Sunday, June 3, 2012

Delegating the permission to generate Group Policy Results of Computer Configuration for domain users

By default, domain users cannot generate the "Group Policy Results" or "Resultant Set of Policy" of Computer Configuration due to insufficient permissions. Only users with local administrator rights on the target computer can remotely access Group Policy Results data.

Figure 1: Gpresult of a domain user

Figure 2: The warning of "Resultant Set of Policy"

Figure 3: "Resultant Set of Policy" is being processed

Figure 4: The result of "Resultant Set of Policy"

To allow domain users to generate the "Group Policy Results" or "Resultant Set of Policy" of Computer Configuration, we can delegate the permission to them by using GPMC. The permission can be assigned at the domain or organizational unit level.

Remark: To delegate the permission, make sure the forest functional level of the domain environment is Windows Server 2003 or later.

Goals
Allow the domain user, Terry, to read the "Group Policy Results" of Computer Configuration for computers in the "Win7 Workstations" OU.

Lab environment
  • 1 domain controller named DC02 running Windows Server 2008
  • 1 workstation named W701 running Windows 7, located in the "Win7 Workstations" OU
  • 1 server named FS01 running Windows Server 2008 R2, located in the Computers container
  • 1 domain user account named Terry

1. On DC02, log in as Domain Administrator.
2. Launch "Group Policy Management Console".
3. Expand "Forest > Domains > Domain Name > Win7 Workstations".


4. Select "Delegation" tab.
5. Next to "Permission", select "Read Group Policy Results data".


6. Click "Add".
7. In "Select User, Computer, or Group" window, enter "Terry".
8. On "Add Group or User" window, next to "Permissions", select "This container and all child containers".


Remark: Child OUs of "Win7 Workstations" will inherit the permission because "This container and all child containers" is selected.

9. Click "OK".
10. Click "Advanced".
11. Next to "Security", select "Terry".


The "Generate resultant set of policy" permission is granted to Terry.

12. Click "Cancel".


Now, Terry can generate the "Group Policy Results" or "Resultant Set of Policy" of Computer Configuration on workstations that are under the "Win7 Workstations" OU.
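The check from steps 10 and 11 can also be scripted, which helps when reviewing who holds this delegation. The following is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is available, and the domain components in the distinguished name are placeholders because the post does not give the domain name.

```powershell
# Added example: list every trustee that can generate RSoP (logging) data on an OU.
Import-Module ActiveDirectory

# Assumption: placeholder DN. Replace DC=example,DC=com with your own domain.
$OuDn = 'OU=Win7 Workstations,DC=example,DC=com'

# rightsGuid of the "Generate Resultant Set of Policy (Logging)" extended right,
# which is what GPMC grants for "Read Group Policy Results data".
$RsopLogging = [guid]'b7b1b3de-ab09-4242-9e30-9980e5d322f7'

function Get-RsopLoggingDelegation {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName
    )
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            # GenericAll also contains the ExtendedRight bit, so full-control ACEs match.
            ($_.ActiveDirectoryRights -band $extendedRight) -and
            # An empty ObjectType means "all extended rights", which includes this one.
            ($_.ObjectType -eq $RsopLogging -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object IdentityReference,
            @{ Name = 'Grant';  Expression = {
                if ($_.ObjectType -eq $RsopLogging) { 'RSoP logging only' }
                else { 'All extended rights' } } },
            IsInherited,       # False = set directly on this OU, as in the steps above
            InheritanceType    # 'All' = this container and all child containers
}

Get-RsopLoggingDelegation -DistinguishedName $OuDn |
    Sort-Object IsInherited, IdentityReference |
    Format-Table -AutoSize
```

After the steps above, Terry should appear with "RSoP logging only", IsInherited False and InheritanceType All. Any other non-administrative trustee in the output is a delegation worth reviewing.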

Test result
1. On W701, log in as Terry.
2. Launch "Command Prompt".
3. Perform "gpresult /r".


The "Group Policy Results" of Computer Configuration can be generated by Terry.

4. Perform "rsop.msc".



When the "Resultant Set of Policy" is being processed, there is no warning message. Terry can generate "Resultant Set of Policy" of Computer Configuration.

5. Log out of W701.
6. On FS01, log in as Terry.
7. Launch "Command Prompt".
8. Perform "gpresult /r".



9. Perform "rsop.msc".


Because the "Generate resultant set of policy" permission isn't granted at the domain level and FS01 is not under the "Win7 Workstations" OU, Terry cannot generate the "Group Policy Results" or "Resultant Set of Policy" of Computer Configuration on FS01.

For more information:
Delegation and policy-related permissions

This posting is provided “AS IS” with no warranties, and confers no rights!
