Basically my scenario is that I have one forest and the root domain of the forest is jasebert.com. I then have 5 second-level child domains named me.jasebert.com, you.jasebert.com etc.
What I need to do is allow users of, say, me.jasebert.com to administer group policy in you.jasebert.com. Now this in itself can be easily done, however I cannot give the group policy admins Enterprise Admin access.
So basically, can I confirm that I am on the right track?
I create a Universal Group named, say, “Delegated gp admins” in the root domain. I then create a Global Group in me.jasebert.com called “GG Delegated gp Admins” and add the users to that group. After that I add this global group to the Universal Group.
In the you.jasebert.com domain I then create “GG Delegated gp Admins” and add the “GG Delegated gp Admins” into the GP objects I wish them to administer. I then add this group to the Universal Group also.
The domain and forest functional levels are all on W2k3, so Universal groups can be used.
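
The nesting described above, scripted as an added example that is not part of the original post. It assumes the ActiveDirectory and GroupPolicy RSAT modules are available; the NetBIOS name `JASEBERT`, the account names and the GPO name are placeholders. The edit right is granted to the universal group, because a global group in you.jasebert.com can only contain members from its own domain.

```powershell
# Added example: delegate GPO editing across child domains without Enterprise Admins.
Import-Module ActiveDirectory, GroupPolicy

$RootDomain   = 'jasebert.com'
$SourceDomain = 'me.jasebert.com'                 # where the GP admins' accounts live
$TargetDomain = 'you.jasebert.com'                # where the GPOs live
$RootNetBIOS  = 'JASEBERT'                        # assumption: NetBIOS name of the root domain
$UG           = 'Delegated gp admins'
$GG           = 'GG Delegated gp Admins'
$Admins       = @('gpadmin1', 'gpadmin2')         # placeholder sAMAccountNames
$GpoNames     = @('Example Workstation Policy')   # placeholder GPO display names

# 1. Universal security group in the forest root.
New-ADGroup -Name $UG -SamAccountName $UG -GroupScope Universal `
    -GroupCategory Security -Server $RootDomain

# 2. Global security group in the source domain, holding the user accounts.
New-ADGroup -Name $GG -SamAccountName $GG -GroupScope Global `
    -GroupCategory Security -Server $SourceDomain
Add-ADGroupMember -Identity $GG -Members $Admins -Server $SourceDomain

# 3. Nest the global group into the universal group. For a cross-domain
#    member, fetch both objects from their own domains and pass the objects.
$ggObj = Get-ADGroup -Identity $GG -Server $SourceDomain
$ugObj = Get-ADGroup -Identity $UG -Server $RootDomain
Add-ADGroupMember -Identity $ugObj -Members $ggObj -Server $RootDomain

# 4. Grant edit rights on the selected GPOs only. GpoEdit allows changing
#    settings but not deleting the GPO or rewriting its permissions.
foreach ($name in $GpoNames) {
    Set-GPPermission -Name $name -DomainName $TargetDomain `
        -TargetName "$RootNetBIOS\$UG" -TargetType Group `
        -PermissionLevel GpoEdit | Out-Null
}

# 5. Audit: list every trustee holding an edit-level right on those GPOs,
#    so unexpected delegations are visible.
foreach ($name in $GpoNames) {
    Get-GPPermission -Name $name -DomainName $TargetDomain -All |
        Where-Object { $_.Permission -match 'Edit' } |
        Select-Object @{ n = 'Gpo';     e = { $name } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      Permission
}
```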