Advanced Group Policy Management Install

compdigit44 asked:
I will be installing AGPM in our environment, and according to the install guides online you need to install the application under a domain admin account, but for the service account you can use a least privilege approach and add the account to the Backup Operators and GP Creator groups.

https://technet.microsoft.com/en-us/itpro/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40

If I understand everything correctly, one thing about the GP Creator group is that it does not grant the user full access to already created GPs but will on new GPs. Is this correct? If so, with 100 GPs this will be a problem for me.

Yes, that is correct. In a least privilege setup the AGPM service account will not necessarily have rights to take control and manage any GPO. I am in the same position as you. With hundreds of GPOs, it can be painful. It is easy to script though; just iterate through the GPOs you want to give the AGPM account permissions for and add its group in with rights (you can also just add the account itself in instead of a group).

Set-GPPermissions -Name "GPO Name" -TargetName "Yourdomain\AGPMServiceGroup" -TargetType group -PermissionLevel GpoEditDeleteModifySecurity

Author commented:
Great tip. How can I dump all GPs by name to a file, then have the script add the account needed to each GP?

Obviously the usual disclaimer. Test all scripts in a test lab before you unleash them upon your production environment :)

Get-GPO -All | Select -expand displayname | out-file c:\temp\allgpos.txt

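The two snippets in this thread combined into one loop, as an added example that is not part of the original posts: it reads the exported name list, applies the same permission level to each GPO, and records the group's prior entry so the change can be audited or rolled back. The group name and list path are the thread's placeholders; the CSV log path is an assumption.

```powershell
#Requires -Modules GroupPolicy
# Added example: bulk-delegate existing GPOs to the AGPM service group.
# Run with -WhatIf first to see what would change without writing anything.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GpoListPath = 'C:\temp\allgpos.txt',            # file from Get-GPO -All
    [string]$TargetName  = 'Yourdomain\AGPMServiceGroup',    # placeholder from the thread
    [string]$LogPath     = 'C:\temp\agpm-delegation.csv'     # assumed audit log path
)
$level = 'GpoEditDeleteModifySecurity'

$results = foreach ($line in Get-Content -Path $GpoListPath) {
    $name = $line.Trim()
    if (-not $name) { continue }                             # skip blank lines

    $row = [ordered]@{ Gpo = $name; Before = 'None'; Action = ''; Error = '' }
    try {
        $gpo = Get-GPO -Name $name -ErrorAction Stop

        # Record the group's current entry, if any, for audit and rollback.
        $current = Get-GPPermission -Guid $gpo.Id -TargetName $TargetName `
                       -TargetType Group -ErrorAction SilentlyContinue
        if ($current) { $row.Before = [string]$current.Permission }

        if ($row.Before -eq $level) {
            $row.Action = 'AlreadySet'
        }
        elseif ($PSCmdlet.ShouldProcess($name, "Grant $level to $TargetName")) {
            Set-GPPermission -Guid $gpo.Id -TargetName $TargetName `
                -TargetType Group -PermissionLevel $level -ErrorAction Stop | Out-Null
            $row.Action = 'Granted'
        }
        else {
            $row.Action = 'Skipped'                          # -WhatIf or declined
        }
    }
    catch {
        # A renamed or deleted GPO must not stop the rest of the run.
        $row.Action = 'Failed'
        $row.Error  = $_.Exception.Message
    }
    [pscustomobject]$row
}

# Always write the log, even under -WhatIf, so the dry run can be reviewed.
$results | Export-Csv -Path $LogPath -NoTypeInformation -WhatIf:$false
$results | Group-Object Action | Select-Object Name, Count
```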