The GPTalk Mailing List

The GPTALK mailing list is where you can send and receive email related to Windows Group Policy. You must subscribe to the list to send and receive mail from the list. The purpose of the list is to provide a forum for asking and answering technical questions related to Group Policy. Any question is fair game as long as it is related to Windows Group Policy.  The Archives for this list can be found on this page.


List Posts

Subject: [gptalk] AGPM: Best Practice

Author: DarraghOShaughnessy (Posts: 161)
Posted: 08/06/2010 4:15 PM
Hey guys,

Just evaluating AGPM 4.0 on Windows 2008 R2. Just interested in what other people are doing with it. What I am interested in is controlling as much as possible from AGPM and preventing changes to GPOs outside of that. That doesn't seem possible really from what I have read. Consider the following scenario:

1) Service running under a user account that is a member of the 'domain\Backup Operators' and 'domain\Group Policy Creator Owners' groups, as is best practice for least privilege.

2) This account also has full control over %systemroot%\temp and the archive folder.

3) We add the AGPM service account to all GPOs in production and grant it full control. We do this using GPMC scripting to make life easier.

4) We wish to have a group 'domain\agpm_admins' that is delegated full control over all GPOs, so we set that on the 'Domain Delegation' tab in AGPM. Now all controlled GPOs will be under the control of this group.

5) We also wish to prevent deployed GPOs being altered outside of AGPM, so we remove 'Domain Admins' and 'Enterprise Admins' from the 'Production Delegation' tab.

Creating GPOs:

In order for AGPM to deploy GPOs, it must have the right to create them in production, i.e. the domain. To do this, the easiest thing is to add the service account to the 'Group Policy Creator Owners' group and remove all other members.

Linking GPOs:

Now, my query is as follows:

With these settings in place, how can a delegated user in the 'agpm_admins' group link a GPO? The underlying service account has the right to link GPOs in the domain via membership in the 'Group Policy Creator Owners' group. So really, we are only delegating editing permissions on the production GPO, i.e. if the production GPO were to be edited through GPMC as opposed to AGPM? We still need another account to link it to a GPO? I understand that linking a GPO is an attribute of the OU, not the GPO, but I'd expect that because the underlying account has this permission it could delegate it. Maybe you guys could help me out with this.

Also, because the link is an attribute of the OU, 'Domain Admins' and other members of the 'Group Policy Creator Owners' group can still link GPOs outside of AGPM. This is fine, I guess, as domain admins should adhere to company policies regarding editing GPOs. I can also remove all other members of the 'Group Policy Creator Owners' group apart from my service account.

Worse still, it seems that 'Domain Admins' can delete GPOs which they should not have permission to. I must be missing something here, because they can't edit them (as expected, as they are not delegated this permission from AGPM when the GPO is deployed). Even if you look at the effective permissions on the GPO, it will list nothing for 'Domain Admins', yet they can still delete them. Strange.

I've checked the DACL on the folder in the SYSVOL and the GPC, and Domain Admins have no access other than read, yet they still can delete??
Regards,

Darragh O'Shaughnessy
IT Services Department
Web Site: www.vhi.ie
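The steps in the post above (granting the AGPM service account full control on every production GPO, then checking who else can still edit or delete them) can be scripted end to end. The following is an added example, not code from the original post and not part of AGPM or the GPMC scripts it mentions; it uses the GroupPolicy and ActiveDirectory PowerShell modules that ship with the Windows Server 2008 R2 RSAT instead of the GPMC COM scripting the post refers to. The principal names svc_agpm and agpm_admins are assumptions; substitute your own. Beyond the post's own steps it adds two checks a practitioner would want: a look at the DACL of the parent CN=Policies,CN=System container, because an ACE granting Delete Child (or full control) there lets a principal delete child GPO containers regardless of the GPO's own DACL, which is the first place to look when a GPO that lists no permission for Domain Admins can still be deleted by them; and a listing of the gPLink attribute on each OU, since linking is a write to the OU and is not governed by the GPO's permissions at all.

```powershell
# Added example, not from the original post and not AGPM/GPMC code.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT, Windows Server 2008 R2)
# and the hypothetical principals below; change them to match your domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ServiceAccount = 'svc_agpm'       # hypothetical AGPM service account
$DelegatedGroup = 'agpm_admins'    # hypothetical group set on the AGPM 'Domain Delegation' tab

# Step 3 of the post: grant the service account full control on every production GPO.
# GpoEditDeleteModifySecurity is GPMC's "Edit settings, delete, modify security".
# Set-GPPermission adds an ACE for the trustee; it does not remove anyone else's.
function Grant-AgpmServiceAccountControl {
    foreach ($gpo in Get-GPO -All) {
        Set-GPPermission -Guid $gpo.Id -TargetName $ServiceAccount -TargetType User `
            -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
        Write-Verbose ("Granted full control on '{0}' to {1}" -f $gpo.DisplayName, $ServiceAccount)
    }
}

# Audit: trustees other than the service account, the delegated group and SYSTEM
# that can still edit or delete a GPO through the GPO's own DACL.
function Get-UnexpectedGpoEditors {
    $expected = @($ServiceAccount, $DelegatedGroup, 'SYSTEM')
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object {
                ($_.Permission -eq 'GpoEdit' -or $_.Permission -eq 'GpoEditDeleteModifySecurity') -and
                ($expected -notcontains $_.Trustee.Name)
            } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Gpo        = $gpo.DisplayName
                    Trustee    = ('{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name)
                    Permission = $_.Permission
                }
            }
    }
}

# Check: deletion is also governed by the parent container. An Allow ACE with
# Delete Child or full control on CN=Policies,CN=System permits deleting child
# GPO containers whatever the child's DACL says, so list who holds that here.
function Get-PoliciesContainerDeleters {
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path ('AD:\CN=Policies,CN=System,{0}' -f $domainDn)
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild) -or
             ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll))
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# Linking is a write to the OU's gPLink attribute, not a GPO permission, so
# enumerate the links per OU to make link changes made outside AGPM visible.
function Get-OuGpoLinks {
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $inheritance = Get-GPInheritance -Target $ou.DistinguishedName
        foreach ($link in $inheritance.GpoLinks) {
            New-Object PSObject -Property @{
                OU      = $ou.DistinguishedName
                Gpo     = $link.DisplayName
                Enabled = $link.Enabled
                Order   = $link.Order
            }
        }
    }
}

Grant-AgpmServiceAccountControl
Get-UnexpectedGpoEditors      | Format-Table -AutoSize
Get-PoliciesContainerDeleters | Format-Table -AutoSize
Get-OuGpoLinks                | Format-Table -AutoSize
```

Run it as an account that can both modify GPO security and read the AD ACLs (Get-Acl on the AD: drive needs the ActiveDirectory module loaded first). AGPM itself rewrites the production GPO's DACL when it deploys, so re-run the audit functions after a deployment rather than trusting the grant step alone; and treat any non-inherited Delete Child or full-control ACE on the Policies container as the thing to remove or justify if the goal is that only AGPM can delete deployed GPOs.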
Copyright 2009 by GPOGUY.COM