1. Approving
Only users who have been granted the Approver permission can perform some of the more advanced actions in AGPM. Creating a new GPO and deploying a GPO to the production environment are both examples of tasks that require the Approver permission, as is approving a pending GPO, shown in Figure 1.
To set up the Approver permission for a group in AGPM, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Select the Change Control node.
3. Select the Controlled tab, located on the Contents tab in the details pane.
4. Select the GPO for which you want to set up delegation.
5. If the user or group is already listed as having the specified archive permissions for the selected GPO list, select the group or user for which you are setting up delegation. Then click Advanced to open the Permissions dialog box. Select the group or user name in the Group Or User Names list, and then select the Approver check box in the Allow column.
6. To add members, click Add, and then select the user or group in the Select User, Computer, or Group dialog box, setting up the Approver delegation after adding the object.
7. To remove a member, select the member, and then click Remove.
When you select the Approver check box, the Reviewer check box is also selected because it is a required permission for approving GPOs in AGPM. The Approver permission includes:
Create GPO
List Contents
Read Settings
Delete GPO
Deploy GPO
After a user has been granted the Approver permission, his or her level of control over GPOs depends on whether the permission was granted at the domain level or the individual GPO level. If granted at the domain level, under the Domain Delegation tab, the user can approve any GPO that is brought into AGPM.
2. Reviewing
One of the benefits of AGPM is the ability to provide users with the option to see the settings in the GPOs, but not alter them in any way. Individuals such as managers, IT administrators (not related to Group Policy), and Help desk personnel can see the GPO settings and even compare two GPOs by using difference reporting.
Note: To compare two GPOs, or to compare a GPO to a template, using difference reporting in AGPM, a user must be granted permissions over all GPOs being compared in the report. If the Reviewer permission has been granted at the domain level, permissions are automatically granted to GPOs that are controlled in the domain.
To set up Reviewer privileges for a group in AGPM, follow these steps:
1. In the GPMC, expand the forest node, and then expand the domain node.
2. Select the Change Control node.
3. Select the Controlled tab, located on the Contents tab in the details pane.
4. Select the GPO for which you want to set up delegation.
5. If the user or group is already listed as having the specified archive permissions for the selected GPO list, select the group or user for which you are setting up delegation. Then click Advanced to open the Permissions dialog box. Select the group or user name in the Group Or User Names list, and then select the Reviewer check box in the Allow column.
6. To add members, click Add, and then select the user or group in the Select User, Computer, or Group dialog box, setting up the Reviewer delegation after adding the object.
7. To remove a member, select the member, and then click Remove.
A user granted these permissions will be able to view the following, as shown in Figure 2:
Settings report
Difference report
GPO history
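
The delegation rules from both sections (Approver also selects Reviewer, a domain-level grant reaches every controlled GPO, and a difference report needs permissions on all GPOs compared) can be checked against an inventory of grants. The following is an added example, not part of AGPM or the original page: the grant list, account names, GPO names, and function names are hypothetical, and it assumes Reviewer corresponds to List Contents and Read Settings and that a difference report requires Read Settings.

```python
# Added illustration of the delegation rules described on this page.
# The data layout and every name below are hypothetical, not an AGPM API.

APPROVER = {"Create GPO", "List Contents", "Read Settings", "Delete GPO", "Deploy GPO"}
# Assumption: Reviewer is the read-only subset of the Approver list above.
REVIEWER = {"List Contents", "Read Settings"}
# Selecting Approver also selects Reviewer, so the Approver role carries both.
ROLES = {"Approver": APPROVER | REVIEWER, "Reviewer": REVIEWER}

# Constructed sample: (principal, role, scope); scope is "DOMAIN" or a GPO name.
GRANTS = [
    ("CORP\\GPO-Approvers", "Approver", "DOMAIN"),
    ("CORP\\HelpDesk", "Reviewer", "Desktop Lockdown"),
    ("CORP\\HelpDesk", "Reviewer", "Browser Baseline"),
    ("CORP\\jsmith", "Approver", "Browser Baseline"),
]
CONTROLLED_GPOS = ["Desktop Lockdown", "Browser Baseline", "Server Hardening"]


def effective_permissions(principal, gpo, grants=GRANTS):
    """Union of permissions from domain-level grants and grants on this GPO."""
    perms = set()
    for who, role, scope in grants:
        if who == principal and scope in ("DOMAIN", gpo):
            perms |= ROLES[role]
    return perms


def can_run_difference_report(principal, gpos, grants=GRANTS):
    """Assumed rule: the report needs Read Settings on every GPO compared."""
    return all("Read Settings" in effective_permissions(principal, g, grants)
               for g in gpos)


def domain_wide_approvers(grants=GRANTS):
    """Principals able to approve any controlled GPO; review these first."""
    return sorted({who for who, role, scope in grants
                   if role == "Approver" and scope == "DOMAIN"})


def deployers(gpo, grants=GRANTS):
    """Everyone who can deploy this GPO to production, via either scope."""
    principals = {who for who, _, _ in grants}
    return sorted(p for p in principals
                  if "Deploy GPO" in effective_permissions(p, gpo, grants))


if __name__ == "__main__":
    print("Domain-wide approvers:", domain_wide_approvers())
    for name in CONTROLLED_GPOS:
        print(f"{name}: deploy rights held by {deployers(name)}")
```

Running `deployers` for each controlled GPO gives a per-GPO list to compare against the accounts that are actually expected to push changes to production.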