AGPM Roles - Limit Access using OUs

BriggsDane asked:

I am in the process of evaluating AGPM. I have certain security requirements. I have multiple teams that are responsible for maintaining their own GPOs. I would like to setup Editor, Reviewer and Approver Roles for each team and limit access to GPOs under their OUs. For example, I would like to setup Editor, Reviewer and Approver Roles for the Desktop Engineers for GPOs ONLY under the workstations OU. I do not want Desktop Engineers to have access to GPOs in the Servers or Domain Controllers OU. Can this be done? If so, How?

windows-group-policy

FanFan-MSFT answered:

Hi,
Based on my research, AGPM does not support link management. But it can be done directly in the GPMC or ADUC delegation control.
The following link is for your reference:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-by-using-ou-objects
Best Regards,


So if I wanted to limit the Desktop Engineers to only control GPOs in the workstations OU I would open ADUC and select Delegate Control. I would then select Create a custom task to delegate and then groupPolicyContainer objects. For each group I would set the permissions as follows.

WS-GPO-Editors - Read/write
WS-GPO-Reviewers - Read
WS-GPO-Approvers - Full

I would also need to open GPMC and delegate WS-GPO-Approvers Link GPOs.

Would I need to do anything else in the AGPM software?

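The delegation described in the comment above, scripted in PowerShell as an added example (this is not code from the thread, from AGPM, or from Microsoft's documentation). The OU distinguished name and the three group names are assumptions taken from the thread; the script needs the GroupPolicy and ActiveDirectory RSAT modules and a domain admin account.

```powershell
# Added example: delegate GPO edit/review/link rights for ONE OU only.
# Assumed values (not from the thread): OU DN below; groups WS-GPO-* already exist.
Import-Module GroupPolicy, ActiveDirectory

$ou = 'OU=Workstations,DC=corp,DC=example'   # assumed OU distinguished name

# Permission level per group on each GPO linked to the OU, matching the comment:
# editors read/write, reviewers read, approvers full (edit, delete, modify security).
$roles = @{
    'WS-GPO-Editors'   = 'GpoEdit'
    'WS-GPO-Reviewers' = 'GpoRead'
    'WS-GPO-Approvers' = 'GpoEditDeleteModifySecurity'
}

# 1. Per-GPO permissions: only the GPOs linked to this OU, nothing in other OUs.
$links = (Get-GPInheritance -Target $ou).GpoLinks
foreach ($link in $links) {
    foreach ($group in $roles.Keys) {
        Set-GPPermission -Guid $link.GpoId -TargetName $group -TargetType Group `
            -PermissionLevel $roles[$group] | Out-Null
    }
}

# 2. "Link GPOs" on the OU itself (what the GPMC delegation tab grants) is
#    read/write on the gPLink and gPOptions attributes of the OU object.
#    The attribute GUIDs are looked up in the schema rather than hard-coded.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$acl = Get-Acl -Path "AD:\$ou"
$sid = (Get-ADGroup 'WS-GPO-Approvers').SID
foreach ($attr in 'gPLink', 'gPOptions') {
    $guid = [guid](Get-ADObject -SearchBase $schemaNC `
        -Filter "lDAPDisplayName -eq '$attr'" -Properties schemaIDGUID).schemaIDGUID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ReadProperty, WriteProperty', 'Allow', $guid)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 3. Verify the result: which of the three groups holds what on each linked GPO.
foreach ($link in $links) {
    Get-GPPermission -Guid $link.GpoId -All |
        Where-Object { $roles.ContainsKey($_.Trustee.Name) } |
        Select-Object @{n='GPO';e={$link.DisplayName}},
                      @{n='Group';e={$_.Trustee.Name}}, Permission
}
```

This only sets Active Directory and GPO permissions; AGPM's own Editor/Reviewer/Approver roles are assigned separately in the AGPM snap-in and are not touched here.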

Hi,
Based on my research, to limit access using OUs, the steps mentioned above would be OK.
Best Regards,


Hi,
I am checking to see if the problem has been resolved.
If there's anything you'd like to know, don't hesitate to ask.
Best Regards,

BriggsDane answered:

When setting permissions as above and I open AGPM as any of the WS-GPO-Editors, WS-GPO-Reviewers, and WS-GPO-Approvers, I receive the following error. My assumption is that I need to grant rights to the AGPM archive. Just not sure how to do that. I tried granting access using NTFS permissions but that did not help.
Could not retrieve the list of controlled GPOs.

The following error occurred:
You do not have sufficient permissions to perform this operation.
Microsoft.Agpm.AccessDeniedException (80070005)


I am sorry that this issue still hasn't been resolved.
If there is no progress, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:
https://support.microsoft.com/en-in/hub/4343728/support-for-business

At the same time I will do more research; if there is any progress, I will update here!
Best Regards,
