What permissions are required to import a GPO from backup

  • 7022583
  • 22-Jan-2018
  • 28-Feb-2018

Environment

NetIQ Group Policy Administrator 6.9.x

Situation

How to restore a GPO Backup into the NetIQ GPA Repository

What AD and GPA Repository permissions are needed to restore a GPO Backup into the NetIQ GPA Repository?

Resolution

Log on to the GPA Console as a member of the AD group GPA_REPOSITORY_MANAGEMENT. Once logged in to GPA, use the GPA Delegation wizard to create new security. The target user(s) will need at least the following powers assigned to a role:

  • Import GPO from AD
  • View Category
  • Checkout GPO
  • Create GPO

Within AD the end user will need at least the following rights:
  • FullArmor Container within AD
  1. List Contents
  2. Read All Properties
  3. Read Permissions
  • Sysvol Folder of the Managed Domain
  1. Traverse folder / execute file
  2. List folder / read data
  3. Read attributes
  4. Read extended attributes
  5. Read permissions

Within SQL the end user will need the following rights:

  • Public access to the GP_REPOSITORY_DB

Within the top level folder and all sub-folders used for the GPO backup the end user will need at least the following rights:

  1. Traverse folder / execute file
  2. List folder / read data
  3. Read attributes
  4. Read extended attributes
  5. Create files / write data
  6. Create folders / append data
  7. Read permissions
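
The following PowerShell function is an added example, not NetIQ code. It audits the backup folder and all sub-folders for the seven NTFS rights listed above, reporting rights that are missing and rights granted beyond the list. It assumes the identity is named directly in the ACL: group membership is not resolved and ACEs that use generic rights are not expanded. The function name, path and account name are placeholders.

```powershell
# Added example: audit one identity's NTFS ACEs on a GPO backup folder tree.
function Test-GpoBackupFolderRights {
    param(
        [Parameter(Mandatory)] [string] $Path,      # top-level GPO backup folder
        [Parameter(Mandatory)] [string] $Identity   # e.g. 'EXAMPLE\gpa-import' (constructed name)
    )

    # The seven rights from the article, expressed as FileSystemRights flags.
    $required = [int][System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, CreateFiles, CreateDirectories, ReadPermissions'
    # Synchronize normally accompanies any Allow ACE, so it is not counted as excess.
    $ignore = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # The article requires the rights on the top-level folder and every sub-folder.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Recurse)

    foreach ($folder in $folders) {
        $allow = 0
        $deny = 0
        foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
            # Only ACEs that name the identity directly are considered (assumption).
            if ($ace.IdentityReference.Value -ne $Identity) { continue }
            # Inherit-only ACEs apply to children, not to this folder.
            if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($ace.AccessControlType -eq 'Allow') {
                $allow = $allow -bor [int]$ace.FileSystemRights
            } else {
                $deny = $deny -bor [int]$ace.FileSystemRights
            }
        }

        $granted = $allow -band (-bnot $deny)            # Deny overrides Allow
        $missing = $required -band (-bnot $granted)
        $excess  = $granted -band (-bnot ($required -bor $ignore))

        [pscustomobject]@{
            Folder      = $folder.FullName
            HasRequired = ($missing -eq 0)
            Missing     = [System.Security.AccessControl.FileSystemRights]$missing
            Excess      = [System.Security.AccessControl.FileSystemRights]$excess
        }
    }
}

# Usage (placeholder path and account):
# Test-GpoBackupFolderRights -Path 'D:\GPOBackups' -Identity 'EXAMPLE\gpa-import' | Format-Table -AutoSize
```

A non-empty Excess column means the account holds more than the listed rights on that folder, for example Delete or Change permissions.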

Cause

When importing a GPO from backup, GPA treats this as an operation similar to GPO create. As such, the end user will require permissions similar to a GPO create operation.

Additional Information

The AD permissions listed are the default permissions assigned to the Domain Users AD group.