Advanced Group Policy Management Install

I will be installing AGPM in our environment and account to the install guides online you need to install the application under a domain admin account but for the service account you can you a least prividge approach and added the account to the Backup Operators and GP Creator groups..

https://technet.microsoft.com/en-us/itpro/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40

If I am understand everything correctly one thing about the GP Creator GP is that is does not grant the user full access of already created GP but will on new GP's is this correct. If so with 100 GP's this will be a problem for me
LVL 20
compdigit44Asked:
Who is Participating?
 
LearnctxEngineerCommented:
Yes, that is correct. In a least privilege setup the AGPM service account will not necessarily have rights to take control and manage any GPO. I am in the same position as you. With hundred's of GPO's, it can be painful. It is easy to script though; just iterate through the GPO's you want to give the AGPM account permissions for and add its group in with rights (you can also just add the account itself in instead of a group).

Set-GPPermissions -Name "GPO Name" -TargetName "Yourdomain\AGPMServiceGroup" -TargetType group -PermissionLevel GpoEditDeleteModifySecurity

Open in new window

0
 
compdigit44Author Commented:
Great Tip.. How can I dump all GP's my name to a file then have the script add the account needed to each GP?
0
 
LearnctxEngineerCommented:
Obviously the usual disclaimer. Test all scripts in a test lab before you unleash them upon your production environment :)

Get-GPO -All | Select -expand displayname | out-file c:\temp\allgpos.txt

Open in new window

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.