How can I allow a GPA user to export GPOs to AD without giving them permissions to create GPOs nativ (NETIQKB55380)

  • Document ID:7755380
  • Creation Date:02-Feb-2007
  • Modified Date:29-Nov-2007
    • Micro Focus Products:
      Group Policy Administrator

Resolution

goal
How can I allow a GPA user to export GPOs to AD without giving them permissions to create GPOs natively?

goal
How do I enable the Export Override feature of Group Policy Administrator?

fact
NetIQ Group Policy Administrator 4.x

fact
NetIQ Group Policy Administrator 5.0

fix

You can configure GPA to allow users to export GPOs from the GP Repository to AD without giving users permissions in AD to create GPOs. To export GPOs to AD without permissions to create GPOs in AD, configure an Export Override account for the domain where you want to export GPOs. The Export Overrride account is a service account with Group Policy Creator Owner permissions in the domain where you want to export GPOs. You must create the Export Override account before you can configure GPA to use this account for exporting GPOs.

To create the Export Override account:

  1. Using an account with domain administrator privileges, log on to the domain into which you need to export GPOs from GPA.
  2. Create a user account with a name that describes its function, such as GPO Export Override.
  3. Add this account to the Group Policy Creator Owners group.
  4. Add this account to the Domain Admins group.
  5. If necessary, repeat these steps for each domain where you want to use an Export Override account.

To configure GPA to use the Export Override account:

  1. Log onto the GPA Console computer with an account that you have assigned the GPA Security Manager role for the GP Repository domain you want to configure with an Export Override account.
  2. Start the GPA Console in the Group Policy Administration program folder.
  3. In left pane, expand GP Repository and select the domain you want to configure to use the Export Override account.
  4. On the Action menu, click Properties.
  5. On the Export Override Account tab, select the Use export override check box.
  6. In the User field, type or browse to the service account you want to use.
  7. In the Password, field type the password for the account, and then confirm the password in the Confirm Password field.
  8. Click OK.

The next time a GPA user with the GPO Exporter role exports a GPO to this domain, GPA will use the Export Override account rather than the credentials of the logged on user to perform the export.



Additional Information

Formerly known as NETIQKB55380