- domain admin
- enterprise admin
- creator owner - same level as domain admin but within delegated scope
- local system
read/apply : authenticated users
grant additional permissions
- create : add to GP creator/owner or GPMC permissions
- editL r./w via GPMC
- link mgmt: delegation in GPMC or DOCW (right-click OU for delegation wizard)
- modeling/results: delegation in GPMC or DOCW
Group policy Creator Owner - allows access to all GP in domain or narrow it down to OU level
Granting GPO permissions via GPMC
delegation tab limited in only link GPO and modeling/analysis.
but Advanced option allows for granular permissions for GPOs.