What permissions are required to import a GPO from backup

  • 7022583
  • 22-Jan-2018
  • 28-Feb-2018

Environment

NetIQ Group Policy Administrator 6.9.x

Situation

How to restore a GPO Backup into the NetIQ GPA Repository

What AD and GPA Repository permissions are needed to restore a GPO Backup into the NetIQ GPA Repository

Resolution

Logon to the GPA Console as a member of the AD Group GPA_REPOSITORY_MANAGEMENT. Once logged into GPA, use the GPA Delegation wizard to create new security. The target user(s) will need at least the following powers assigned to a role:

Import GPO from AD
View Category
Checkout GPO
Create GPO

Within AD the end user will need at least the following rights:
  • FullArmor Container within AD
  1. List Contents
  2. Read All Properties
  3. Read Permissions
  • Sysvol Folder of the Managed Domain
  1. Traverse folder / execute file
  2. List folder / read data
  3. Read attributes
  4. Read extended attributes
  5. Read permissions

Within SQL the end user will need the following rights:

  • Public access to the GP_REPOSITORY_DB

Within the top level folder and all sub-folders used for the GPO backup the end user will need at least the following rights:

  1. Traverse folder / execute file
  2. List folder / read data
  3. Read attributes
  4. Read extended attributes
  5. Create files / write data
  6. Create folders / append data
  7. Read permissions




Cause

When importing a GPO from backup, GPA treats this as an operation similar to GPO create. As such, the end user will require permissions similar to a GPO create operation

Additional Information

The AD permissions listed are the default permissions assigned to the Domain User's AD group.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.