AGPM Least Privilege for Child Domain

Michael has covered “least privilege” for AGPM before (the Active Directory team followed up with a bit more detail). However, those scenarios are for single-domains. What if you have a forest where you want to manage all the child domains using AGPM, but you don’t want to just give the AGPM service administrator privileges across your entire forest? This guide will show you how to let the AGPM functionality take root with the minimum amount of privilege for each child in your domain.


For this example we’re using CONTOSO.COM as our root DC. CHILD.CONTOSO.COM is the child domain in the forest. Our AGPM server is in CONTOSO.COM running under the user “AGPMService”. (Side note: Wondering why “Contoso”?)


There are three permissions AGPM requires to run in a child domain.

1) Give AGPMService permission in the GPO directory. This will allow AGPM to check policies in and out.

a. Open GPMC.MSC for the child domain.

b. Click on the “Group Policy Objects” container.

c. In the “Delegation” tab, click “Add…” and add AGPMService from the parent domain.


2) Give AGPMService permission for any existing GPOs. This will allow AGPM to take control of any existing GPOs.

a. For each GPO that already exists in the child domain (In our example, that would be the 2 GPOs starting with “Default Domain…”), select it in the GPMC

b. Select the “Delegation” tab, click “Add…”, and add the AGPMService from the parent domain


3) Add AGPM to the “Backup Operators” builtin security group.

a. Open “Active Directory Users and Computers” for the child domain.

b. Navigate to the builtin container and right-click on Backup Operators.

c. Select “Properties”, then navigate to “Members” and click “Add…”, and add the AGPMService from the parent domain.


You should now be able to use AGPM in the child domain.

Comments (0)

Skip to main content