
Windows Server 2008 and Windows Vista : Security Delegation for Administration of GPOs - Default Security Environment

10/26/2013 2:04:48 AM

1. Default Security of the GPMC

The default security configuration for administering Group Policy in Windows Server 2008 is essentially the same as in Windows Server 2003. The substantial change came between Windows 2000 Server and Windows Server 2003, because the GPMC was introduced with Windows Server 2003, and with it came an entirely new set of delegations and new ways of delegating administration over Group Policy management.

On a Windows Server 2008 domain controller the GPMC is installed by default, and it carries the same default security delegation that existed in Windows Server 2003.

The default security for administration of Group Policy is divided into six categories:

  • Create GPOs

  • Link GPOs

  • Edit, delete, and modify security of GPOs

  • Edit GPOs (only)

  • Model GPOs

  • Perform Resultant Set of Policy (RSoP) of GPOs

For each of these delegations, Setup configures the default settings when it installs Active Directory Domain Services. Table 1 lists the default permissions for each delegation in the GPMC, plus the Read permission that Authenticated Users hold on every GPO.

Table 1. Default Delegations in the GPMC

Delegation: Create GPOs
  Permission:    Create GPO in the domain
  User or Group: Domain Admins; Group Policy Creator Owners; SYSTEM

Delegation: Link GPOs
  Permission:    Link GPO to the specified node in Active Directory only
  User or Group: Administrators; Domain Admins; Enterprise Admins; SYSTEM

Delegation: Edit settings, delete, modify security of GPOs
  Permission:    Edit GPO using the GPME; enable/disable the GPO and parts of the GPO; import settings; back up GPO; restore from backup; link WMI filters; delete GPO; modify security filtering; modify delegation on the GPO
  User or Group: Domain Admins; Enterprise Admins; SYSTEM

Delegation: Edit GPOs (only)
  Permission:    Edit GPO in the GPME; enable/disable the GPO and parts of the GPO; import settings; link WMI filters
  User or Group: (none by default)

Delegation: Perform Group Policy Modeling analyses
  Permission:    Model GPOs for the specified Active Directory node
  User or Group: Administrators; Domain Admins; Enterprise Admins; SYSTEM

Delegation: Read Group Policy Results data
  Permission:    Determine RSoP for the specified Active Directory node
  User or Group: Administrators; Domain Admins; Enterprise Admins; SYSTEM

Delegation: Read (from Security Filtering)
  Permission:    View settings; back up GPO to an existing folder
  User or Group: Authenticated Users

As the table shows, unless you are a member of Domain Admins, Enterprise Admins, or the domain's built-in Administrators group, you have no permission to manage Group Policy by default. The one exception is Group Policy Creator Owners: its members can create GPOs (and manage the ones they create), but they cannot link a GPO to any domain, site, or OU.
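The values in Table 1 are only the defaults; in a real domain they drift as administrators hand out Edit rights on individual GPOs or write access to gPLink on OUs. The following PowerShell script is an added example and is not part of the original article. It enumerates every GPO's permissions and the ACL of the domain object and every OU, then reports principals holding edit-or-higher rights on a GPO, or the ability to link GPOs to a container, that are not among the Table 1 defaults. It assumes the GroupPolicy and ActiveDirectory modules, which ship with Windows Server 2008 R2 and later and with RSAT; Windows Server 2008 RTM has neither, so run it from a newer management host against the domain. Principals are identified by well-known SIDs rather than names so the comparison holds in any domain.

```powershell
# Added example (not from the original article): audit GPO delegation against the Table 1 defaults.
# Assumes the GroupPolicy and ActiveDirectory modules are available on the host running it.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$domSid  = $domain.DomainSID.Value
$rootSid = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

# Well-known SIDs of the Table 1 principals, so the check does not depend on (possibly localized) names.
$sidSystem         = 'S-1-5-18'
$sidAuthUsers      = 'S-1-5-11'
$sidAdministrators = 'S-1-5-32-544'
$sidDomainAdmins   = "$domSid-512"
$sidEntAdmins      = "$rootSid-519"      # Enterprise Admins exists only in the forest root domain
$sidGpCreators     = "$domSid-520"       # Group Policy Creator Owners (create only; cannot link)

$defaultFullControl = @($sidSystem, $sidDomainAdmins, $sidEntAdmins)
$defaultLinkers     = @($sidSystem, $sidAdministrators, $sidDomainAdmins, $sidEntAdmins)

# ---- 1. Per-GPO ACLs: the "Edit, delete, modify security", "Edit (only)" and "Read" rows ----
foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All
    foreach ($p in $perms) {
        $sid = $p.Trustee.Sid.Value
        $who = "$($p.Trustee.Name) ($sid)"
        switch ($p.Permission.ToString()) {
            'GpoEditDeleteModifySecurity' {
                if ($defaultFullControl -notcontains $sid) { "[FULL CONTROL] $($gpo.DisplayName): $who" }
            }
            'GpoEdit'   { "[EDIT] $($gpo.DisplayName): $who" }                  # nobody holds this by default
            'GpoCustom' { "[CUSTOM ACL] $($gpo.DisplayName): $who - inspect in GPMC" }
        }
    }
    # Authenticated Users hold Read by default (reported as GpoApply when Apply is also granted).
    $authRead = $perms | Where-Object {
        $_.Trustee.Sid.Value -eq $sidAuthUsers -and
        ('GpoRead', 'GpoApply') -contains $_.Permission.ToString()
    }
    if (-not $authRead) { "[NO AUTHENTICATED USERS READ] $($gpo.DisplayName)" }
}

# ---- 2. Container ACLs: the "Link GPOs" row (write access to gPLink/gPOptions on the domain or an OU) ----
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$gpLinkGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=gPLink)'    -Properties schemaIDGUID).schemaIDGUID
$gpOptsGuid = [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=gPOptions)' -Properties schemaIDGUID).schemaIDGUID
$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$containers = @($domain.DistinguishedName) +
              @(Get-ADOrganizationalUnit -Filter * | ForEach-Object { $_.DistinguishedName })
foreach ($dn in $containers) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # The WriteProperty bit is also set by GenericWrite and GenericAll, so one test covers all three.
        if (($ace.ActiveDirectoryRights -band $writeProp) -eq 0) { continue }
        # ObjectType is Guid.Empty when the ACE covers every property, otherwise one attribute or property set.
        if ($ace.ObjectType -ne [guid]::Empty -and
            $ace.ObjectType -ne $gpLinkGuid -and $ace.ObjectType -ne $gpOptsGuid) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($defaultLinkers -notcontains $sid) { "[CAN LINK] ${dn}: $($ace.IdentityReference) ($sid)" }
    }
}
```

Every line the script prints is a deviation to review, not necessarily a fault: a deliberately delegated OU administrator will show up under [CAN LINK], and [CUSTOM ACL] only means the GPO's ACL no longer matches one of the GPMC's preset permission levels and must be read in full in the Delegation tab. Treat [NO AUTHENTICATED USERS READ] seriously: removing that default Read entry while doing "security filtering" is a common mistake, and since the June 2016 update MS16-072 computers must be able to read a GPO (through Authenticated Users or Domain Computers) for the user side of it to apply at all.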

2. Default Security of AGPM

AGPM adds an additional, yet integrated, level of delegation to your Group Policy management. Remember, AGPM is not a mandatory tool—it just makes the administration of GPOs much easier and adds functionality that the GPMC does not provide.

When you install AGPM, no GPOs are automatically brought under AGPM management. Taking control of every existing GPO automatically could have undesirable side effects, so which GPOs are included in (controlled by) AGPM is left to the AGPM administrator.

Installation sets up a few distinct delegations that take effect as AGPM is first used and GPOs are brought under its control. By default only two user accounts are given any control within AGPM.

The first, agpmservice, is not used to log on and manage AGPM; it is the service account under which the AGPM service accesses the GPOs on the production domain controller. It is in essence the proxy account that does all the work whenever AGPM touches a production GPO in any way. Its membership in the Group Policy Creator Owners group lets it create new GPOs and gives it control over the GPOs it creates, and it also holds explicit permissions on the GPOs in SYSVOL on the domain controllers. A human administrator never logs on with this account; it exists only for the AGPM service, as shown in Figure 1.

Figure 1. The AGPM service uses a service account to connect to the domain controller and exchange information about the production GPOs.


The second user account specified during installation is used by a real administrator. It becomes the AGPM administrator and has full control over the AGPM environment, as shown in Figure 2. It can be an existing user account, which then holds full administrative privileges over all of AGPM, or a dedicated AGPM administrator account used only for the initial setup of delegation in AGPM.

Figure 2. An AGPM administrator is determined at installation and is granted full control over AGPM for management and initial setup.

Best Practices

It is a best practice to use a dedicated user account when defining the AGPM administrator account during installation of AGPM. This simplifies administration and leaves a more flexible delegation model for future changes. If an existing account that belongs to an employee is used instead, the AGPM administrator must be changed whenever that person stops being responsible for GPOs.


Once AGPM is installed, the AGPM administrator logs on and creates the other delegations. At this point you should grant full control over AGPM to at least one additional user account; several accounts should hold this level of privilege so that administrators do not use the original AGPM administrator account on a day-to-day basis.
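The two accounts described above can be provisioned before the AGPM installer asks for them. The following PowerShell script is an added example, not code from the original article or from AGPM itself: it creates the dedicated service account and the dedicated AGPM administrator account, adds the service account to Group Policy Creator Owners as the text describes, and then reports each account's membership in Group Policy Creator Owners and Domain Admins so you can confirm the result. It assumes the ActiveDirectory module; the OU path and the administrator account name "agpmadmin" are assumptions (the service account name agpmservice is the one the article uses). Passwords are read from the operator as SecureStrings so that nothing is stored in the script.

```powershell
# Added example (not from the original article): provision the dedicated AGPM accounts
# and verify their group membership. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$ou         = 'OU=Service Accounts,DC=contoso,DC=com'   # assumed OU; adjust for your domain
$serviceSam = 'agpmservice'                             # service account name used in the article
$adminSam   = 'agpmadmin'                               # assumed name for the dedicated AGPM administrator
$upnSuffix  = (Get-ADDomain).DNSRoot

function New-AgpmAccount {
    param([string]$Sam, [string]$Description)
    # Create the account only if it does not already exist; never reset an existing password here.
    if (Get-ADUser -Filter "SamAccountName -eq '$Sam'") {
        Write-Warning "$Sam already exists; leaving it unchanged"
        return
    }
    $password = Read-Host -AsSecureString -Prompt "Password for $Sam (from your password vault)"
    New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName "$Sam@$upnSuffix" `
        -Path $ou -Description $Description -AccountPassword $password -Enabled $true
}

function Test-AgpmAccountMembership {
    # Reports the two memberships that matter for this account model.
    param([string]$Sam)
    $groups = Get-ADPrincipalGroupMembership -Identity $Sam | Select-Object -ExpandProperty SamAccountName
    New-Object PSObject -Property @{
        Account         = $Sam
        GpCreatorOwners = [bool]($groups -contains 'Group Policy Creator Owners')
        DomainAdmins    = [bool]($groups -contains 'Domain Admins')
    }
}

New-AgpmAccount -Sam $serviceSam -Description 'AGPM service account; not for interactive logon'
New-AgpmAccount -Sam $adminSam   -Description 'Dedicated AGPM administrator; initial delegation only'

# The article: the service account creates production GPOs through Group Policy Creator Owners.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $serviceSam

Test-AgpmAccountMembership -Sam $serviceSam
Test-AgpmAccountMembership -Sam $adminSam
```

The membership report is the check to keep: the service account should show GpCreatorOwners as True, and DomainAdmins should be True for either account only if you have decided that deliberately, since the AGPM administrator's "full control" is an AGPM role granted inside the tool, not a Domain Admins membership.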
