You have to operate a SharePoint web application and you would like to delegate Full Control permissions to your operating team.
You create a new security group in your domain (let’s say “SharePoint Operators”) and you want to let this group operate as SharePoint\system.
You create a new user policy, add your “SharePoint Operators” domain group as the user, and select Full Control and “Account operates as System”.
Then you get the following error:
Only user accounts belonging to the "All" zone can be designated as System.
This error is misleading here. What it actually means is: this does not work with domain security groups, only with single domain users. So you have to add every user of your domain group “SharePoint Operators” separately.
This will work but creates a separate policy for every single user you add here.
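
The per-user workaround can be scripted. The following is an added example, not part of the original post: it expands the group and creates one Full Control policy per member with "operates as System" set. It assumes the ActiveDirectory module and the SharePoint snap-in are available on the server; the web application URL and the domain name are placeholders.

```powershell
# Added example. $WebAppUrl and $Domain are placeholders; the group name is the one from the post.
param(
    [string]$WebAppUrl = 'https://sharepoint.example.test',  # placeholder URL
    [string]$Domain    = 'CONTOSO',                          # placeholder NetBIOS domain name
    [string]$GroupName = 'SharePoint Operators'
)

Import-Module ActiveDirectory
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webApp = Get-SPWebApplication -Identity $WebAppUrl
$fullControl = $webApp.PolicyRoles.GetSpecialRole(
    [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullControl)

# Resolve nested groups and keep only user accounts, since the policy
# with "operates as System" is accepted for single users only.
$users = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($user in $users) {
    $login = '{0}\{1}' -f $Domain, $user.SamAccountName

    # Claims-mode web applications store the encoded claim, not DOMAIN\user.
    if ($webApp.UseClaimsAuthentication) {
        $claim = New-SPClaimsPrincipal -Identity $login -IdentityType WindowsSamAccountName
        $login = $claim.ToEncodedString()
    }

    # Skip accounts that already have a policy so the script can be re-run.
    if ($webApp.Policies | Where-Object { $_.UserName -eq $login }) {
        Write-Host "Policy already present: $login"
        continue
    }

    $policy = $webApp.Policies.Add($login, $user.Name)
    $policy.PolicyRoleBindings.Add($fullControl)
    $policy.IsSystemUser = $true   # "Account operates as System"
    Write-Host "Added policy: $login"
}

$webApp.Update()
```

Because each member gets a separate policy, later changes to the group's membership are not picked up automatically: re-run the script for new members and remove the policies of users who leave the group by hand.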