JSI Tip 5473. How do I delegate control of Group Policy to members of a trusted domain?

Jerold Schulman

June 24, 2002


In tip 2882, we saw that the delegee must be a member of the Group Policy Creator Owners security group to receive the permission to modify / add / delete Group Policy.

Users in another domain can NOT be added to the Group Policy Creator Owners security group.

Here is a workaround:

  1. Use Active Directory Users and Computers to create a domain local group in the domain in which you want to grant these permissions.

  2. Add a user or users from the trusted domain to this new group.

  3. In Active Directory Users and Computers, expand System. Right-click Policies and press Properties. Select the Security tab.

  4. Add the new domain local group, and grant it Create All Child Object permissions.

  5. Use Windows Explorer to navigate to the %systemroot%\Sysvol\Domain\Policies folder, right-click it, and press Properties. Select the Security tab.

  6. Add the new domain local group and grant it Modify, Read & Execute, List Folder Contents, Read, and Write permissions.

  7. Right-click the organizational unit and press Delegate Control.

  8. Add the new domain local group and select the Delegate the following common tasks radio button. Check the Manage Group Policy Links box.

  9. Close Active Directory Users and Computers.

  10. Open a CMD prompt and type: secedit /refreshpolicy machine_policy /enforce
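The same ten steps can be scripted. The following is an added example, not part of the original tip and not a Microsoft-supplied script; it uses the ActiveDirectory module (RSAT) from an elevated PowerShell session on a domain member. The group name, the trusted domain's DNS name, the trusted-domain user, and the target OU are assumptions chosen for illustration.

```powershell
# Added example (not from the original tip): the workaround above scripted with the
# ActiveDirectory module. All names in the four variables below are assumptions.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$GroupName   = 'GPO-Editors-Trusted'                 # assumed name of the new domain local group
$TrustedDns  = 'trusted.example'                     # assumed DNS name of the trusted domain
$TrustedUser = 'jdoe'                                # assumed sAMAccountName in the trusted domain
$TargetOU    = 'OU=Workstations,DC=corp,DC=example'  # assumed OU whose GPO links are delegated

$domain     = Get-ADDomain
$policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$sysvolPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
$groupName  = "$($domain.NetBIOSName)\$GroupName"

# Steps 1-2: only a domain local group can hold principals from a trusted domain,
# which is why the tip does not use a global group here.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
                         -Path "CN=Users,$($domain.DistinguishedName)" -PassThru
}
# The user object is fetched from a DC of the trusted domain and added through the trust.
$foreignUser = Get-ADUser -Identity $TrustedUser -Server $TrustedDns
Add-ADGroupMember -Identity $group -Members $foreignUser
[System.Security.Principal.SecurityIdentifier]$sid = $group.SID

# Steps 3-4: Create All Child Objects on CN=Policies,CN=System, so the group can create GPOs.
$createChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$acl = Get-Acl -Path "AD:\$policiesDn"
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $createChild, $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None))
Set-Acl -Path "AD:\$policiesDn" -AclObject $acl

# Steps 5-6: NTFS rights on the SYSVOL Policies folder. FileSystemRights.Modify already
# contains Read & Execute, List Folder Contents, Read and Write, so one ACE covers the list.
$ntfs = Get-Acl -Path $sysvolPath
$ntfs.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    $allow))
Set-Acl -Path $sysvolPath -AclObject $ntfs

# Steps 7-8: "Manage Group Policy Links" is Read/Write on the gPLink and gPOptions
# attributes of the OU. The attribute GUIDs are read from the schema instead of hardcoded.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$rwProp   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ouAcl    = Get-Acl -Path "AD:\$TargetOU"
foreach ($attr in 'gPLink', 'gPOptions') {
    $schemaObj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$attr)" `
                              -Properties schemaIDGUID
    $attrGuid  = [guid]$schemaObj.schemaIDGUID
    $ouAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $rwProp, $allow, $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $ouAcl

# Step 10: the tip's "secedit /refreshpolicy machine_policy /enforce" is the Windows 2000
# form of this command; gpupdate replaced it from Windows XP / Server 2003 onward.
gpupdate /target:computer /force

# Check: read the three ACLs back and confirm each ACE landed for the new group.
function Test-GpoDelegation {
    $adOk = (Get-Acl -Path "AD:\$policiesDn").Access |
        Where-Object { $_.IdentityReference.Value -eq $groupName -and
                       ($_.ActiveDirectoryRights -band $createChild) }
    $fsOk = (Get-Acl -Path $sysvolPath).Access |
        Where-Object { $_.IdentityReference.Value -eq $groupName -and
                       ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Modify) }
    $ouOk = (Get-Acl -Path "AD:\$TargetOU").Access |
        Where-Object { $_.IdentityReference.Value -eq $groupName -and
                       ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) }
    return [bool]($adOk -and $fsOk -and (@($ouOk).Count -ge 2))
}
Test-GpoDelegation   # $true when all three delegations are in place
```

The script grants exactly the rights the ten steps describe and nothing on any other container, which keeps the delegation at least privilege. Write access to gPLink on an OU decides which policies apply to every computer and user under it, so membership changes in the new group deserve the same auditing as changes to Group Policy Creator Owners itself.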
