-
Titolo
Minimum Permissions Required for the GPOADmin Service Account -
Descrizione
This article outlines the minimum permissions required for the GPOADmin Service Account.
-
Risoluzione
Due to the constantly changing architecture of GPOADmin, the minimum permissions guides will only be updated in the official documentation.
The latest Quick Start/Getting Started guide is attached to this article.
You can access the online documentation regarding minimum permissions required for the service account on the following link:https://support.quest.com/technical-documents/gpoadmin/5.21/quick-start-guide/4#TOPIC-2312367
The above is the manual process. Alternatively, you may also automate this process by running the GPOADmin.MinimumPermissions.ps1 and it will grant all permissions outlined in the above guide automatically.
IMPORTANT NOTE:
-Script will fail if run to grant a GMSA account permissions for cross-domain operations (manage GPOs for multiple CHILD or Trusted domains). In this case for cross-domain, the script won't fail if you use a regular service account instead of a GMSA account. A GMSA account only works perfectly fine if the script is run to provide permissions in the same domain where the GMSA exists.
-GPOADmin may be used to manage GPOs for multiple domains and it may, or may not work properly for cross-domain operations. Our best practice and recommendation is to setup a GPOADmin server per domain and you may access multiple GPOADmin servers from a single GPOADmin console. Said this, cross domain operation with a single GPOADmin console may work fine. However, is an scenario not recommended and therefore not supported.
This GPOADmin.MinimumPermissions.ps1 is located in the GPOADmin installation directory C:\Program Files\Quest\GPOADmin\Scripts
You may run this script directly from the GPOADmin server. Make sure Group Policy Management Console (GPMC) is installed in the GPADmin server. Otherwise, the below command will fail:
.\GPOADmin.MinimumPermissions.ps1 -ServiceAccount 'DOMAIN\userid' -Domain 'DOMAIN.FQDN.COM' -LDAPServer DC.FQDN.COM -Permissions 65535 -Report
From the above command replace the values from the parameters:
-ServiceAccount: Specify in DOMAIN\account format the GPOADmin service account (regular account or GMSA), or security group in which the service account is member of to grant all permissions.
-Domain: Specify the target domain.
-LDAPServer: It is recommended to specify your PDC here, or the domain controller set as "Preferred Domain Controller" in the GPOADmin console.
-Permissions: Specify the number that corresponds to the permission that you want to grant with this script. Please refer to the he last paragraph and screenshot of this KB, which provides a more detailed explanation of what values to use with this permission parameter.
For example:.jpg)
If you run it with the -Report parameter at the end it will not change permissions and will provide a list of permissions that the account that you specify in the command line have. You may run it this way if you are only interested to see the list of permissions the account have to see if a permission is missing or to confirm that all permissions were given to the account correctly.
If you run the command without the -Report parameter it will apply permissions automatically.
Basically, you may run the command first with the -Report parameter to view what permissions the service account currently have and then run it without the -Report parameter to grant the permissions. Or, simple run it without the -Report parameter to grant the permissions without viewing a report showing information about what permissions service account have as seen below. Note that the command does not have the -Report parameter at the end.
If you edit this script you will see the following list of permissions that this script provides. Please note that the number listed at the end of the command line is 65535, which means the script will grant the service account ALL Permissions as per list below. It is recommended to use this default value 65535 to add all permissions to make sure the service account gets all required permissions to work properly. However, if you want to grant just an specific permission assuming that the account have most of the permissions listed below, then you may replace the permission value in the command line with the number from the below list that corresponds to the permission that you want to grant specifically: -
Allegati