Table 2-1

| Target Object | Permissions |
|---|---|
| Computer | Administrator (Local Administrator privilege) |
| Database | SYSADMIN |
| AD group for UPA Admin | Add Member. The LPA account should be a member of the group. |
Table 2-2

| Target Object | Permissions |
|---|---|
| Computer | Administrator (Local Administrator privilege) |
| AD System container | Read Permission, Write Permission, Read Property, Modify Property, Delete Subtree, Create Container objects, Delete Container objects, Create Service Connection Point objects, Delete Service Connection Point objects |
| Group Policy Creator Owners group in AD | Add Member |
| All GPOs in the domain | Edit, Modify, Delete. For more information, see To Grant Full Edit Permissions for GPOs |
| AD domain | RSoP Planning, RSoP Logging, Read gpLink, Write gpLink, Read gpOptions, Write gpOptions |
| AD site | Read gpLink, Write gpLink, Read gpOptions, Write gpOptions |
None (the UPA installer grants the GSA the required permissions while the installation is in progress).
To Grant Full Edit Permissions for GPOs
Grant the Export Only account the full-edit permission level on all GPOs in Active Directory using the PowerShell cmdlet Set-GPPermission (GroupPolicy module). With -All the grant is applied to every GPO in the domain, and -Replace overwrites any existing permission entry for that trustee rather than merging with it.
Script:
```powershell
# Requires the GroupPolicy module (RSAT / GPMC); run as a user who can edit GPO security.
Import-Module GroupPolicy

$params = @{
    All             = $true                          # every GPO in the domain
    TargetName      = "<<Export Only account Name>>" # the Export Only account
    TargetType      = 'User'
    PermissionLevel = 'GpoEditDeleteModifySecurity'  # full edit: edit, delete, modify security
    Replace         = $true                          # replace any existing entry for this trustee
}
Set-GPPermission @params
```
Grant the Export Only account the "Link GPOs" permission on the AD domain. For more information, see Delegate Permissions for Group Policy.
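Set-GPPermission only covers the "All GPOs in the domain" row of Table 2-2. The remaining rows (gpLink and gpOptions on the domain and on every site, the RSoP extended rights, the System container, Group Policy Creator Owners membership) are ACL edits on directory objects, and "Link GPOs" in GPMC is exactly read and write of the gpLink and gpOptions attributes on the object itself. The script below is an added example, not code from the original page or from the product it describes: it applies those delegations, then verifies that every GPO really carries the full-edit grant. It assumes the ActiveDirectory and GroupPolicy modules are installed, that the caller may modify the domain, site and System container ACLs, and that `$ExportOnlyAccount` is the account's sAMAccountName (a placeholder). GUIDs are resolved from the forest's own schema and Extended-Rights container rather than hard-coded.

```powershell
# Added example (not from the original page): delegate the Table 2-2 rights that
# Set-GPPermission does not cover, then verify the GPO-level grant.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ExportOnlyAccount = 'svc-gpo-export'        # assumed sAMAccountName; replace with the real one
$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext
$sid      = (Get-ADUser -Identity $ExportOnlyAccount).SID
$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$thisObj  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

# Look up attribute/class GUIDs and extended-right GUIDs in this forest.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
# Object-specific ACE for the Export Only account, scoped to the object itself.
function New-Ace($AdRights, [guid]$ObjectType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $AdRights, $allow, $ObjectType, $thisObj)
}

$gpLink    = Get-SchemaGuid 'gpLink'
$gpOptions = Get-SchemaGuid 'gpOptions'
$rsopPlan  = Get-ExtendedRightGuid 'Generate Resultant Set of Policy (Planning)'
$rsopLog   = Get-ExtendedRightGuid 'Generate Resultant Set of Policy (Logging)'

# "Link GPOs": read/write gpLink and gpOptions on the object; RSoP rights only on the domain.
function Add-LinkGpoRights([string]$ObjectDN, [switch]$WithRsop) {
    $acl = Get-Acl -Path "AD:\$ObjectDN"
    foreach ($attr in $gpLink, $gpOptions) {
        $acl.AddAccessRule((New-Ace ($rights::ReadProperty -bor $rights::WriteProperty) $attr))
    }
    if ($WithRsop) {
        foreach ($er in $rsopPlan, $rsopLog) { $acl.AddAccessRule((New-Ace ($rights::ExtendedRight) $er)) }
    }
    Set-Acl -Path "AD:\$ObjectDN" -AclObject $acl
}

Add-LinkGpoRights -ObjectDN $domainDN -WithRsop                                   # AD domain rows
Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=site)' |
    ForEach-Object { Add-LinkGpoRights -ObjectDN $_.DistinguishedName }           # AD site rows

# AD System container rows. Scope is "this object only" (assumption); "Write Permission"
# is read here as WriteProperty. Widen the inheritance if the product manages a subtree.
$sysDN  = "CN=System,$domainDN"
$sysAcl = Get-Acl -Path "AD:\$sysDN"
foreach ($cls in (Get-SchemaGuid 'container'), (Get-SchemaGuid 'serviceConnectionPoint')) {
    $sysAcl.AddAccessRule((New-Ace ($rights::CreateChild -bor $rights::DeleteChild) $cls))
}
$sysAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::GenericRead -bor $rights::WriteProperty -bor $rights::DeleteTree), $allow, $thisObj)))
Set-Acl -Path "AD:\$sysDN" -AclObject $sysAcl

# Group Policy Creator Owners row.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $ExportOnlyAccount

# Verify the Set-GPPermission grant. Get-GPPermission errors when the trustee has no
# entry on a GPO; that error is the "missing" case, so it is suppressed and reported.
function Get-GpoMissingFullEdit {
    Get-GPO -All | Where-Object {
        $p = Get-GPPermission -Guid $_.Id -TargetName $ExportOnlyAccount -TargetType User -ErrorAction SilentlyContinue
        (-not $p) -or ($p.Permission -ne 'GpoEditDeleteModifySecurity')
    } | Select-Object DisplayName, Id
}
$missing = Get-GpoMissingFullEdit
if ($missing) { Write-Warning "GPOs lacking full edit for $ExportOnlyAccount"; $missing | Format-Table -AutoSize }
else          { Write-Output  "All GPOs grant GpoEditDeleteModifySecurity to $ExportOnlyAccount" }
```

Run the verification block again after any GPO is created, since -All in Set-GPPermission acts only on GPOs that exist at that moment; membership in Group Policy Creator Owners covers GPOs the account creates itself, not GPOs created by others. Keep in mind what the combined delegation amounts to: an account with full edit on every GPO and write access to gpLink at the domain root can change the policy applied to any computer or user in the domain, so the Export Only account should be handled like a domain-admin-level credential (restricted logon scope, strong authentication, and alerting on GPO and gpLink modifications).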