Windows Server 2008 and Windows Vista : Security Delegation for Administration of GPOs - Default Security Environment

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019

1. Default Security of the GPMC

The default security configuration for administering Group Policy in Windows Server 2008 is similar to that in Microsoft Windows Server 2003. Of course, the changes from Microsoft Windows 2000 Server to Windows Server 2003 were substantial, because the GPMC was introduced with Windows Server 2003. The GPMC introduced a totally new set of delegations and methods of delegating administration over Group Policy management.

The GPMC is installed on a Windows Server 2008 domain controller by default with some default security delegation that existed in Windows Server 2003.

The default security for administration of Group Policy is divided into six categories:

  • Create GPOs

  • Link GPOs

  • Edit, delete, and modify security of GPOs

  • Edit GPOs (only)

  • Model GPOs

  • Perform Resultant Set of Policy (RSoP) of GPOs

For each of these delegations, Setup configures the default settings when it installs Active Directory directory service. Table 1 lists the default permissions for each of the delegations in the GPMC.

Table 1. Default Delegations in the GPMC
DelegationPermissionUser or Group
Create GPOsCreate GPO in the domainDomain Admins

Group Policy Creator Owners

Link GPOsLink GPO to specified node in Active Directory onlyAdministrators

Domain Admins

Enterprise Admins

Edit settings, delete, modify security of GPOsEdit GPO using GPME

Enable/Disable GPO and parts of GPO

Import Settings

Backup GPO

Restore from Backup

Link WMI Filters

Delete GPO

Modify Security Filtering

Modify Delegation on GPO
Domain Admins

Enterprise Admins

Edit GPOs (only)Edit GPO in GPME

Enable/Disable GPO and parts of GPO

Import Settings

Link WMI Filters
Perform Group Policy Modeling analysesModel GPOs for the specified Active Directory nodeAdministrators

Domain Admins

Enterprise Admins

Read Group Policy Results dataDetermine RSoP for the specified Active Directory nodeAdministrators

Domain Admins

Enterprise Admins

Read (from Security Filtering)View Settings Backup GPO to existing folderAuthenticated Users

As you can see, unless you are in the Group Policy Creator Owners group or have membership in the Domain Admins group, you do not have permission to manage Group Policy by default.

2. Default Security of AGPM

AGPM adds an additional, yet integrated, level of delegation to your Group Policy management. Remember, AGPM is not a mandatory tool—it just makes the administration of GPOs much easier and adds functionality that the GPMC does not provide.

When you install AGPM, no GPOs are automatically added to the AGPM server for management. This could cause some undesired results, so the inclusion (or controlling) of GPOs in AGPM is left up to the AGPM administrator.

Some distinct delegations are set up during the installation of AGPM that are carried out through the initial use of AGPM and control of GPOs. Only two user accounts are even given control within AGPM as a default.

The first user account, agpmservice, is not used for logging in and managing AGPM; rather, it is a service account that the AGPM service uses when it accesses the GPOs on the production domain controller. This account is in essence the “proxy” account that does all of the work when production GPOs are in any way touched by AGPM. This account has privileges over creating new GPOs and the GPOs that it creates through its inclusion in the Group Policy Creator Owners group and its explicit permissions to the GPOs in SYSVOL of the domain controllers. As you can see, a real administrator does not use this user account; it is just the service account used by AGPM, as shown in Figure 1.

Figure 1. The AGPM service uses a service account to connect to the domain controller and exchange information about the production GPOs.

The second user account used during installation will be used by a real administrator. This user account becomes the AGPM administrator and has full control over the AGPM environment, as shown in Figure 2. The AGPM administrator account can be an existing user account that will have full administrative privileges over all of AGPM, or it can be a dedicated AGPM administrator account used only for the initial setup of delegation in AGPM.

Figure 2. An AGPM administrator is determined at installation and is granted full control over AGPM for management and initial setup.

Best Practices

It is a best practice to use a dedicated user account when defining the AGPM administrator account during installation of AGPM. This simplifies administration and provides a more flexible delegation model for future configurations. If an existing user account, associated with an employee, is used, this account might not always be in control of GPOs, requiring the account to be changed when the user is no longer in charge of GPOs.

After you install AGPM, the AGPM administrator will log in and create the other delegations. At this time, you should configure another user account to have full control over the AGPM; multiple user accounts should have access to AGPM with this level of privilege so that administrators do not use the original AGPM administrator account on a regular basis.

  •  Programming WCF Services : Security - Intranet Application Scenario (part 7) - Identity Management, Callbacks
  •  Programming WCF Services : Security - Intranet Application Scenario (part 6) - Authorization
  •  Programming WCF Services : Security - Intranet Application Scenario (part 5) - Impersonation - Impersonating all operations, Restricting impersonation
  •  Programming WCF Services : Security - Intranet Application Scenario (part 4) - Impersonation - Manual impersonation , Declarative impersonation
  •  Programming WCF Services : Security - Intranet Application Scenario (part 3) - Identities, The Security Call Context
  •  Programming WCF Services : Security - Intranet Application Scenario (part 2) - Constraining Message Protection, Authentication
  •  Programming WCF Services : Security - Intranet Application Scenario (part 1) - Securing the Intranet Bindings
  •  Programming WCF Services : Security - Identity Management, Overall Policy, Scenario-Driven Approach
  •  Programming WCF Services : Security - Transfer Security
  •  Hidden Security Tools You Must Use
    Top 10
    Free Mobile And Desktop Apps For Accessing Restricted Websites
    MASERATI QUATTROPORTE; DIESEL : Lure of Italian limos
    TOYOTA CAMRY 2; 2.5 : Camry now more comely
    KIA SORENTO 2.2CRDi : Fuel-sipping slugger
    How To Setup, Password Protect & Encrypt Wireless Internet Connection
    Emulate And Run iPad Apps On Windows, Mac OS X & Linux With iPadian
    Backup & Restore Game Progress From Any Game With SaveGameProgress
    Generate A Facebook Timeline Cover Using A Free App
    New App for Women ‘Remix’ Offers Fashion Advice & Style Tips
    SG50 Ferrari F12berlinetta : Prancing Horse for Lion City's 50th
    - Messages forwarded by Outlook rule go nowhere
    - Create and Deploy Windows 7 Image
    - How do I check to see if my exchange 2003 is an open relay? (not using a open relay tester tool online, but on the console)
    - Creating and using an unencrypted cookie in ASP.NET
    - Directories
    - Poor Performance on Sharepoint 2010 Server
    - SBS 2008 ~ The e-mail alias already exists...
    - Public to Private IP - DNS Changes
    - Send Email from Winform application
    - How to create a .mdb file from ms sql server database.......
    programming4us programming4us