What security permissions are required to be able to perform the various tasks in NetIQ Group Policy (NETIQKB4406)

Document ID:7704406
Creation Date:02-Feb-2007
Modified Date:14-Nov-2007
- Micro Focus Products:
  Group Policy Administrator

Resolution

Goal

What security permissions are required to be able to perform the various tasks in NetIQ Group Policy Administrator?

Fact

NetIQ Group Policy Administrator 2.0
NetIQ Group Policy Administrator 3.0
NetIQ Group Policy Administrator 4.x
NetIQ Group Policy Administrator 5.0
NetIQ Group Policy Administrator 5.0 SP1

Fix

NetIQ Group Policy Administrator Tasks	Security Requirement
Administrator
Launch snap-in View GPO	NetIQ GPA uses the current user account to connect to the domain. To use another user account for the connection: · Save the NetIQ GPA snap-in as an MMC console. · Right-click on the console file. · Select the Run As option. Every user account is a member of 'Authenticated Users' by default; therefore, the system will display all GPOs that have 'Read' permission set for the current user/authenticated user account.
Create GPO	User account must be a member of one of the following: · Domain Administrator · Enterprise Administrator · Group Policy Creator Owner group
Delete GPO	User account must have Delete all child objects setting on the GPO
Search GPO	Result of the search displays only those GPOs that have the 'Read' permission set for the current user account
Backup GPO	User account must have 'Read' permissions on the GPOs and the SDOU associated with it.
Restore GPO	User account must be a member of one of the following: · Domain Administrator · Enterprise Administrator · Group Policy Creator Owner group
Link GPO to OU Modify security filters	Domain Administrator and Enterprise Administrator accounts have permission to modify OU links and security filters. Other user accounts must have 'Delegated' permission. To assign 'Delegated' permission, use the Delegation of Control wizard in the Active Directory Users and Computers snap-in.
Copy/Paste/Merge/Import GPO	User account must be a member of one of the following: · Domain Administrator · Enterprise Administrator · Group Policy Creator Owner group
GPO report	User account must have "Read" permission to the GPOs.
Replicate GPO	User account must have the following permissions for each of the four replication categories: · Direct Intraforest ? Domain Administrator permission · Indirect Intraforest ? Enterprise Administrator permission · Direct Interforest ? Domain Administrator permission · Indirect Interforest ? Enterprise Administrator permission
Policy Planning & Analysis
Perform RSoP	User account must be a member of one of the following: · Domain Administrator · Enterprise Administrator · Group Policy Creator Owner group User account must have 'Read' permission to all GPOs and SDOU hierarchies.
Policy Auditing & Diagnostics
Launch snap-in	User account must have 'Read' permission to the GPOs on the domain.
Perform remote diagnostics	User account that runs remote diagnostics must have local 'Administrator' rights on that remote machine.
Perform Offline Diagnostics	User account that imports the resultant .dgn file must have 'Read' permission to all GPOs and SDOU hierarchies.
Perform Client-Side Auditing	User account must have "Read" permission to the registry on the remote machine.

Additional Information

Formerly known as NETIQKB4406