[gptalk] Re: Group Policy delegation

  • From: "Tony Murray [HIQ]" <Tony.Murray@xxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Fri, 30 Mar 2007 14:25:36 +1200

Just a quick update.  I completed the delegation setup in the lab and all is
working fine.  A couple of things I noticed:

1.  Watch out for the permissions assigned to the owner/creator of a new
GPO.  For example, I modify the default security descriptor of
groupPolicyContainer objects so that the Domain Admins group has only Read
permissions on new GPOs.  If I then create a new GPO using an account that is
a member of Domain Admins, the new GPO will assign Domain Admins "Edit
settings, delete, modify security" rights through owner/creator permissions
assignment.  Ideally it would be good to avoid this scenario by proxying the
creation of all new GPOs through an account that is only a member of the
delegated "Group Policy Admins" group.

2.  If you want to assign LinkGPOs permissions to a group for a particular
AD site using SetSOMPermissions.wsf you will need to pass the full DN in the
case of a naming conflict.  The script doesn't offer you the DN as an option,
but you can still add it using the syntax shown in the example below.

cscript SetSOMPermissions.wsf "LDAP://CN=SITE1,CN=Sites,CN=Configuration,DC=MYCO,DC=COM" "Group Policy Admins" /Permission:LinkGPOs

Tony

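An added example (not Tony's or the list's code) of the check point 1 calls for: it walks every GPO in the domain through the GPMC COM interface and reports any trustee holding "Edit settings, delete, modify security" that is not on an approved list. The domain name and the approved group names are assumptions.

```powershell
# Added example, not code from the thread: list every trustee that holds
# "Edit settings, delete, modify security" on a GPO in the domain and is
# not on the approved list. Domain and group names are assumptions.
$domainName = "corp.example.com"
$approved   = @("CORP\Group Policy Admins", "CORP\Enterprise Admins",
                "NT AUTHORITY\SYSTEM")

$gpm    = New-Object -ComObject GPMgmt.GPM
$c      = $gpm.GetConstants()
$domain = $gpm.GetDomain($domainName, "", $c.UseAnyDC)

# An empty search criteria object matches every GPO in the domain
$allGpos = $domain.SearchGPOs($gpm.CreateSearchCriteria())

$findings = foreach ($gpo in $allGpos) {
    foreach ($perm in $gpo.GetSecurityInfo()) {
        $trustee = "{0}\{1}" -f $perm.Trustee.TrusteeDomain, $perm.Trustee.TrusteeName
        if ($perm.Permission -eq $c.PermGPOEditSecurityAndDelete -and
            -not $perm.Denied -and
            $approved -notcontains $trustee) {
            # Domain Admins showing up here after the default security
            # descriptor was tightened is the creator/owner effect from
            # point 1: the GPO was created by a Domain Admins member.
            [pscustomobject]@{
                GPO       = $gpo.DisplayName
                GPOId     = $gpo.ID
                Trustee   = $trustee
                Inherited = $perm.Inherited
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No unexpected holders of Edit/Delete/Modify security found." }
```

Run it as an account with Read on all GPOs; it changes nothing, so it is safe to schedule as a recurring drift check after the delegation is rolled out.
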
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Tony Murray [HIQ]
Sent: Wednesday, 28 March 2007 08:44
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy delegation

PowerShell - I like it!

Thanks Thorbjörn and Darren.  Helpful comments as always.

Tony

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thorbjörn Sjövold
Sent: Wednesday, 28 March 2007 06:15
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy delegation

Tony,

As Darren already said, you are pretty much covering it and if being a Group
Policy Muppet is your level, the world would be a nice place to live in ;)

Anyway, to follow up on Darren's post, if you want to script it, there is a way
to delegate WMI filter creation using the GPMC scripting interfaces: you can
use the PermSOMWMICreate constant when targeting the Domain (it does not work
with any other SOMs for obvious reasons) to accomplish this.

I've put together a small PowerShell code snippet that you can use in a
function, script or just directly line by line from the CLI etc. to make this
happen.  You might want to test it and put some error handling in it before
running it live :)

############################################################
# The name of the domain to operate on
$domainName = "Microsoft.com"
# The group or user to grant the permissions to create WMI filters
$groupToAdd = "microsoft\domain users"

# Create the GPMC main object
$gpm = New-Object -ComObject GPMgmt.GPM
# Load the GPMC constants
$gpmConstants = $gpm.GetConstants()
# Connect to the domain passed, using any DC
$gpmDomain = $gpm.GetDomain($domainName, "", $gpmConstants.UseAnyDC)
# Get the Scope Of Management for the domain
$gpmSom = $gpmDomain.GetSOM("")
# Load the current delegation settings for the domain level
$gpmSecurityInfo = $gpmSom.GetSecurityInfo()
# Create the security setting for creating WMI filters
$gpmPermission = $gpm.CreatePermission($groupToAdd, $gpmConstants.PermSOMWMICreate, $false)
# Add the new group to the existing ones
$gpmSecurityInfo.Add($gpmPermission)
# Commit the changes
$gpmSom.SetSecurityInfo($gpmSecurityInfo)
############################################################

HTH,

Thorbjörn Sjövold

_______________________________________________
Special Operations Software
Torsgatan 8             +46(0)8-52463400
111 23 Stockholm        +46(0)70-7104452
http://www.specopssoft.com

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: 27 March 2007 15:57
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Group Policy delegation

Tony-

That is pretty complete, I would say. I don't think you've missed much of
anything. In #3, the ability to link also may include rights on the gpOptions
attribute, which controls the Block Inheritance flag. There is also the ability
to delegate creation of WMI Filters in the domain. That can be done via GPMC
console - not sure if there's a scripting interface for it. And, then the linking
of a filter to a GPO is wrapped up in your GPO delegation so that is covered
below.

Outside of that, nothing else comes to mind.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Tony Murray [HIQ]
Sent: Monday, March 26, 2007 3:25 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Group Policy delegation

Hi all

I'm just in the process of planning Group Policy delegation and could benefit
from your advice about the approach.  I want to delegate administration of
Group Policy to the "Group Policy Admins" role (actually an AD group).  I may
also want more granular delegation in the future.

As I see it there are three areas where delegation is relevant.

1.  Delegated permission to create GPOs.
2.  Delegation permissions on individual GPOs.
3.  Delegated Group Policy-related permissions on SOMs (OUs, Domains and Sites).

Taking each of these in turn....

1.  Delegated permission to create GPOs.

This appears to be relatively straightforward.  I simply modify the Delegation
tab on the Group Policy Objects container within the GPMC.  Alternatively I
can use the SetGPOCreationPermissions.wsf script sample.

2.  Delegation permissions on individual GPOs.

This is split into two parts: new GPOs and existing GPOs.

a)  New GPOs.  I can modify the default security descriptor for
groupPolicyContainer objects by following the guidelines in
http://support.microsoft.com/default.aspx?scid=kb;en-us;321476.

b)  Existing GPOs.  I can modify the permissions for all GPOs within a
domain by using the GrantPermissionOnAllGPOs.wsf script sample.

3.  Delegated Group Policy-related permissions on SOMs.

This involves assigning the "Group Policy Admins" group the ability to:

*   Link GPOs to a given site, domain or OU.
*   Perform Group Policy Modelling analysis on a given domain or OU
    (but not on a site).
*   Read Group Policy Results data for objects within a given domain
    or OU (but not a site).

I can use the SetSOMPermissions.wsf to do this.

That's as far as I have got.  Before I started setting this up in the lab and
testing I thought I would check here to see if I have the approach right.

Anything I should be doing differently?  Any shortcuts I am missing?  Better
ways of setting up the delegation?

Tony

Directory Services MVP (and Group Policy Muppet).
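
An added example (not Tony's or the list's code) that verifies the SOM side of the plan in point 3: it reports which trustees hold Link GPOs, Modelling and Results rights on the domain, on every OU and on every site, using the same GPMC COM interface the thread's snippet uses. The domain and forest names are assumptions.

```powershell
# Added example, not code from the thread: report who holds the three SOM
# rights from point 3 (Link GPOs, Modelling, Results) on the domain, every
# OU and every site. Domain and forest names are assumptions.
$domainName = "corp.example.com"
$forestName = "corp.example.com"

$gpm    = New-Object -ComObject GPMgmt.GPM
$c      = $gpm.GetConstants()
$domain = $gpm.GetDomain($domainName, "", $c.UseAnyDC)

# GPMC permission constants mapped to the Delegation tab labels
$labels = @{}
$labels[[int]$c.PermSOMLink]     = "Link GPOs"
$labels[[int]$c.PermSOMPlanning] = "Perform Group Policy Modelling analyses"
$labels[[int]$c.PermSOMLogging]  = "Read Group Policy Results data"

function Get-SomDelegation($som) {
    foreach ($perm in $som.GetSecurityInfo()) {
        $key = [int]$perm.Permission
        if ($labels.ContainsKey($key) -and -not $perm.Denied) {
            [pscustomobject]@{
                SOM       = $som.Path
                Trustee   = "{0}\{1}" -f $perm.Trustee.TrusteeDomain, $perm.Trustee.TrusteeName
                Right     = $labels[$key]
                Inherited = $perm.Inherited
            }
        }
    }
}

# Domain root first, then every OU found by an LDAP search, then every site
$rows = @(Get-SomDelegation $domain.GetSOM(""))
$root     = [ADSI]"LDAP://$domainName"
$searcher = New-Object DirectoryServices.DirectorySearcher($root, "(objectClass=organizationalUnit)")
foreach ($ou in $searcher.FindAll()) {
    $rows += Get-SomDelegation $domain.GetSOM($ou.Properties["distinguishedname"][0])
}
$sites = $gpm.GetSitesContainer($forestName, $domainName, "", $c.UseAnyDC)
foreach ($site in $sites.SearchSites($gpm.CreateSearchCriteria())) {
    $rows += Get-SomDelegation $site
}
$rows | Sort-Object SOM, Right | Format-Table -AutoSize
```

Inherited rows on an OU come from a parent OU or the domain; an explicit Link GPOs entry on a site is what the SetSOMPermissions.wsf call in the follow-up creates.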
This email or attachment(s) may contain confidential or legally privileged 
information intended for the sole use of the addressee(s). Any use, 
redistribution, disclosure, or reproduction of this message, except as 
intended, is prohibited. If you received this email in error, please notify the 
sender and remove all copies of the message, including any attachments. Any 
views or opinions expressed in this email (unless otherwise stated) may not 
represent those of HealthIntelligence (HIQ Ltd). 

http://www.healthintelligence.org.nz

No Viruses were detected in this message.
HealthIntelligence eMail Filter Service