Microsoft KB Archive/294777

= How to Delegate Group Policy Control to users in Trusted Domain =

Article ID: 294777

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q294777



SUMMARY
If a member of a trusted domain requires permission to add, delete, or modify a group policy, that member must be a member of the Group Policy Creator Owners security group. The Group Policy Creator Owners security group is a global group that contains domain members, and the security group is used to assign the rights to modify a Domain Group Policy.



MORE INFORMATION
By default, users in another domain cannot be added to the Group Policy Creator Owners security group. However, you can use the following method to work around this default behavior:
 * 1) Start Active Directory Users and Computers, and then create a domain local group in the domain that you want permissions to modify.
 * 2) Add a user from the trusted domain to the new group.
 * 3) In Active Directory Users and Computers, expand Systems, right-click Policies, click Properties, and then click the Security tab.
 * 4) Add the domain local group, and then grant this group Create All Child Object permissions.
 * 5) Locate the %systemroot%\Sysvol\Domain folder, right-click the Policies folder, click Properties, and then click the Security tab.
 * 6) Add the domain local group, and then grant this group Modify, Read, List, Read, and Write permissions.
 * 7) Right-click the organizational unit, and then click Delegate Control.
 * 8) Add the domain local group, and then click delegate the following common tasks: Manage Group Policy Links.
 * 9) Close Active Directory Users and Computers, open a command prompt, and then type the following: secedit /refreshpolicy machine_policy /enforce

Keywords: kbinfo kbenv KB294777

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.