Group Policy helps administrators with centralized control and configuration of user settings, operating systems, and applications. A Group Policy Object (GPO) is a collection of Group Policy settings that determine how a system appears and behaves for a certain group of users. GPO delegation in AD allows you to offer end-users permission to execute certain Group Policy management activities that are typically performed by administrators. You assign Group Policy management rights in Active Directory to a user who is not a member of Enterprise Admins or Domain Admins to accomplish the following tasks:
- Create GPOs and manage them.
- Manage existing GPO links or create RSoP (Resultant Set of Policy).
- View settings, modify settings, delete a GPO, and adjust security.
Why GPO Delegation?
For two primary reasons, determining who may edit GPOs is critical in order to provide effective security on GPOs themselves. To begin, if security settings are not correctly configured, users and system administrators can simply override them. This negates the whole point of having GPOs in the first place. Second, having many system administrators create and edit GPOs may make management exceedingly complex. When issues develop, the hierarchical structure of GPO inheritance might make it difficult to identify the source of the problem.
Delegating permissions for a group or user on a Group Policy Object:
Just like other AD objects, security principals can be assigned permissions to access a GPO. The following are the list of permissions that can be assigned:
- Edit Settings
- Edit Settings, Delete, Modify security
Let’s now look at the steps to set permissions for a GPO.
- Using Group Policy Management Console (GPMC):
The following steps illustrate how to set permissions for a GPO using GPMC:
- In the left pane of the GPMC snap-in, select the GPO.
- In the right pane, select the Delegation Tab. The list of users with their permission will be displayed under the Group and Users section.
- Click Add to add a specific user, group, or computer. Select the permission from the drop-down list and click OK.
- Click Locations, then choose the Entire Directory or the domain or the OU that includes the object to which GPO permissions should be applied, and then click OK.
- Enter the name of the item for which you wish to add GPO permissions in the Enter the object name to choose box, by executing one of the following actions:
- If you know the name of the object, enter it directly and click OK.
- If you don’t know the name of the object and want to find it, click Advanced, enter the search criteria, click Find Now, select the name from the list box, click OK, and then click OK again.
- Select the required permissions from the drop-down list in the Permissions box of the Add Group or User dialog box, and then click OK.
- Using PowerShell:
- Open PowerShell from a domain controller or on a member server that has the Group Policy Management console installed.
- Import the Group Policy module to use the Group Policy cmdlets, by executing the following command:
Import- Module Group Policy
- To assign a permission level for a security group to a GPO, use the following command:
Set- GPPermissions -Name <String> -TargetName <PermissionTrusteeType> -PermissionLevel <GPPermission Type>
- To delegate a permission level for a security group to all GPOs in the domain, use
the following command:
Set-GPPermissions -All -TargetName <String> -TargetType <PermissionTrusteeType> -PermissionLevel <GPPermissionType>
GPO Delegation vs Security Filtering:
Computers or users must have Read and Apply access on a GPO, in order to receive the settings from it. The GPO won’t be applied if it doesn’t have both the Read and Apply rights. When testing a new GPO, you might wish to limit the GPO appliance to a single user or computer. This is done by either completely removing Authenticated Users from the GPO’s Access Control List (ACL) or by removing Authenticated Users with the Apply permission. Then, you can manually assign Read and Apply to the user or computer you’re using for testing. It is mostly used for testing and when there is a poor fit between the needs of the GPO appliance and the OU design. This method is known as Security Filtering.
The second reason to update your GPO ACL is Delegation. Delegating GPO administration to regional teams can be accomplished by giving the GPO Write permissions. By doing so, you will be able to provision blank GPOs. Then, assign local teams to configure the GPO. In order to enable them to set up security filtering for testing purposes, you can also grant them the authority to change the GPO ACL.
To examine and modify a GPO’s permissions and manage them, use Security Filter and Delegation. The sections “Security Filtering” and “Delegation” are linked as follows:
- The security filtering tab displays the entities that would be influenced by the GPO.
- The delegation tab contains a display of the GPO ACL.
- Any new security filtering entry will appear in the delegation tab as “Read (from Security Filtering)” if it is added. This indicates that the entry was introduced via the Security Filtering tab rather than the Delegation tab.
- The relevant permissions in the Delegation Tab are “Read” and “Apply Group Policy” which are entered through the Security Filtering tab.
- On the other hand, if we create a new entry using the Delegation tab, it won’t show up in the security filtering tab unless it has the “Read” and “Apply Group Policy” permissions. This is due to the requirement that an object has access to both “Read” and “Apply Group Policy” in order to apply a GPO to it.
AD Delegation Best Practices:
- To create a safe IT environment, provide only control to what is required by using a least-privilege delegation model.
- Conduct regular audits by reviewing permissions of users to prevent misuse of control.
- Since weak passwords are frequently the root cause of data breaches, use multi-factor authentication whenever possible to add an extra layer of security.
- In order to prevent security threats, implement a zero trust model in which users and services are not easily trusted and should always face verification and continue to follow security procedures as long as they are a part of the network.
- Inactive accounts should be checked on a regular basis since orphaned accounts with user information and access but no assigned user, allow hackers to potentially attack the network.
When it comes to Group Policy, it’s critical to limit the number of users who can manage the Group Policy Objects. Furthermore, it is critical to control and limit who has access to certain features like unlink, and block inheritance on Organizational Units. Organizations may provide Admin privileges to anybody who requests them since the administrators are not aware of how to delegate Active Directory permissions. This can cause a serious security threat to the network. Fortunately, we can avoid the security concern by using the Delegation of Control wizard to determine security permissions for GPOs. Therefore, it is recommended to delegate control and fine-tune permissions based on the requirement.
People also read