Jeff Shafer
Cannot restore a GPO - Access Denied
I have a group of admins who didn't need to be Domain Admins. I removed them from the group and delegated permissions as needed. They have Edit Settings, Delete, Modify Security permissions on the GPOs and can back up a GPO via the GPMC, but they cannot restore the GPO. Does anyone know the rights I need to grant, and on what container, to allow them to restore GPOs? Thanks.
ASKER
Thanks for the reply! What permissions exactly should they have?
This doc https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/agpm/restore-a-deleted-gpo says:
• By default, you must be an Editor, an Approver, or an AGPM Administrator (Full Control) to perform this procedure. Specifically, you must have List Contents and either Edit Settings, Deploy GPO, or Delete GPO permissions for the GPO.
They have Edit Settings listed in the GPMC. They have List on the container itself, looking at the ACL. We do not use AGPM, which I believe the rest applies to.
ASKER
Yes, I looked; they have "Write all properties".
Give them full access for a test and retry. Please mind that even permissions are replicated in AD, so allow a replication cycle to pass before you try (half a minute or so).
ASKER
I would be surprised if Full Control doesn't give them the rights to restore, but I am trying to give them the least number of permissions they need. So I was looking for the exact permission I would need to delegate to restore a GPO.
Please understand how troubleshooting works and do this test. It is a test, it is not a recommended setting. Just a test.
Out of interest, how frequently do they restore a GPO, and for what reason?
This is a PowerShell delegation task I schedule:
```powershell
# Group to delegate to, and the GPMC permission level to grant on every GPO.
# GpoEditDeleteModifySecurity = Edit settings, delete, modify security in the GPMC.
$grp   = "DG-FullControlGPOs"
$level = "GpoEditDeleteModifySecurity"

# Apply the same permission level to every GPO in the domain.
$gpos = Get-GPO -All
foreach ($gpo in $gpos)
{
    $gpname = $gpo.DisplayName
    Set-GPPermission -Name $gpname -PermissionLevel $level -TargetName $grp -TargetType Group
}
```
ASKER
@mcKnife Please refrain from insults. I understand how troubleshooting works, but at the same time I am on this site asking for someone who knows the answer offhand. If you do not know, that is fine and I appreciate your input, but don't trash me, please. Thanks.
I was in no way trying to insult you and I have no idea what makes you think I did.
I had the idea that the permissions of that container needed to be checked, and the fastest way to find out if those were indeed responsible (and alone responsible) was this test. That's all; please accept my apologies, although it was not my intention in the first place.
ASKER
@Shaun Vermaak Basically this is the desktop group that manages desktop-based GPOs. They are not backing up all of them; they simply back up a particular GPO so they can edit it using PowerBroker tools, then they restore it on top of the old one. They apparently cannot edit it directly in the GPMC. Somewhat of an odd approach, and one of the reasons I am sure they were added to Domain Admins in the past.
I will check out your PowerShell! Thanks.
ASKER CERTIFIED SOLUTION
For the record: in my test, granting full access allowed them to restore GPOs. Granting only write permissions did not suffice.
Be aware that restoring a GPO whose files you can modify beforehand entitles you to do pretty much anything in a domain, so be very careful with this delegation.
CN=Policies,CN=System,DC=y
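The thread leaves two things to the reader: how to see which rights the delegated group actually holds on the GPO objects, on the Policies container and in SYSVOL, and how to exercise the backup/restore round trip as that group so the failing step is visible. The following script is an added example, not code from the original posters; it assumes the GroupPolicy and ActiveDirectory modules are installed, and the group name, GPO name and backup path are placeholders. Because a restore writes both the AD object under CN=Policies,CN=System and the folder under SYSVOL, it checks both ACLs, and because the caveat above applies (a restorable, editable backup is effectively domain-wide control), it also lists every GPO the group can write to, which is the scope of what a member could tamper with.

```powershell
# Added example (not from the original thread). Placeholders below are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$grp       = 'DG-FullControlGPOs'   # delegated group (placeholder)
$gpoName   = 'Desktop - Baseline'   # GPO used for the round-trip test (placeholder)
$backupDir = 'C:\GPOBackups'        # backup target (placeholder)

$domain     = Get-ADDomain
$policiesDN = "CN=Policies,CN=System,$($domain.DistinguishedName)"
$gpo        = Get-GPO -Name $gpoName
$sysvolPath = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}"

# Returns the ACEs a trustee holds on an AD or file-system path.
# Acl entries carry "DOMAIN\Name" in IdentityReference, so match on the group name.
function Get-TrusteeAces {
    param([string]$Path, [string]$Trustee)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Trustee" } |
        Select-Object @{n='Path';e={$Path}},
                      @{n='Rights';e={ if ($_.ActiveDirectoryRights) { $_.ActiveDirectoryRights } else { $_.FileSystemRights } }},
                      AccessControlType, IsInherited
}

# 1. What the GPMC shows per GPO (Edit / Delete / Modify security).
Write-Host "== GPMC permission on '$gpoName' for $grp =="
Get-GPPermission -Name $gpoName -TargetName $grp -TargetType Group |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Inherited

# 2. The raw ACEs on the GPO object, on its parent container, and in SYSVOL.
#    A deleted GPO is re-created as a child of the Policies container, so rights
#    on the container itself (not only on existing GPO objects) decide whether
#    a restore of a deleted GPO can succeed.
Write-Host "== ACEs for $grp =="
Get-TrusteeAces -Path "AD:\$($gpo.Path)" -Trustee $grp
Get-TrusteeAces -Path "AD:\$policiesDN" -Trustee $grp
Get-TrusteeAces -Path $sysvolPath       -Trustee $grp

# 3. Blast radius of the delegation: every GPO this group may edit. Each of
#    these can be backed up, altered offline, and restored by a group member.
Write-Host "== GPOs $grp can edit =="
Get-GPO -All | ForEach-Object {
    $p = Get-GPPermission -Guid $_.Id -TargetName $grp -TargetType Group -ErrorAction SilentlyContinue
    if ($p -and $p.Permission -in 'GpoEdit','GpoEditDeleteModifySecurity') {
        [pscustomobject]@{ GPO = $_.DisplayName; Permission = $p.Permission }
    }
}

# 4. Round trip. Run this part in the delegated user's context (a separate
#    session started as that user), otherwise it only proves what *you* can do.
#    Restore-GPO fails on either the AD ACL or the SYSVOL ACL, so a failure
#    message is cross-checked against the ACEs printed in step 2.
$backup = Backup-GPO -Name $gpoName -Path $backupDir
try {
    Restore-GPO -BackupId $backup.Id -Path $backupDir -ErrorAction Stop | Out-Null
    Write-Host "Restore of '$gpoName' succeeded as $env:USERDOMAIN\$env:USERNAME"
} catch {
    Write-Warning "Restore of '$gpoName' failed as $env:USERDOMAIN\$env:USERNAME : $($_.Exception.Message)"
}
```

Run steps 1 to 3 as an administrator to audit the delegation, then step 4 as a member of the delegated group; the poster's result above (full control restores, write-only does not) is what a missing ACE on the Policies container or on the SYSVOL folder looks like here. Step 3 is the list to review before accepting the delegation: any GPO on it that links to domain controllers or Tier 0 servers makes the group equivalent to Domain Admins.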