How to Delegate Group Policy Control to users in Trusted Domain (294777)
The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2

This article was previously published under Q294777

SUMMARY

If a user in a trusted domain needs permission to add, delete, or modify Group Policy, that user must belong to the Group Policy Creator Owners security group. Group Policy Creator Owners is a global security group that contains members of the domain, and it is used to grant the right to modify domain Group Policy.

MORE INFORMATION

By default, users from another domain cannot be added to the Group Policy Creator Owners security group, because a global group can contain only accounts from its own domain. A domain local group, by contrast, can contain accounts from trusted domains, so you can use the following method to work around the default behavior:
  1. Start Active Directory Users and Computers, and then create a domain local group in the domain whose Group Policy you want to delegate.
  2. Add the user from the trusted domain to the new group.
  3. In Active Directory Users and Computers, expand the System container (it is shown only when Advanced Features is selected on the View menu), right-click Policies, click Properties, and then click the Security tab.
  4. Add the domain local group, and then grant it the Create All Child Objects permission.
  5. Locate the %systemroot%\Sysvol\Domain folder, right-click the Policies folder, click Properties, and then click the Security tab.
  6. Add the domain local group, and then grant it the Modify, Read, List, and Write permissions.
  7. Right-click the organizational unit whose Group Policy links the group should manage, and then click Delegate Control.
  8. Add the domain local group, select Delegate the following common tasks, and then select Manage Group Policy Links.
  9. Close Active Directory Users and Computers, open a command prompt, and then type the following command:
     secedit /refreshpolicy machine_policy /enforce
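The same nine steps as a script for a current domain controller with the ActiveDirectory PowerShell module (an added example, not from the article or from Microsoft; the group, user and OU names are assumptions, and the Windows 2000 secedit command is replaced by its successor gpupdate). The "Manage Group Policy Links" common task is Read/Write on the gPLink and gPOptions attributes of the OU, so that is what the script grants.

```powershell
# Added example, not part of the KB article: the nine steps done with the ActiveDirectory
# module (Windows Server 2008 R2 or later). All names below are assumptions.
Import-Module ActiveDirectory
$GroupName   = 'GPO-TrustedAdmins'              # assumed name for the domain local group (step 1)
$ForeignUser = 'TRUSTED\gpoadmin'               # assumed user in the trusted domain (step 2)
$TargetOU    = 'OU=Branch,DC=corp,DC=example'   # assumed OU whose GPO links are delegated (step 7)
$domain      = Get-ADDomain
$policiesDN  = "CN=Policies,CN=System,$($domain.DistinguishedName)"

# Steps 1-2: domain local security group in this (resource) domain; the trusted-domain
# account is added by SID, which creates the foreign security principal automatically.
$group = New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
             -Path "CN=Users,$($domain.DistinguishedName)" -PassThru
$sid = (New-Object System.Security.Principal.NTAccount($ForeignUser)).Translate(
           [System.Security.Principal.SecurityIdentifier])
Set-ADGroup -Identity $group -Add @{ member = "<SID=$($sid.Value)>" }

# Steps 3-4: "Create All Child Objects" on CN=Policies lets the group create GPO containers.
$adAcl = Get-Acl -Path "AD:\$policiesDN"
$adAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID, [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow)))
Set-Acl -Path "AD:\$policiesDN" -AclObject $adAcl

# Steps 5-6: NTFS Modify on the SYSVOL Policies folder. Modify already includes Read,
# Read & Execute, List Folder Contents and Write, so one ACE covers the article's list.
$sysvolPolicies = Join-Path $env:SystemRoot 'SYSVOL\domain\Policies'
$fsAcl = Get-Acl -Path $sysvolPolicies
$fsAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group.SID, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $sysvolPolicies -AclObject $fsAcl

# Steps 7-8: "Manage Group Policy links" = Read/Write on gPLink and gPOptions of the OU
# and its children; the attribute GUIDs are looked up in the schema rather than hard-coded.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$ouAcl = Get-Acl -Path "AD:\$TargetOU"
foreach ($attr in 'gPLink', 'gPOptions') {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    $attrGuid  = New-Object System.Guid -ArgumentList (, [byte[]]$schemaObj.schemaIDGUID)
    $ouAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow, $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
}
Set-Acl -Path "AD:\$TargetOU" -AclObject $ouAcl

# Step 9: secedit /refreshpolicy was replaced by gpupdate after Windows 2000.
gpupdate /target:computer /force
# Check: the group should now appear in both ACLs, with only the rights granted above.
(Get-Acl "AD:\$policiesDN").Access | Where-Object { $_.IdentityReference -like "*\$GroupName" }
(Get-Acl $sysvolPolicies).Access   | Where-Object { $_.IdentityReference -like "*\$GroupName" }
```

Because this group can create GPOs and relink them on the OU, review its membership periodically: any account in the trusted domain that is added to it gains that control.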

Modification Type: Major
Last Reviewed: 12/18/2003
Keywords: kbenv kbinfo KB294777