In tip 2882, we saw that the delegee must be a member of the Group Policy Creator Owners security group to receive the permission to create, modify, and delete Group Policy.
Users from another domain can NOT be added to the Group Policy Creator Owners security group, because it is a global group and a global group can only contain accounts from its own domain.
Here is a workaround:
- Use Active Directory Users and Computers to create a domain local security group in the domain where you want to grant these permissions (a domain local group can contain users and groups from a trusted domain).
- Add a user or users from the trusted domain to this new group.
- In Active Directory Users and Computers, enable View / Advanced Features, then expand the System container. Right-click Policies and press Properties. Select the Security tab.
- Add the new domain local group, and grant it Create All Child Objects permission. This is what lets members of the group create new Group Policy Objects.
- Use Windows Explorer to navigate to the %systemroot%\Sysvol\Domain\Policies folder, right-click it and press Properties. Select the Security tab.
- Add the new domain local group and grant it Modify, Read & Execute, List Folder Contents, Read, and Write permissions.
- Right-click the organizational unit whose Group Policy links the group should manage and press Delegate Control.
- Add the new domain local group and check the Delegate the following common tasks radio button. Check the Manage Group Policy links box.
- Close Active Directory Users and Computers.
- Open a CMD prompt and type: secedit /refreshpolicy machine_policy /enforce (on Windows XP / Windows Server 2003 and later, use gpupdate /force instead).
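The same workaround scripted with PowerShell and the ActiveDirectory (RSAT) module, as an added example that is not part of the original tip. The domain names contoso.com and fabrikam.com, the user jsmith, the group name GPO-Admins-Trusted and the OU=Workstations organizational unit are placeholders to replace; the script assumes it runs as a Domain Admin of the domain that owns the Group Policy Objects and that the trust with fabrikam.com already exists.

```powershell
# Added example, not part of the original tip: the GUI steps above as a script.
# Assumptions (placeholders, replace for your environment):
#   resource domain  = the domain this script runs in (contoso.com)
#   trusted domain   = fabrikam.com, delegated user jsmith
#   new group        = GPO-Admins-Trusted (domain local, security)
#   OU to delegate   = OU=Workstations,<resource domain DN>
Import-Module ActiveDirectory

$Domain      = Get-ADDomain
$DomainDN    = $Domain.DistinguishedName
$GroupName   = 'GPO-Admins-Trusted'
$TrustedDom  = 'fabrikam.com'
$TrustedUser = 'jsmith'
$TargetOU    = "OU=Workstations,$DomainDN"

# Steps 1-2: only a domain local group can hold principals from a trusted domain.
# Reading the user from a DC of the trusted domain lets AD create the matching
# foreignSecurityPrincipal entry when the member is added.
$group = New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
                     -Path "CN=Users,$DomainDN" -PassThru
$foreignUser = Get-ADUser -Identity $TrustedUser -Server $TrustedDom
Add-ADGroupMember -Identity $group -Members $foreignUser
$groupSid = [System.Security.Principal.SecurityIdentifier]$group.SID

# Steps 3-4: "Create All Child Objects" on CN=Policies,CN=System lets the group create
# new groupPolicyContainer objects. The ACE is placed on the Policies container itself.
$policiesDN = "CN=Policies,CN=System,$DomainDN"
$adAcl = Get-Acl -Path "AD:\$policiesDN"
$adAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))
Set-Acl -Path "AD:\$policiesDN" -AclObject $adAcl

# Steps 5-6: the group also needs NTFS rights on the SYSVOL half of every GPO.
# \\<domain>\SYSVOL\<domain>\Policies is the share view of %SystemRoot%\SYSVOL\domain\Policies.
$sysvolPolicies = "\\$($Domain.DNSRoot)\SYSVOL\$($Domain.DNSRoot)\Policies"
$ntfsAcl = Get-Acl -Path $sysvolPolicies
$ntfsAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $groupSid,
    [System.Security.AccessControl.FileSystemRights]'Modify, ReadAndExecute, ListDirectory, Read, Write',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)))
Set-Acl -Path $sysvolPolicies -AclObject $ntfsAcl

# Steps 7-8: "Manage Group Policy links" in the Delegation wizard is Read/Write on the
# gPLink and gPOptions attributes of the OU and everything beneath it. The attribute GUIDs
# are looked up in the schema rather than hard-coded.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$ouAcl = Get-Acl -Path "AD:\$TargetOU"
foreach ($attr in 'gPLink', 'gPOptions') {
    $schemaEntry = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$attr'" -Properties schemaIDGUID
    $attrGuid = [guid]$schemaEntry.schemaIDGUID
    $ouAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $ouAcl

# Step 9: the tip uses secedit /refreshpolicy (Windows 2000); gpupdate is the later equivalent.
gpupdate /force

# Check: list the ACEs that now name the new group on each of the three objects.
$account = "$($Domain.NetBIOSName)\$GroupName"
foreach ($path in "AD:\$policiesDN", $sysvolPolicies, "AD:\$TargetOU") {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $account } |
        Select-Object @{ n = 'Path'; e = { $path } }, AccessControlType, *Rights, ObjectType
}
```

The final check should show one Allow ACE for the group on the Policies container (CreateChild), one on the SYSVOL Policies folder, and two on the OU (one per attribute GUID). If the SYSVOL ACE is missing, the group SID has probably not replicated to the domain controller that answered the SYSVOL share; rerun the SYSVOL part against that DC or wait for replication.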