Here's a quick and easy way to delegate the management of existing Group Policy Objects in your domain.
Set-GPPermission -All -Domain "halo.net" -TargetType Group -TargetName "Domain Local – Halo GPO Edit 1" -PermissionLevel GpoEdit
What's going on here then?
-All… well, that tells Set-GPPermission to apply the new Access Control Entry (ACE) to all the GPOs in the domain
-Domain… our target domain
-TargetType… the security principal associated with the new delegated permission (User / Group / Computer)
-TargetName… the name of the security principal
-PermissionLevel… the delegated permission granted to the security principal
The values accepted by the -PermissionLevel parameter are listed below:
If a permission level already exists on your GPOs for your target security principal then you can use the -Replace switch to update the existing permission with the new permission.
Here's how to set the permission on a single GPO. This time the -All parameter is replaced by -Name and the name of the target GPO is supplied. You can also use -Guid rather than -Name.
Set-GPPermission -Name "Test_GPO" -Domain "halo.net" -TargetType Group -TargetName "Domain Local – Halo GPO Read 1" -PermissionLevel GpoRead