返回
-
标题
Compliance Error Importing Settings To Object When Deploying Changes To GPO. -
说明
The following error is seen when deploying changes to a GPO:
GPOADmin service account is not member of domain admins group and permissions have been delegated to this service account as per our minimum permissions online documentation. -
原因
There are certain environments in which GPOADmin service account requires Delete Subtree advanced permission as noted on step number 15 from our minimum permissions online documentation. -
解决办法
Grant GPOADmin service account Delete Subtree advanced permission. You may do this by trying the following:
1- Open Group Policy Management Console (GPMC).
2- In GPMC, expand Forest, then Domain and expand Group Policy Objects.
3- Click on the group policy in which you want to grant the service account the permission and go to the delegation tab.
4- Click Advanced, and click Advanced again.
5- Click Add and click select a principal.
6- Find GPOADmin service account and click ok.
7- On Type select Allow and on Applies to select This object and all descendant objects.
8- Select Delete Subtree and click ok.
The above step needs to be repeated on each GPO that GPOADmin will manage.
If your environment is large with hundreds or thousands of group policies, then instead of the manual process described above you may try one of the following PowerShell scripts to automate this step.
Set_DeleteSubtree_AllGPOs.ps1
Run this script if you want to grant your GPOADmin service account Delete Subtree advanced permission to all group policies from your environment. To use this script you must provide the domain name for the domain where the permissions are being set. When using a GMSA this must be the domain where the service account is located as GMSAs cannot cross domains. The initial import-module may need to be altered if GPOADmin is not installed to the "C:\" drive.
Script Usage: Set_DeleteSubtree_AllGPOs.ps1 -DOMAINNAME <Domain FQDN>
SetAddPermDeleteTree.ps1
Run this script if you want to grant your GPOADmin service account Delete Subtree advanced permissions only to a few group policies in your environment and not all. For example there are GPOs which their name starts with Desktop-, and there are other GPOs which their name starts with HR-, but if you only want to grant this permission only on the GPOs in which name starts with Desktop-, then only specify Desktop- in the -ObjectFilter variable.
Script Usage: SetAddPermDeleteTree.ps1 -ObjectFilter 'Server-*' -Account 'domain\userorgroup' -DomainDN 'DC=Domain,DC=COM'
Attached you may find both scripts, so that you may use the one that best works for your environment.
Script Disclaimer:
The information in the script(s) provided is known to work successfully; however, they have not been officially tested by Quest Software Quality Control. If any of these instructions are changed and/or incorrectly used, intentionally or unintentionally, this solution becomes unsupported by Quest Software Support and Development.
-
附件