JSI Tip 5473. How do I delegate control of Group Policy to members of a trusted domain?

In tip 2882, we saw that the delegee must be a member of the Group Policy Creator Owners security group to receive the permission to modify / add / delete Group Policy.

Users in another domain can NOT be added to the Group Policy Creator Owners security group.

Here is a workaround:

  1. Use Active Directory Users and Computers to create a domain local group in the domain that you want these permissions.


  2. Add a user or users from the trusted domain to this new group.


  3. In Active Directory Users and Computers, expand System. Right-click Policies and press Properties. Select the Security tab.


  4. Add the new domain local group, and grant it Create All Child Objects permission.


  5. Use Windows Explorer to navigate to the %systemroot%\Sysvol\Domain\Policies folder and press Properties. Select the Security tab.


  6. Add the new domain local group and grant it Modify, Read & Execute, List Folder Contents, Read, and Write permissions.


  7. Right-click the organizational unit and press Delegate Control.


  8. Add the new domain local group and check the Delegate the following common tasks radio button. Check the Manage Group Policy Links box.


  9. Close Active Directory Users and Computers.


  10. Open a CMD prompt and type: secedit /refreshpolicy machine_policy /enforce
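The same workaround scripted end to end, as an added example that is not part of the original tip: it assumes the ActiveDirectory PowerShell module and the AD: drive are available (a later OS than the tip targets), and every domain name, group name, OU and user below is a placeholder.

```powershell
# Added example (not from the tip): scripted equivalent of steps 1-10.
# Assumes the ActiveDirectory module; all names are placeholders.
Import-Module ActiveDirectory

$localDomainDN = 'DC=corp,DC=example'                 # placeholder: domain that owns the GPOs
$trustedDomain = 'trusted.example'                    # placeholder: trusted domain FQDN
$trustedUser   = 'gpoadmin'                           # placeholder: sAMAccountName in trusted domain
$groupName     = 'GPO-Editors-Trusted'                # placeholder
$targetOU      = "OU=Branch,$localDomainDN"           # placeholder: OU whose links are delegated

# Steps 1-2: a domain local group is the only scope that can hold a
# principal from another domain (a foreign security principal is created).
New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security -Path "CN=Users,$localDomainDN"
$foreignUser = Get-ADUser -Identity $trustedUser -Server $trustedDomain
Add-ADGroupMember -Identity $groupName -Members $foreignUser
$sid = (Get-ADGroup -Identity $groupName).SID

# Steps 3-4: Create All Child Objects on CN=Policies,CN=System (create new GPOs).
$policiesDN = "CN=Policies,CN=System,$localDomainDN"
$adAcl = Get-Acl -Path "AD:\$policiesDN"
$adAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow)))
Set-Acl -Path "AD:\$policiesDN" -AclObject $adAcl

# Steps 5-6: NTFS Modify (which includes Read & Execute, List, Read, Write)
# on the SYSVOL Policies folder. Note: this inherits to every existing GPO
# folder, not only to GPOs the group creates.
$sysvolPolicies = Join-Path $env:SystemRoot 'SYSVOL\domain\Policies'
$fsAcl = Get-Acl -Path $sysvolPolicies
$fsAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $sysvolPolicies -AclObject $fsAcl

# Steps 7-8: "Manage Group Policy Links" is Read/Write on the gPLink and
# gPOptions attributes of the OU and its descendants. The attribute GUIDs are
# read from the schema rather than hard-coded.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$ouAcl = Get-Acl -Path "AD:\$targetOU"
foreach ($attr in 'gPLink', 'gPOptions') {
    $attrGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID).schemaIDGUID
    $ouAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ReadProperty,WriteProperty', 'Allow', $attrGuid, 'All')))
}
Set-Acl -Path "AD:\$targetOU" -AclObject $ouAcl

# Step 10: gpupdate replaces secedit /refreshpolicy on current Windows versions.
gpupdate /force
```

Run it on a domain controller of the GPO-owning domain as a user who can write the ACLs above; afterwards, Get-Acl on the three objects shows the new group's ACEs and nothing broader, which is the check to keep in a change record.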

