Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Group Policy Delegation and PowerBroker Desktops

Posted November 10, 2011    Peter McCalister

Group Policy provides powerful controls over desktop configuration, and it includes full delegation capabilities to allow network administrators to delegate Group Policy configuration tasks to others. Since Group Policy has so many powerful capabilities, it is critical to delegate certain tasks to other network administrators, without giving them Domain Admin rights or full edit rights over the entire Group Policy Object (GPO).

PowerBroker Desktops is implemented as a Group Policy extension, and management of PowerBroker Desktops can be delegated to specific individuals, without giving them full edit rights over the entire GPO and all of its settings. To do this, you simply need to deploy Group Policy settings to the users who will be managing PowerBroker Desktops settings. First, you will need to delegate access to the GPO itself to give a user edit rights. This is done on the Delegation tab inside of the Group Policy Management Console as shown below.


Once you have given the user the ability to edit the GPO, you can restrict the views that the user has inside of the GPO by disabling settings within the Administrative Templates of the Group Policy that will be applied to the delegated user. These settings will restrict what the user can see when editing a GPO. This is important because if a user has full edit rights to a GPO, they can change any setting within it. To restrict the Group Policy Editor, simply disable the following settings, found in the following location: User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions

Once the delegated user has received these policy settings, they will only be able to edit PowerBroker Desktops policy, assuming that the PowerBroker Desktops snap-in extension has been installed on their machine.

Alternatively, you may wish to prevent other network administrators from changing PowerBroker Desktop settings. In this case, you can disable the settings that display the PowerBroker Desktop snap-in extension. These can be found in the following location inside the Group Policy: User Configuration\Administrative Templates\BeyondTrust\PBWD\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions

Once configured, network administrators who have access to GPOs with PowerBroker Desktops policies within them will not be able to view or edit the policies, but they will still be able to manage native Group Policy settings.

Leave a Reply

Additional articles


Scottrade Breach: Identified by Federal Officials

Posted October 5, 2015    Morey Haber

Late afternoon on October 2nd, news leaked out of another large security breach, now at Scottrade. The identity count of records, in the millions again (4.6 million is the latest). This breach comes on the second day of national CyberSecurity month, the first being Experian/T-Mobile breach.

3d image Data Breach issues concept word cloud background

Experian/T-Mobile Data Breach: When 2 Days is not Enough

Posted October 2, 2015    Morey Haber

On October 1, Experian admitted full responsibility for the loss of T-Mobile customer data. 15 million user records dating back to 2013 were effected in the breach, with data including sensitive information that may be decryptable like social security numbers and drivers licenses.


Who Moved My Front Door? (What is Privileged Account Management?)

Posted October 1, 2015    Nigel Hedges

Not too long ago, I was sitting in a room with a very fluffy sales guy. In between words such as “we’ll make this happen” and “leave it with me, I’ll get it sorted” he asked the question “What is Privileged Account Management”?