This post is part of the following article series:
- Advanced Group Policy Management – Introduction
- Advanced Group Policy Management – Server Installation
- Advanced Group Policy Management – Client Installation
- Advanced Group Policy Management – Securing AGPM
The last thing we should configure in AGPM is proper permissions. Our goal here is to make AGPM the only way for people to edit or create GPOs. The default installation adds a new tab called “Change Control” to the Group Policy Management Console; using it, you can create or edit controlled policies and everything will be archived, logged and controlled. So nice!
Our first issue appears here: as a domain admin you can still create or edit group policies using GPMC without going through AGPM Change Control.
This is the default behavior and it is meant to be like that. Domain-Admins exist to manage the domain, so they have all permissions anyway, but we can at least lock down some of these things.
Step 1. Assign permissions to the specific users who should manage controlled Group Policies: log in to your client AGPM installation using the default administrator account (agpm-administrator) and open GPMC -> Change Control -> “Domain Delegation”.
At the bottom, click the “Add…” button and add your GP admins with the appropriate roles (Reviewer, Editor, Approver, Full Control). This can be done on the Domain Delegation tab or, alternatively, on the Contents -> Controlled tab for each individual Group Policy Object.
Step 2. Switch to “Production Delegation” and add all accounts that should have permissions on policies deployed using AGPM. You have to include SYSTEM and ENTERPRISE DOMAIN CONTROLLERS. Additionally, we want AGPM to manage those policies, so add the AGPM Administrator and AGPM Service accounts.
As shown on the image above, 5 groups / accounts will be listed on the “Permissions” tab of each deployed GPO controlled by AGPM.
Removing the option to “Edit” policies for Domain-Admins outside of the AGPM interface
This task shouldn’t be automated, since your Domain-Admins group is most likely listed with specific permissions on some GPOs, so you have to repeat the procedure on each GPO manually. For example, click on “Default Domain Policy” and go to the Delegation tab; you should see something similar to:
Make sure that there are no special permissions for the Domain-Admins group on each policy. As an example, take a look at the screenshot below:
Some GPOs might have different permissions for groups; in the example above, Domain-Admins group members are excluded from applying this policy. For this reason you shouldn’t automate removal of this group from all policies; it should be done one by one.
As soon as you delete the Domain-Admins group from your GPOs (all the policies that you want to manage using AGPM), these users won’t be able to make any changes unless they use AGPM.
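Because the removal has to stay a manual, per-GPO decision, the useful automation is a read-only inventory: which GPOs still carry an explicit entry for the Domain-Admins group, and whether that entry is an edit right (a candidate for removal) or a denied “apply” (an intentional exclusion like the one in the screenshot). The following script is an added example written for this post, not code from the AGPM product or the original article. It assumes the RSAT GroupPolicy module is installed, that the account running it can read GPO security, and that the group is the built-in “Domain Admins” (the post writes it as Domain-Admins).

```powershell
# Added example (not from the original post): read-only audit of explicit
# "Domain Admins" entries on every GPO in the domain. It only reports; nothing
# is removed, because a denied GpoApply entry is usually an intentional exclusion.
# Assumptions: RSAT GroupPolicy module present, run from a domain-joined host with
# read access to GPO security descriptors.
Import-Module GroupPolicy -ErrorAction Stop

$groupName = 'Domain Admins'   # real built-in group name (the post spells it Domain-Admins)

$findings = foreach ($gpo in Get-GPO -All) {
    # -All returns every trustee on the GPO, including Deny entries
    $entries = Get-GPPermission -Guid $gpo.Id -All -ErrorAction SilentlyContinue |
        Where-Object { $_.Trustee.Name -eq $groupName }

    foreach ($ace in $entries) {
        # Classify the entry so the reviewer knows what it means before touching it
        if ($ace.Denied -and $ace.Permission -eq 'GpoApply') {
            $note = 'Exclusion from applying the policy: review, usually keep'
        } elseif ($ace.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom') {
            $note = 'Edit rights outside AGPM: candidate for manual removal'
        } else {
            $note = 'Read only: harmless'
        }

        [pscustomobject]@{
            GPO        = $gpo.DisplayName
            Id         = $gpo.Id
            Permission = $ace.Permission   # GpoRead, GpoApply, GpoEdit, GpoEditDeleteModifySecurity, GpoCustom
            Denied     = $ace.Denied
            Inherited  = $ace.Inherited
            Note       = $note
        }
    }
}

if (-not $findings) {
    Write-Host "No explicit '$groupName' entries found on any GPO."
} else {
    $findings | Sort-Object GPO | Format-Table GPO, Permission, Denied, Inherited, Note -AutoSize
    # Keep a record of the starting state for the change ticket (constructed file name)
    $findings | Export-Csv -Path '.\DomainAdmins-GPO-Permissions.csv' -NoTypeInformation
}
```

Run it once before you start removing entries and again when you are done; the second run should list only the intentional “Exclusion from applying” rows, which confirms that Domain-Admins no longer has an edit path around AGPM on any controlled GPO.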
Removing the option to create new policies outside of the AGPM interface
To remove the ability to create GPO links for Domain-Admins, go to your domain node in GPMC -> Delegation -> Advanced, then open Advanced Security Settings and click Add. Type in Domain-Admins, click Check Names and confirm with the “OK” button. On the Permission Entry dialog window, click Properties and select the Deny checkboxes next to Write gPLink and Write gPOptions.
Click OK on all dialog windows until you return to GPMC.
Now the tricky part: what you have done above is not inherited. You have to manually repeat this step on every OU you want to control. Finally we need to take care of the “Group Policy Objects” tab, where you can’t set advanced permissions. Open the ADSIedit console and browse to the Default naming context:
Then browse to CN=Policies,CN=System,DC=domain,DC=com, right click, select Properties -> Security -> Advanced to open Advanced Security Settings for Policies:
Click the Add button to deny permissions for the Domain-Admins group on This Object Only:
And then select only the following checkboxes:
This step makes the Create option unavailable (grayed out) in GPMC when creating a new policy in the Group Policy Objects container. The Delete option remains available for GPOs; however, attempting to delete will end with an access denied error.
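Since the OU-level denies are not inherited and every OU has to be done by hand, the check you want afterwards is one that walks the domain root, every OU and the CN=Policies container and reports where the Deny entries are missing. The script below is an added example written for this post (not the article’s own or Microsoft’s code). It assumes the RSAT ActiveDirectory module, that the denies were placed on the built-in “Domain Admins” group, and that the checkboxes selected on CN=Policies were the create and delete rights for groupPolicyContainer child objects; it resolves the gPLink, gPOptions and groupPolicyContainer GUIDs from the schema instead of hard-coding them.

```powershell
# Added example (not from the original post): verify the Domain Admins deny ACEs
# described above. Read-only; it reports, it does not change any ACL.
#   domain root + every OU : Deny "Write gPLink" and "Write gPOptions" (property writes)
#   CN=Policies,CN=System  : Deny create/delete of groupPolicyContainer child objects
# Assumptions: RSAT ActiveDirectory module, group is the built-in "Domain Admins",
# and the CN=Policies checkboxes were the create/delete groupPolicyContainer rights.
Import-Module ActiveDirectory -ErrorAction Stop

$group    = 'Domain Admins'      # real group name; the post spells it Domain-Admins
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$domainDN = $rootDse.defaultNamingContext

# Resolve attribute and class GUIDs from the schema rather than hard-coding them
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(ldapDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$gpLinkGuid    = Get-SchemaGuid 'gPLink'
$gpOptionsGuid = Get-SchemaGuid 'gPOptions'
$gpcClassGuid  = Get-SchemaGuid 'groupPolicyContainer'

# $true when an explicit Deny ACE for $Identity covers $Right on $ObjectType (or on everything)
function Test-DenyAce {
    param(
        [string]$DistinguishedName,
        [string]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [guid]$ObjectType
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        if ($ace.IdentityReference.Value -notlike "*\$Identity") { continue }
        if (($ace.ActiveDirectoryRights -band $Right) -ne $Right) { continue }
        # An empty ObjectType GUID means the ACE applies to all attributes/classes
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $ObjectType) { return $true }
    }
    return $false
}

# 1) Domain root plus every OU: both property denies must be present on each one,
#    because (as the post notes) the entry is not inherited.
$containers = @($domainDN) + @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)
$linkReport = foreach ($dn in $containers) {
    [pscustomobject]@{
        Object             = $dn
        DenyWriteGpLink    = Test-DenyAce $dn $group WriteProperty $gpLinkGuid
        DenyWriteGpOptions = Test-DenyAce $dn $group WriteProperty $gpOptionsGuid
    }
}
$linkReport | Format-Table -AutoSize
$unprotected = @($linkReport | Where-Object { -not ($_.DenyWriteGpLink -and $_.DenyWriteGpOptions) })
Write-Host ("{0} of {1} containers still allow '{2}' to change GPO links." -f $unprotected.Count, @($linkReport).Count, $group)

# 2) CN=Policies: the create/delete child denies for groupPolicyContainer objects
$policiesDN = "CN=Policies,CN=System,$domainDN"
[pscustomobject]@{
    Object        = $policiesDN
    DenyCreateGPC = Test-DenyAce $policiesDN $group CreateChild $gpcClassGuid
    DenyDeleteGPC = Test-DenyAce $policiesDN $group DeleteChild $gpcClassGuid
} | Format-List
```

Any container listed with a False in either column is one where the GUI step was skipped, so Domain-Admins could still link or unlink policies there without AGPM knowing; rerun the check whenever a new OU is created, since a fresh OU starts without the Deny entry.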
To be honest, give a little bit of trust to your domain admins. Usually I don’t block creation of new policies, since they will be listed in AGPM as uncontrolled anyway, so I can easily find them and warn those people.
This post ends the article series about installing and configuring AGPM. I hope it is described clearly enough; if not, don’t hesitate to leave comments here.