Locking down AGPM fit for least privilege

A few customers have been emailing us about this. Essentially they want to "lock down" AGPM as the central source of Group Policy truth without giving it more access than it needs, which is something I always advocate: if it doesn't need Domain Admin access, don't give it Domain Admin access.

So here's what AGPM needs to operate:

  • The AGPM Service account needs to be a member of the domain's "Group Policy Creator Owners" group (often abbreviated "GPO Creator Owners") and of the "Backup Operators" group

  • Full access to the AGPM Archive folder (the installer grants this if the archive is on a local drive)

  • Full access to the local system temp directory (typically %windir%\temp)

  • Full access (in GPMC terms, "Edit settings, delete, modify security") to any existing GPOs that need to be managed by AGPM

Aside from that, that's it. If you want to support child domains with a single AGPM instance, you also need to give the service account access in the child domain equivalent to what the Group Policy Creator Owners group provides there, plus access to any existing GPOs in that domain that you want to manage. Note that you cannot add an account from one domain into a global group in a child domain (Group Policy Creator Owners is a global group), so those rights have to be delegated to the account directly. With that done it is running with least privilege and you can take away Domain Admins.



Updated: 10th Dec. After finding a bug in this approach I added the Backup Operators group to this process. It appears that when you delete a GPO from AGPM, it tries to restore ownership of the GPO object to the default of "Domain Admins". Setting an object's owner to a principal other than yourself requires the "Restore files and directories" user right (SeRestorePrivilege), and when the service account runs with least privilege it no longer holds that right. Of the built-in groups, Backup Operators is the least privileged one that has it, so it is necessary to also add the service account to that group. Bear in mind that Backup Operators on a domain controller is still a highly privileged group (its backup and restore rights cover the directory database and SYSVOL), so the service account should still be protected and monitored as a highly privileged account even though it is no longer a Domain Admin.
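The steps above, as an added PowerShell example (not part of the original post and not AGPM's own tooling). It assumes a service account CORP\svc-agpm (sAMAccountName svc-agpm), an archive at D:\AGPMArchive, and the RSAT ActiveDirectory and GroupPolicy modules on the machine it is run from; all of those names are placeholders. It applies the group memberships, the two folder ACLs and full control of every existing GPO, then verifies the result, including that the account is no longer in Domain Admins. GPO-creation rights in a child domain have to be delegated there separately and are not shown.

```powershell
# Added example (not from the original post): configure the AGPM service
# account for least privilege in a single domain, then verify it.
# Assumptions (placeholders): CORP\svc-agpm, archive at D:\AGPMArchive,
# RSAT ActiveDirectory and GroupPolicy modules installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Svc         = 'CORP\svc-agpm'      # assumed service account (DOMAIN\sam)
$SvcSam      = 'svc-agpm'           # its sAMAccountName
$ArchivePath = 'D:\AGPMArchive'     # assumed archive location
$TempPath    = Join-Path $env:windir 'Temp'

# 1. Group membership: GPO creation rights, plus SeRestorePrivilege via
#    Backup Operators so AGPM can reset GPO ownership when deleting a GPO.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $SvcSam
Add-ADGroupMember -Identity 'Backup Operators'            -Members $SvcSam

# 2. Full Control on the archive and on the local temp directory.
#    The installer already adds the archive ACE when the archive is on a
#    local drive; re-applying the same ACE is harmless.
function Grant-FullControl {
    param([string]$Path, [string]$Account)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
Grant-FullControl -Path $ArchivePath -Account $Svc
Grant-FullControl -Path $TempPath    -Account $Svc

# 3. Full access to every existing GPO AGPM is to manage.
#    GpoEditDeleteModifySecurity is the GPMC "Edit settings, delete,
#    modify security" level, i.e. full control of the GPO.
Set-GPPermission -All -TargetName $SvcSam -TargetType User `
                 -PermissionLevel GpoEditDeleteModifySecurity

# For existing GPOs in a child domain managed by the same AGPM instance,
# repeat against that domain (assumed name). This does not grant the
# right to create new GPOs there; delegate that in the child domain.
# Set-GPPermission -Domain child.corp.example -All -TargetName $SvcSam `
#                  -TargetType User -PermissionLevel GpoEditDeleteModifySecurity

# 4. Verify: the account holds both groups, is NOT in Domain Admins, and
#    has full control on every GPO in the domain.
$groups = (Get-ADPrincipalGroupMembership -Identity $SvcSam).Name
foreach ($g in 'Group Policy Creator Owners', 'Backup Operators') {
    if ($groups -notcontains $g) { Write-Warning "$SvcSam is not in $g" }
}
if ($groups -contains 'Domain Admins') {
    Write-Warning "$SvcSam is still in Domain Admins; remove it for least privilege"
}
Get-GPO -All | ForEach-Object {
    $p = Get-GPPermission -Guid $_.Id -TargetName $SvcSam -TargetType User `
                          -ErrorAction SilentlyContinue
    if (-not $p -or $p.Permission -ne 'GpoEditDeleteModifySecurity') {
        Write-Warning "No full control on GPO '$($_.DisplayName)'"
    }
}
```

Run it once as an account that can modify group membership and GPO security (it only needs that account for setup; AGPM itself runs as the service account afterwards). The verification block is the part worth keeping around: re-running it after a change to a GPO or after someone "helpfully" adds the account back to Domain Admins shows immediately whether the least-privilege configuration still holds.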

Comments (4)
  1. Anonymous says:

    Mike here again. A customer recently asked how they should configure their Advanced Group Policy Management

  2. Anonymous says:

    I actually wrote this post awhile ago on my blog and forgot to cross post this to the GP blog. Bad me…though

  3. I have a caveat to this. These are the correct permissions to give it and everything works correctly though we have noticed a bug in deletion of a GPO that indicates in the progress UI the deletion failed when in fact it actually succeeds. We are investigating this bug.

    There are two workarounds:

    1. Revert back to using Domain Admins for the service account

    2. Ignore this error in this least privilege configuration

    I will report back if we find anything of further concern, though we haven't yet.

  4. Nick Thompson says:

    Hurrah.. we’ve been wondering what rights to give our Service Account.
