Praveen Kumar

Reputation: 1016

New GPO using c++ program

I am trying to create a GPO programmatically using the IGroupPolicyObject interface.

I am running the program in a child domain and am able to successfully create a GPO in the child domain.

To create a GPO in the parent domain, I am impersonating the parent Domain Admin credential (using the LogonUser Windows function).

(The impersonation succeeds; I am using LOGON32_LOGON_NEW_CREDENTIALS in the LogonUser call to impersonate, and the subsequent ImpersonateLoggedOnUser call also succeeds.)

But the GPO creation call (IGroupPolicyObject's New method) fails with an Access Denied error, code 80070005.

Kindly guide me.

Here is the code:

#include <windows.h>
#include <objbase.h>
#include <initguid.h>   // makes CLSID_GroupPolicyObject / IID_IGroupPolicyObject definitions available
#include <gpedit.h>
#include <cstdio>

int main()
{
    // COM must be initialised on this thread before CoCreateInstance
    CoInitializeEx(NULL, COINIT_APARTMENTTHREADED);

    HANDLE tokHandle = NULL;
    BOOL chk = LogonUser("parent domain admin name", "parent domain name", "password",
                         LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_WINNT50, &tokHandle);
    if (chk) {
        chk = ImpersonateLoggedOnUser(tokHandle);
        if (!chk) {
            printf("ImpersonateLoggedOnUser failed: %lu\n", GetLastError());
        }
        // the thread now holds its own copy of the impersonation token, so the handle can be closed
        CloseHandle(tokHandle);
    } else {
        printf("LogonUser failed: %lu\n", GetLastError());
    }

    if (chk) {
        IGroupPolicyObject* gpo = NULL;
        HRESULT hr = CoCreateInstance(CLSID_GroupPolicyObject, NULL, CLSCTX_INPROC_SERVER,
                                      IID_IGroupPolicyObject, (LPVOID*)&gpo);
        if (hr == S_OK) {
            hr = gpo->New(L"LDAP://dcname/DC=domain,DC=com", L"gponame", GPO_OPEN_READ_ONLY);
            if (hr != S_OK) {
                printf("IGroupPolicyObject::New failed: 0x%08lx\n", hr);   // ACCESS DENIED ERROR CODE COMES HERE...
            }
        } else {
            printf("CoCreateInstance failed: 0x%08lx\n", hr);
        }
        if (gpo) gpo->Release();
        RevertToSelf();
    }

    CoUninitialize();
    return 0;
}

Upvotes: 2

Views: 822

Answers (1)

Praveen Kumar

Reputation: 1016

Finally found the answer.

It seems the IGroupPolicyObject New method mistakenly reverts the impersonation done in the calling thread, so the impersonation is not taking effect. So I created a new process with the required credentials to accomplish my task.

Reference: https://shellexecute.wordpress.com/2008/11/18/igrouppolicyobjectnew-will-fail-if-thread-is-impersonating-or-identity-or-delegation/

Upvotes: 1
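The answer's workaround, running the GPO creation in a separate process whose primary token belongs to the parent-domain account, shown as an added PowerShell example rather than the poster's C++ code. It is not from the original question or answer. It assumes the GroupPolicy RSAT module is installed on the child-domain host, that the parent-domain Domain Admin credential is supplied interactively, and that the domain, DC and GPO names are placeholders.

```powershell
# Added example, not the original poster's code. Assumes the GroupPolicy RSAT module is
# installed on the child-domain host, that the caller supplies a parent-domain Domain Admin
# credential interactively, and that the domain, DC and GPO names below are placeholders.
param(
    [string]$ParentDomain = 'parent.example.com',      # placeholder
    [string]$ParentDc     = 'dc1.parent.example.com',  # placeholder
    [string]$GpoName      = 'Example Baseline GPO'     # placeholder
)

# Prompt rather than embed a password: the credential lives only in this session.
$parentCred = Get-Credential -Message "Parent-domain admin (PARENT\user)"

# The GPO is created in a background job. Start-Job -Credential launches a separate
# PowerShell process whose primary token is the parent-domain account, so the GPO API
# has no thread impersonation to revert and 0x80070005 cannot arise from that cause.
$worker = {
    param($Domain, $Server, $Name)
    Import-Module GroupPolicy -ErrorAction Stop
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $gpo = New-GPO -Name $Name -Domain $Domain -Server $Server -ErrorAction Stop
    [pscustomobject]@{
        CreatedBy   = $who          # recorded so the log shows which identity created the GPO
        DisplayName = $gpo.DisplayName
        Id          = $gpo.Id
        DomainName  = $gpo.DomainName
    }
}

$job = Start-Job -ScriptBlock $worker -Credential $parentCred `
                 -ArgumentList $ParentDomain, $ParentDc, $GpoName
try {
    # Receive-Job rethrows any error the worker raised (e.g. Access Denied from New-GPO)
    $result = $job | Wait-Job | Receive-Job -ErrorAction Stop
} finally {
    $job | Remove-Job -Force
}

if (-not $result) { throw "GPO creation in $ParentDomain produced no result; check the job errors." }
$result | Format-List

# Verify from the child-domain caller's own context. Authenticated Users have Read on a
# new GPO by default, so the object should be visible without the parent credential.
Get-GPO -Name $GpoName -Domain $ParentDomain -Server $ParentDc |
    Select-Object DisplayName, Id, CreationTime, Owner
```

Two caveats worth knowing before relying on this. Unlike LOGON32_LOGON_NEW_CREDENTIALS, which only swaps the credentials used on the network, Start-Job -Credential performs a real logon for the account on the child-domain host, so that account must be permitted to log on there (the "Allow log on locally" or batch logon rights); if the job fails to start at all, that is the first thing to check. On the monitoring side, the GPO and its SYSVOL folder are created under the parent-domain account, so with Directory Service Changes auditing enabled the parent DC records the object creation (event 5137) attributed to that account, which is the trail a defender should expect to see for any cross-domain GPO provisioning.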
