How to grant permissions via the ADUC graphical console?
Hello. I am a student of AGPM.
I have granted the minimum rights as per the documentation: a separate user account, local admin rights and Backup Operators, Group Policy Creator Owners, and full folder permissions.
When I want to take control of the policy, I get an error:
Control GPO: Default Domain Controllers Policy...Failed
[GPMC Error] Could not take ownership of the production GPO. Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
1 actions failed.
If I run the service from a domain administrator account, everything is fine.
I found this article: https://archive.z-nerd.com/blog/2016/12/24-gpos-screw-it-well-do-it-live-iv/
And a script to solve the problem.
https://github.com/theznerd/AGPMScripts/blob/master/Set-GPOFullControl.ps1
- Can you explain to me in detail what this script modifies in Active Directory, and how?
- Can you show me if I can do it through the graphical console?
- Can you explain why I am getting this error? How does it work? Which access groups manage this? Maybe I can delegate group policy management to the account that I run AGPM with?
- I want to give minimum permissions, but I am afraid to use a script. I also don't understand how to document this, as I don't understand what changes are made to Active Directory and what processes are responsible for this.