How can I delegate rights for a GPO?

Question

Hi.

How can I delegate to have a new group added here ?

Why I need it and what I'm trying to solve:

I'm looking into the AGPM service. I want to give a minimum of account rights. AGPM cannot control policies without domain administrator rights.

By default, we have no such rights. The documentation does not say anything about it.

But if I manually add the permissions, everything is fine.

I found a solution, but it's using Powershell. We give each policy permissions. But if I create a new policy, I have to run this script every time to grant permissions to the new policy.

Can I do this using aduc GUI ? I don't really understand what parameters I need there. The Powershell solution has no automation and this would be hard to maintain.

https://archive.z-nerd.com/blog/2016/12/24-gpos-screw-it-well-do-it-live-iv/

Answer 1

Hi Андрей Михалевский,

If you want to modify the default permissions for GPOs, open ADSIEdit from Server Manager and connect to Schema, navigate to CN=Group-Policy-Container, then open Properties and edit the defaultSecurityDescriptor attribute. The permissions are written using the Security Descriptor Definition Language (SDDL).

Please refer to this help file for more details about SDDL.

https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language

Also refer to this link for the steps.

https://sdmsoftware.com/tips-tricks/modifying-default-gpo-permissions-creation-time/

Best Regards,

Ian Xue

---

If the Answer is helpful, please click "Accept Answer" and upvote it.