that permission still must be manually given. To add a user or group, simply open the Group Policy Creator Owners group, which is in the Users container of the domain, and add as required.

This group is an easy and supported way to give non-administrators the ability to create GPOs. There’s another option, too: If you select the Group Policy Objects container for the domain in the GPMC and select the Delegation tab in the details pane, you’ll see a list of all the users and groups that have rights to create GPOs in the domain. Notice the Group Policy Creator Owners group.

To add other users and groups, click Add and enter the user/group name. There is some risk that delegated users might create many GPOs. A better option might be to have administrators create the GPO specific for an OU (e.g., JLeague_GPO_Custom), then delegate the Justice League GPO administrators the ability to edit that GPO.