Group Policy editors from a different domain

Discussion in 'Active Directory' started by bolo, May 3, 2006.

  1. bolo

    bolo Guest

    Hi all,

    I would like to grant permission to a user who is in X domain to create,
    link modify and delete group policy objects in Y domain. I don't want to
    delegate him full control for the whole domain. I have found the "Group
    Policy Creator Owners" builtin group which members can do this work, but
    unfortunately this group is a global group, and therefore I can not put my
    account into this group from another domian. (The domains are in the same
    How can I grant GPO editor permissions to a user from a different domain?

    bolo, May 3, 2006
    1. Advertisements

  2. bolo

    Akn Guest

    Paul Williams had answered a similar question few days back, i've copy-pasted
    it here ---

    "GPOs are created under CN=Policies, CN=System, DC=domain-name, DC=com. You
    will need to grant the create groupPolicyContainer permission here.
    You only need to grant the permission to modify the gPLink attribute on the
    OU in question."

    So go ahead and give permisisons to user in Y domain to the "Policies"
    container in the X domain and then grant the permission to modify the gPLink
    attribute on the required OU.

    I'm sure this shud work....haven't tested myself.
    Do test it out and let know.

    Akn, May 3, 2006
    1. Advertisements

  3. bolo

    bolo Guest


    With this method the user can not modify the group policy objects, which was
    created previously by another user. I want grant him full control of the
    group policy objects.
    Any other idea?
    bolo, May 4, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.