What security permissions are required to be able to perform the various tasks in NetIQ Group Policy (NETIQKB4406)

  • 7704406
  • 02-Feb-2007
  • 14-Nov-2007

Resolution

Goal

What security permissions are required to be able to perform the various tasks in NetIQ Group Policy Administrator?

Fact

NetIQ Group Policy Administrator 2.0
NetIQ Group Policy Administrator 3.0
NetIQ Group Policy Administrator 4.x
NetIQ Group Policy Administrator 5.0
NetIQ Group Policy Administrator 5.0 SP1

Fix

NetIQ Group Policy Administrator Tasks and Security Requirements

Administrator

Task: Launch snap-in; View GPO

Security requirement: NetIQ GPA uses the current user account to connect to the domain. To use another user account for the connection:

· Save the NetIQ GPA snap-in as an MMC console.

· Right-click on the console file.

· Select the Run As option.

Every user account is a member of 'Authenticated Users' by default; therefore, the system displays all GPOs that have 'Read' permission set for the current user or the Authenticated Users account.

Task: Create GPO

Security requirement: User account must be a member of one of the following:

· Domain Administrator

· Enterprise Administrator

· Group Policy Creator Owner group

Task: Delete GPO

Security requirement: User account must have the 'Delete all child objects' setting on the GPO.

Task: Search GPO

Security requirement: The search result displays only those GPOs that have the 'Read' permission set for the current user account.

Task: Backup GPO

Security requirement: User account must have 'Read' permission on the GPOs and on the SDOU associated with them.

Task: Restore GPO

Security requirement: User account must be a member of one of the following:

· Domain Administrator

· Enterprise Administrator

· Group Policy Creator Owner group

Task: Link GPO to OU; Modify security filters

Security requirement: Domain Administrator and Enterprise Administrator accounts have permission to modify OU links and security filters. Other user accounts must have 'Delegated' permission. To assign 'Delegated' permission, use the Delegation of Control wizard in the Active Directory Users and Computers snap-in.

Task: Copy/Paste/Merge/Import GPO

Security requirement: User account must be a member of one of the following:

· Domain Administrator

· Enterprise Administrator

· Group Policy Creator Owner group

Task: GPO report

Security requirement: User account must have 'Read' permission on the GPOs.

Task: Replicate GPO

Security requirement: User account must have the following permission for each of the four replication categories:

· Direct Intraforest: Domain Administrator permission

· Indirect Intraforest: Enterprise Administrator permission

· Direct Interforest: Domain Administrator permission

· Indirect Interforest: Enterprise Administrator permission

Policy Planning & Analysis

Task: Perform RSoP

Security requirement: User account must be a member of one of the following:

· Domain Administrator

· Enterprise Administrator

· Group Policy Creator Owner group

In addition, the user account must have 'Read' permission on all GPOs and SDOU hierarchies.

Policy Auditing & Diagnostics

Task: Launch snap-in

Security requirement: User account must have 'Read' permission on the GPOs in the domain.

Task: Perform remote diagnostics

Security requirement: The user account that runs remote diagnostics must have local 'Administrator' rights on the remote machine.

Task: Perform Offline Diagnostics

Security requirement: The user account that imports the resulting .dgn file must have 'Read' permission on all GPOs and SDOU hierarchies.

Task: Perform Client-Side Auditing

Security requirement: User account must have 'Read' permission on the registry of the remote machine.
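The following script is an added example, not part of this NetIQ article and not NetIQ code: it reports which of the permission levels in the table above a given account holds (membership in the three privileged groups, and per-GPO Read/Edit/Delete rights including those granted through 'Authenticated Users'), so an administrator can confirm in advance which GPA tasks the account will be able to perform. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the function name and its -SamAccountName parameter are the example's own.

```powershell
# Added example (not from the NetIQ KB): audit an account against the GPA
# permission levels listed above. Requires RSAT (ActiveDirectory, GroupPolicy).
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpaPermissionSummary {
    param([Parameter(Mandatory)][string]$SamAccountName)   # account to audit (example parameter)

    # 1. Group memberships the article keys Create/Restore/Copy/RSoP on.
    $privileged = @('Domain Admins', 'Enterprise Admins', 'Group Policy Creator Owners')
    $membership = foreach ($g in $privileged) {
        # -Recursive resolves nested groups. Enterprise Admins exists only in the
        # forest root domain, so the lookup is allowed to fail in a child domain.
        $members = try { Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop } catch { @() }
        [pscustomobject]@{
            Group    = $g
            IsMember = [bool]($members | Where-Object SamAccountName -eq $SamAccountName)
        }
    }

    # 2. Per-GPO rights: explicit entries for the user plus 'Authenticated Users',
    #    which (as the article notes) gives every account Read by default.
    $trustees = @($SamAccountName, 'Authenticated Users')
    $gpoRights = foreach ($gpo in Get-GPO -All) {
        $aces = Get-GPPermission -Guid $gpo.Id -All |
                Where-Object { $_.Trustee.Name -in $trustees -and -not $_.Denied }
        [pscustomobject]@{
            Gpo       = $gpo.DisplayName
            CanRead   = [bool]$aces                                   # any allow ACE implies Read
            CanEdit   = [bool]($aces | Where-Object Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity')
            # GPMC's Edit/Delete/Modify security level is the one that carries delete rights
            CanDelete = [bool]($aces | Where-Object Permission -eq 'GpoEditDeleteModifySecurity')
        }
    }

    [pscustomobject]@{
        Account         = $SamAccountName
        GroupMembership = $membership
        GpoRights       = $gpoRights
    }
}

# Usage (run as an account that can read AD group membership and GPO ACLs):
# $r = Get-GpaPermissionSummary -SamAccountName 'jdoe'
# $r.GroupMembership | Format-Table; $r.GpoRights | Format-Table
```

Rights inherited through other group memberships are not expanded here, so an account that reads a GPO only via a custom group shows CanRead as false; treat the output as a lower bound and compare it against the Delegated permissions set in Active Directory Users and Computers.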

Additional Information

Formerly known as NETIQKB4406