1 |
3 |
Create the Group Managed Service Account for GPOADmin using the New-ADServiceAccount PowerShell command. For more details, see https://docs.microsoft.com/en-us/powershell/module/activedirectory/new-adserviceaccount?view=windowsserver2019-ps. |
6 |
Follow the Minimum permissions required for the service accounts and replace the service account with the group the GMSA member of create in step 4. |
2 |
Grant this account Log on as a Service on the computer where GPOADmin is installed. |
3 |
Grant the service account Full Control to the installation directory. |
| |||||||||||||||||||||||||||
| |||||||||||||||||||||||||||
|
6 |
Grant the service account Full Control on each WMI Filter that will be managed by GPOADmin. |
7 |
Using GPMC, delegate Link GPOs to the service account on the Site and Domain level (or even on the OU level depending on where GPOADmin is required to manage GPOs), for This container and all child containers, if child containers are needed. |
8 |
For the service account to run RSoP reports, the Read Group Policy Results data right must be granted. Using GPMC, delegate Read Group Policy Results Data to the service account on the Domain level (or even on the OU level, depending on where GPOADmin is required to perform the RSoP analysis), for This container and all child containers, if child containers are needed. |
9 |
Using GPMC, delegate Create GPOs to the service account on the Group Policy Objects Level. |
10 |
Using GPMC, delegate Edit settings, Delete, and Modify security to the service account for each existing GPO that will be managed by GPOADmin using GPMC. |
11 |
For each GPO managed by GPOADmin, verify that the service account has direct ownership of the GPO on the Owner tab of the Advanced Security Settings dialog box. |
2 |
3 |
4 |
Click Change at the top of the Advanced Security Settings page and select the service account. |
5 |
Click OK three times. |
2 |
Right-click and select Properties. |
3 |
5 |
6 |
Click OK three times. |
b |
c |
d |
• |
• |
e |
f |
• |
g |
Click OK to close the Permission Entry for Partitions dialog. |
h |
Click OK to close the Advanced Security Settings for Partitions dialog. |
i |
Click OK to close the CN=Partitions Properties dialog. |
a |
Open Command Prompt and type: ntdsutil. |
b |
At the ntdsutil command prompt, type: partition management. |
c |
d |
At the server connections command prompt, type: connect to server ServerName. |
f |
At the partition management command prompt, type the following: create nc dc=staging,dc=gpoadmin DomainController. |
b |
Right-click the object with the Directory Partition Name "DC=Staging,DC=GPOADmin" and select New Connection to Naming Context. |
c |
Select the DC=Staging,DC=GPOADmin context in the left pane. |
d |
e |
f |
• |
• |
g |
h |
• |
i |
Click OK to close the Permission Entry for Staging dialog. |
j |
Click OK to close the Advanced Security Settings for Staging dialog. |
k |
Click OK to close the DC=Staging,DC=GPOADmin Properties dialog. |
22 |
Once the product has been configured, connect to the GPOADmin console using the service account. Configure any additional administrators and users (trustees) that will connect to the product by right- clicking the connected domain and selecting Options and then Access. Delegate any roles required by these users through the Version Control Root properties, or any registered OU/GPO within the Version Control Root as necessary. |
23 |
24 |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ |
| ||
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ |
|
25 |
Open GPMC and add the GPOADmin service account to the Delegations tab for Starter GPOs. |
To register an application with the required permissions:
3 |
5 |
Click Register. |
6 |
7 |
Under Certificates, select Upload certificate. You will need this when you configure Intune in the Version Control properties. |
8 |
a |
b |
Select Application permissions. |
c |
Under All APIs, select Device Management Configuration, and enable DeviceManagementConfiguration.ReadWrite.All. |
d |
Under APIs my organization uses, select Microsoft Graph | Application permissions | Group and enable Group.ReadWrite.All. |
9 |
1 |
In the Microsoft Endpoint Manager admin center, select Tenant administration | Roles | All roles. |
3 |
4 |
On the Permissions page, select Device configurations, click Yes for Read and Update (and Assign if you want to allow users to edit Intune object assignments), and click Next. |
5 |
On the Scope tags page, click Next to move to the Review + Create page. |
6 |
Review your settings and click Create. |
3 |
NOTE: Database Creator’s right is only required for the initial creation of the GPOADmin_Backups database. If the database has been pre-created (see Configuring the GPOADmin Server ) by your DB Administrators team then only the following database roles and permissions are required by the GPOADmin service account to access and update the Database: db_datareader, db_datawriter: Permissions to Execute the following GPOADmin stored procedures: quest_qgpm_add_group_to_role quest_qgpm_domainid_pr quest_qgpm_gpoid_pr quest_qgpm_insbackup_p |
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center