Environment
NetIQ Group Policy Administrator 6.9.x
Situation
How to restore a GPO Backup into the NetIQ GPA Repository
What AD and GPA Repository permissions are needed to restore a GPO Backup into the NetIQ GPA Repository
Resolution
Log on to the GPA Console as a member of the AD Group GPA_REPOSITORY_MANAGEMENT. Once logged in to GPA, use the GPA Delegation wizard to create new security. The target user(s) will need at least the following powers assigned to a role:
- Import GPO from AD
- View Category
- Checkout GPO
- Create GPO
Within AD the end user will need at least the following rights:
- FullArmor Container within AD
  - List Contents
  - Read All Properties
  - Read Permissions
- Sysvol Folder of the Managed Domain
  - Traverse folder / execute file
  - List folder / read data
  - Read attributes
  - Read extended attributes
  - Read permissions
Within SQL the end user will need the following rights:
- Public access to the GP_REPOSITORY_DB
Within the top level folder and all sub-folders used for the GPO backup the end user will need at least the following rights:
- Traverse folder / execute file
- List folder / read data
- Read attributes
- Read extended attributes
- Create files / write data
- Create folders / append data
- Read permissions
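One way to confirm the backup folder rights listed above before attempting a restore, as an added PowerShell example that is not NetIQ code. The folder path and account name are hypothetical, and group membership is not resolved, so any groups the account relies on must be passed in explicitly.

```powershell
# Added example: reports backup folders where the restoring account lacks a required right.
# $BackupRoot and $Identities are hypothetical values; replace them with your own.
param(
    [string]$BackupRoot = 'D:\GPOBackups',
    # The restoring account plus the groups it belongs to (membership is not resolved here).
    [string[]]$Identities = @('CONTOSO\gpa-restore')
)

# The seven NTFS rights from the list above, expressed as FileSystemRights flags.
$names = 'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ' +
         'CreateFiles, CreateDirectories, ReadPermissions'
$required = [int][System.Security.AccessControl.FileSystemRights]$names
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# The top-level folder and every sub-folder must carry the rights.
$folders = @(Get-Item -LiteralPath $BackupRoot) +
           @(Get-ChildItem -LiteralPath $BackupRoot -Directory -Recurse)

$report = foreach ($folder in $folders) {
    $allow = 0
    $deny  = 0
    foreach ($ace in (Get-Acl -LiteralPath $folder.FullName).Access) {
        if ($Identities -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only entries apply to children, not to this folder itself.
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$ace.FileSystemRights
        } else {
            $deny = $deny -bor [int]$ace.FileSystemRights
        }
    }
    # A deny entry overrides an allow entry for the same right.
    # Generic rights (GENERIC_READ and similar) are not expanded by this check.
    $effective = $allow -band (-bnot $deny)
    $missing   = $required -band (-bnot $effective)
    [pscustomobject]@{
        Folder  = $folder.FullName
        Missing = [System.Security.AccessControl.FileSystemRights]$missing
        Ok      = ($missing -eq 0)
    }
}

# Show only folders that would block the restore.
$report | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

An empty result means every folder grants the listed rights to the supplied identities.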
Cause
When importing a GPO from backup, GPA treats this as an operation similar to GPO create. As such, the end user will require permissions similar to a GPO create operation.
Additional Information
The AD permissions listed are the default permissions assigned to the Domain Users AD group.