Solved

Advanced Group Policy Management Install

Posted on 2016-07-24
3
38 Views
Last Modified: 2016-07-25
I will be installing AGPM in our environment and account to the install guides online you need to install the application under a domain admin account but for the service account you can you a least prividge approach and added the account to the Backup Operators and GP Creator groups..

https://technet.microsoft.com/en-us/itpro/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40

If I am understand everything correctly one thing about the GP Creator GP is that is does not grant the user full access of already created GP but will on new GP's is this correct. If so with 100 GP's this will be a problem for me
0
Comment
Question by:compdigit44
  • 2
3 Comments
 
LVL 17

Accepted Solution

by:
Learnctx earned 500 total points
ID: 41726875
Yes, that is correct. In a least privilege setup the AGPM service account will not necessarily have rights to take control and manage any GPO. I am in the same position as you. With hundred's of GPO's, it can be painful. It is easy to script though; just iterate through the GPO's you want to give the AGPM account permissions for and add its group in with rights (you can also just add the account itself in instead of a group).

Set-GPPermissions -Name "GPO Name" -TargetName "Yourdomain\AGPMServiceGroup" -TargetType group -PermissionLevel GpoEditDeleteModifySecurity

Open in new window

0
 
LVL 19

Author Comment

by:compdigit44
ID: 41728573
Great Tip.. How can I dump all GP's my name to a file then have the script add the account needed to each GP?
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 500 total points
ID: 41728635
Obviously the usual disclaimer. Test all scripts in a test lab before you unleash them upon your production environment :)

Get-GPO -All | Select -expand displayname | out-file c:\temp\allgpos.txt

Open in new window

0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now