Blog Post

Ask the Directory Services Team
5 MIN READ

AGPM Least Privilege Scenario

NedPyle's avatar
NedPyle
Icon for Microsoft rankMicrosoft
Apr 04, 2019
First published on TechNet on Dec 16, 2008

Mike here again. A customer recently asked how they should configure their Advanced Group Policy Management (AGPM) server using the least amount of privileges. AGPM Program Manager, Michael Kleef, posted a quick task list on his TechNet blog( http://blogs.technet.com/mkleef/archive/2008/11/18/locking-down-agpm-fit-for-least-privilege.aspx ) , but I thought I'd take the opportunity to go into more detail and provided some additional suggestions.


AGPM adds role-based administration, change control, workflow, and granular delegation to Group Policy Management. These features allow you to use AGPM to delegate Group Policy creation, review and deployment to non-administrative users. You can read more information about AGPM by downloading the Advance Group Policy Management Overview whitepaper ( http://go.microsoft.com/fwlink/?LinkId=106067 ).


Least privilege requirements


AGPM least privilege configurations can vary slightly. The variance largely depends on how little of privileges you want to provide to the AGPM Server (actually the service account running the AGPM Service). Regardless, you need to achieve the following four requirements for the AGPM Service to work properly:



  • The AGPM Service account requires full access to the AGPM archive folder

  • The AGPM Service account requires full access to the local computer's temp folder
    (%systemroot%\temp)

  • Full access to GPOs created prior to using AGPM

  • The AGPM Service account must be a member of the Group Policy Creator Owners and Backup Operators Group


The AGPM Service account


There are two options when choosing the AGPM Service account: Local System or an actual domain user account used to run the service. Least privilege scenarios cannot use the Local System account. The AGPM service can only use the Local System account when the service is running on a domain controller. Yes, the AGPM service can run on a domain controller; however, it's highly advisable not to install it on a domain controllers. Domain controllers have a specific purpose in the infrastructure just as Exchange or SQL servers-- domain controllers authenticate users. The last thing you'll want to do is restore a domain controller because your AGPM Server had a problem. I typically suggest naming the service account something intuitive-- like AGPMService .


Archive folder


The AGPM Service requires Full Control of the archive folder. The archive folder is where the AGPM Server keeps a manifest and backups of controlled GPOs. The default archive for AGPM version 3.0 is %ProgramData%\Microsoft\AGPM


Temp folder


The AGPM Service uses GPMC application programming interfaces (APIs) to accomplish many GPO operations. Many of these APIs use the computer's temp folder for temporary storage. You must grant the AGPM Service account Full Control to the computer's temp folder, which is %systemroot%\temp .


Full Access to existing GPOs


AGPM ensures that it has proper ownership and permissions to all controlled GPOs. However, GPOs created before implementing AGPM will not provided adequate permissions to the AGPM Service. For this reason, you'll want give the AGPM Service Full Control to all GPOs that exists prior to implementing AGPM.


Group memberships


The AGPM Service requires membership in two groups: Group Policy Creator Owners and Backup Operators .


Group Policy Creator Owners

By Default, Windows only allows Domain Administrators and Group Policy Creator Owners to create Group Policy objects. The least privilege configuration requires you to make the AGPM Service account a member of Group Policy Creator Owners . Membership in the Group Policy Creator Owners group allows the AGPM service to create Group Policy objects , makes the AGPM Service the owner of the new Group Policy object, and gives it the permissions required to manage the Group Policy object.


Backup Operators

Some of the operations that occur in AGPM mimic the functionality found in backup software. For example, the AGPM service may need to change the owner of a Group Policy object. Granting ownership to a security principal different from yourself is a privileged operations. Including the AGPM service account in the Backup Operators group provides it with the privilege to grant ownership. Backup Operators is a well-known security identifier found on each Windows Server. The AGPM Service attempts to change ownership on Group Policy objects, which are stored on the domain controller. The ownership change operation occurs at the domain controller, so you need to make sure the AGPM Service account is in the Backup Operators group on the domain controllers. Membership to the Backup Operators account on the AGPM Server is not required.


Troubleshooting


You can run across some configuration issue when attempting to configure the AGPM Server in a least privilege scenario. The following are the most common errors seen during an AGPM least privilege scenario.


[GPMC Error] Could not take ownership of the production GPO. Value does not fall within the expected range


Figure 1- Value does not fall within the expected range error


This error is discoverable when attempting to delete a controlled Group Policy object. The error occurs when choosing Delete GPO from archive only or Delete GPO from archive and production .


Solution

The AGPM Service is configured for least privileges and is not a member of Backup Operators on the domain controller. The AGPM service is attempting to grant ownership to a security principal in which it is not allowed. Add the AGPM service account to Backup Operators on the domain controller. Restarting the AGPM service is not a requirement.


[Error] An XML file generated by GPMC cannot be read or may contain invalid or malformed XML.


Figure 2- GpReport.xml error


This error is discoverable when attempting to create a new controlled Group Policy object. There are two major causes of this error


Solution 1:

The AGPM service does not have permissions to the computer's temp folder. Ensure the AGPM service has Full Control to the %systemroot%\temp folder of the computer running the AGPM Server service.


Solution 2:

First, check solution 1. Permissions on the computer's temp folder is root cause of the problem and you'll want to fix that first. If you are still receiving the error after following solution 1 (or temporarily making the AGPM service account a local admin of the computer running the AGPM Server service and restart the service), then the root cause of the problem occurred when you attempted to create your first controlled Group Policy object. The template created during the first controlled GPO creation failed (most likely with the this warning [GPMC Warning] A Report for this GPO could not be created. The backup will not contain any report of the settings Details: 0x80131509 ).



Figure 3- AGPM Templates view


Therefore, all subsequent controlled GPOs created from the template fail with [Error] An XML file generated by GPMC cannot be read or may contain invalid or malformed XML . You need to Delete and Destroy all templates created before you followed solution 1 (permissions on the temp folder). Templates created before following solution 1 contain invalid XML.



Figure 4- Destroying template from AGPM Recycle Bin


After deleting and destroying invalid templates (specifically the <Empty GPO> template), then create a new controlled Group Policy object. You'll be prompted to create a new template. Agree to the create the new template. The operation takes longer than expected; however, it should return successful.


That's all the time we have for this episode of AskDS: AGPM Least Privilege Scenario . Tune in next time to read Ned Pyle's latest saga about DFSR :)


- Mike Stephens

Updated Apr 04, 2019
Version 2.0
  • Air_'s avatar
    Air_
    Copper Contributor

    This is olden but golden. We have a new (don't ask!) AGPM server. When it creates a new policy, it adds the delegation according to the Production Delegation tab. But also adds an Apply permission for the same accounts. This seems like a fault. Can anyone using AGPM confirm if they see the same?