The following paragraph could benefit of some tweaking and a screenshot:
"After creating the GPO, you'll want to limit it to only apply to your ConfigMgr server (or servers). To do that select the Delegation tab of the GPO, and click on Advanced button. Select the Authenticated Users security group and then scroll down to the Apply Group Policy permission and un-tick the Allow security setting. This denies authenticated users from applying this GPO setting
Next, click on the Add button, for Select this object type make sure to select Computers from the Object Types and select the group or Computer object that you want to have this policy apply to. Then select the group (e.g. ConfigMgr Servers) and scroll the permission list until you see the Apply group policy option and then tick the Allow permission as shown here."
Where one adds the user (in this case the Configmgr Server), the "Add Group or User" pops out with Read, Edit . It is important to mention here that one should click next and not to change the set 'Read" permission.
kukubau