Resolution
Goal
What security permissions are required to be able to perform the various tasks in NetIQ Group Policy Administrator?
Fact
NetIQ Group Policy Administrator 2.0
NetIQ Group Policy Administrator 3.0
NetIQ Group Policy Administrator 4.x
NetIQ Group Policy Administrator 5.0
NetIQ Group Policy Administrator 5.0 SP1
Fix
Administrator

NetIQ Group Policy Administrator Task | Security Requirement
--- | ---
Launch snap-in | NetIQ GPA uses the current user account to connect to the domain. To use another user account for the connection: (1) save the NetIQ GPA snap-in as an MMC console; (2) right-click the console file; (3) select the Run As option. Every user account is a member of 'Authenticated Users' by default; therefore, the system displays all GPOs that have 'Read' permission set for the current user account or for Authenticated Users.
Create GPO | User account must be a member of one of the following: Domain Administrator, Enterprise Administrator, or the Group Policy Creator Owner group.
Delete GPO | User account must have the 'Delete all child objects' setting on the GPO.
Search GPO | The search result displays only those GPOs that have the 'Read' permission set for the current user account.
Backup GPO | User account must have 'Read' permission on the GPOs and on the SDOU associated with each of them.
Restore GPO | User account must be a member of one of the following: Domain Administrator, Enterprise Administrator, or the Group Policy Creator Owner group.
Link GPO to OU | Domain Administrator and Enterprise Administrator accounts have permission to modify OU links and security filters. Other user accounts must have 'Delegated' permission. To assign 'Delegated' permission, use the Delegation of Control wizard in the Active Directory Users and Computers snap-in.
Copy/Paste/Merge/Import GPO | User account must be a member of one of the following: Domain Administrator, Enterprise Administrator, or the Group Policy Creator Owner group.
GPO report | User account must have 'Read' permission to the GPOs.
Replicate GPO | User account must have the following permission for each of the four replication categories: Direct Intraforest: Domain Administrator; Indirect Intraforest: Enterprise Administrator; Direct Interforest: Domain Administrator; Indirect Interforest: Enterprise Administrator.

Policy Planning & Analysis

NetIQ Group Policy Administrator Task | Security Requirement
--- | ---
Perform RSoP | User account must be a member of one of the following: Domain Administrator, Enterprise Administrator, or the Group Policy Creator Owner group. In addition, the user account must have 'Read' permission to all GPOs and SDOU hierarchies.

Policy Auditing & Diagnostics

NetIQ Group Policy Administrator Task | Security Requirement
--- | ---
Launch snap-in | User account must have 'Read' permission to the GPOs in the domain.
Perform remote diagnostics | The user account that runs remote diagnostics must have local 'Administrator' rights on the remote machine.
Perform Offline Diagnostics | The user account that imports the resulting .dgn file must have 'Read' permission to all GPOs and SDOU hierarchies.
Perform Client-Side Auditing | User account must have 'Read' permission to the registry on the remote machine.
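The table above lists the prerequisites per task but gives no way to verify them before a delegated operator is handed the console. The following PowerShell script is an added example, not part of the NetIQ article and not NetIQ code: it checks whether an account holds one of the three memberships required for Create/Restore/Copy/Import/RSoP, and which GPOs the console would display for it, using the article's rule that a GPO is visible when it grants 'Read' to the account, to one of its groups, or to Authenticated Users. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, that the script runs against a single-domain forest (so 'Enterprise Admins' resolves in the current domain), and that the account name 'gpa-operator' and the console path in the comment are placeholders.

```powershell
# Added example (not from the NetIQ article): audit an account against the
# membership and Read requirements in the table before delegating GPA tasks.
# Assumes RSAT ActiveDirectory + GroupPolicy modules and a single-domain forest.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Groups the article names for Create / Restore / Copy-Paste-Merge-Import / RSoP.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Group Policy Creator Owners'

# Well-known SID for Authenticated Users, which every logged-on account holds.
$AuthenticatedUsersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

function Get-TransitiveGroupSids {
    # Returns the user's own SID plus the SIDs of every group it belongs to,
    # directly or through nesting (LDAP_MATCHING_RULE_IN_CHAIN on 'member').
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user   = Get-ADUser -Identity $SamAccountName
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    @($user.SID) + @($groups | ForEach-Object { $_.SID })
}

function Test-GpaTaskReadiness {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $sids = Get-TransitiveGroupSids -SamAccountName $SamAccountName
    $sids += $AuthenticatedUsersSid

    # Membership check for the tasks that require one of the three groups.
    $privilegedVia = foreach ($g in $PrivilegedGroups) {
        $grp = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
        if ($grp -and ($sids -contains $grp.SID)) { $g }
    }

    # Read-visibility check: GPO permission levels that include Read.
    # GpoCustom is deliberately not counted; inspect those ACLs by hand.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $readable = foreach ($gpo in Get-GPO -All) {
        $aces = Get-GPPermission -Guid $gpo.Id -All
        $hit  = $aces | Where-Object {
            ($sids -contains $_.Trustee.Sid) -and ($readLevels -contains $_.Permission.ToString())
        }
        if ($hit) { $gpo.DisplayName }
    }

    [pscustomobject]@{
        User                 = $SamAccountName
        MeetsGroupRequirement = [bool]$privilegedVia   # Create/Restore/Copy/Import/RSoP
        PrivilegedVia        = @($privilegedVia)
        ReadableGpos         = @($readable)           # what the console will show
        ReadableGpoCount     = @($readable).Count
    }
}

# Usage for a placeholder delegated operator account:
# Test-GpaTaskReadiness -SamAccountName 'gpa-operator' | Format-List
#
# Launching a saved GPA console under that account, as the table's Run As
# step describes (placeholder path):
# runas /user:CONTOSO\gpa-operator "mmc C:\Consoles\gpa.msc"
```

The membership test deliberately resolves nested groups, since a user placed in Group Policy Creator Owners through an intermediate group still meets the requirement; the visibility test compares SIDs rather than trustee names so that renamed groups and the Authenticated Users well-known principal are matched reliably. An account that shows `MeetsGroupRequirement` false but a non-empty `ReadableGpos` list can run Backup, Search and GPO report but not Create or Restore, which is the least-privilege split the table implies.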