Locking down AGPM for least privilege

A few customers have been emailing us. Essentially they want to be able to "lock down" AGPM as a central source of the GP truth without giving it too much access, which is something I always advocate: if it doesn't need Domain Admin access then don't give it Domain Admin access.

So here's what AGPM needs to operate:

  • The AGPM Service account needs to be a member of the domain "GPO Creator Owners" group and "Backup Operators" group
  • Full access to AGPM Archive folder (this will be granted by installer if located on a local drive)
  • Full access to local system temp directory (typically %windir%\temp)
  • Full access to any existing GPOs that need to be managed by AGPM

Aside from that, that's it. If you want to support child domains with a single AGPM instance then you also need to give the service account access in the child domain similar to what the GPO Creator Owners group provides, plus access to any existing GPOs you want to manage there. Note that you cannot add an account from one domain into a global group in a child domain. Aside from that it's now running least privilege and you can take away Domain Admins.

Cheers!


Updated: 10th Dec. After finding a bug in this approach I added the Backup Operators group to this process. It appears that when you try to delete a GPO from AGPM, it tries to restore the GPO object ownership back to the default of "Domain Admins". When it's running with least privilege it no longer has the permissions to do this. The only other group than Domain Admins with this permission is Backup Operators. Thus it's necessary to also grant the service account membership in this group.
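As an added example (not part of the original post or of the AGPM product), the PowerShell below provisions the four requirements in the list above, including the Backup Operators membership from the update, and then reports whether the service account ends up with exactly that access and nothing more (in particular, that it is no longer in Domain Admins). It uses the RSAT ActiveDirectory and GroupPolicy modules; the account name `svc-agpm`, the domain `CONTOSO` and the archive path `D:\AGPM\Archive` are placeholders to replace with your own values. The built-in AD group is named "Group Policy Creator Owners", which is what the post calls "GPO Creator Owners".

```powershell
# Added example: apply and verify the least-privilege rights an AGPM service account needs.
# Run in a session that may change domain group membership, folder ACLs and GPO security.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$svcSam  = 'svc-agpm'                      # placeholder: service account sAMAccountName
$svcNt   = "CONTOSO\$svcSam"               # placeholder: NT-style name used in file ACLs
$archive = 'D:\AGPM\Archive'               # placeholder: AGPM archive folder
$temp    = Join-Path $env:windir 'temp'    # local system temp directory

# Groups the post requires; "Group Policy Creator Owners" is the built-in AD group name.
$requiredGroups  = 'Group Policy Creator Owners', 'Backup Operators'
$forbiddenGroups = 'Domain Admins'          # should be removed once least privilege is in place

function Add-MemberIfMissing([string]$Group, [string]$Sam) {
    $members = (Get-ADGroupMember -Identity $Group).SamAccountName
    if ($members -notcontains $Sam) {
        Add-ADGroupMember -Identity $Group -Members $Sam
    }
}

function Grant-FullControl([string]$Path, [string]$Account) {
    # Full control, inherited by subfolders and files, without touching other entries.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-FullControl([string]$Path, [string]$Account) {
    $acl = Get-Acl -Path $Path
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::FullControl
    })
}

# 1. Group memberships
foreach ($g in $requiredGroups) { Add-MemberIfMissing -Group $g -Sam $svcSam }

# 2./3. Archive folder and temp directory (installer already handles a local archive path)
Grant-FullControl -Path $archive -Account $svcNt
Grant-FullControl -Path $temp    -Account $svcNt

# 4. Existing GPOs that AGPM must control: edit, delete and modify security on each one
foreach ($gpo in Get-GPO -All) {
    Set-GPPermission -Guid $gpo.Id -TargetName $svcSam -TargetType User `
        -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
}

# Verification report: every required right present, Domain Admins membership absent.
$report = [ordered]@{}
foreach ($g in $requiredGroups) {
    $report["Member of $g"] = (Get-ADGroupMember -Identity $g).SamAccountName -contains $svcSam
}
foreach ($g in $forbiddenGroups) {
    $report["NOT member of $g"] = (Get-ADGroupMember -Identity $g).SamAccountName -notcontains $svcSam
}
$report['Full control on archive'] = Test-FullControl -Path $archive -Account $svcNt
$report['Full control on temp']    = Test-FullControl -Path $temp    -Account $svcNt
$missingGpos = foreach ($gpo in Get-GPO -All) {
    $perm = Get-GPPermission -Guid $gpo.Id -TargetName $svcSam -TargetType User -ErrorAction SilentlyContinue
    if (-not $perm -or $perm.Permission -ne 'GpoEditDeleteModifySecurity') { $gpo.DisplayName }
}
$report['GPOs lacking edit/delete/security'] = @($missingGpos) -join ', '

$report.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
```

Run the verification half on its own after the account has been taken out of Domain Admins: if the report shows every check as True and no GPO listed as lacking rights, the service account is at the access level the post describes, and a later "Access denied" from AGPM points at a newly created GPO (owned by someone else) rather than at the service account having lost a broad group.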