BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Group Policy Delegation and PowerBroker Desktops

Posted November 10, 2011    Peter McCalister

Group Policy provides powerful controls over desktop configuration, and it includes full delegation capabilities to allow network administrators to delegate Group Policy configuration tasks to others. Since Group Policy has so many powerful capabilities, it is critical to delegate certain tasks to other network administrators, without giving them Domain Admin rights or full edit rights over the entire Group Policy Object (GPO).

PowerBroker Desktops is implemented as a Group Policy extension, and management of PowerBroker Desktops can be delegated to specific individuals, without giving them full edit rights over the entire GPO and all of its settings. To do this, you simply need to deploy Group Policy settings to the users who will be managing PowerBroker Desktops settings. First, you will need to delegate access to the GPO itself to give a user edit rights. This is done on the Delegation tab inside of the Group Policy Management Console as shown below.

shot1

Once you have given the user the ability to edit the GPO, you can restrict the views that the user has inside of the GPO by disabling settings within the Administrative Templates of the Group Policy that will be applied to the delegated user. These settings will restrict what the user can see when editing a GPO. This is important because if a user has full edit rights to a GPO, they can change any setting within it. To restrict the Group Policy Editor, simply disable the following settings, found in the following location: User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions

Once the delegated user has received these policy settings, they will only be able to edit PowerBroker Desktops policy, assuming that the PowerBroker Desktops snap-in extension has been installed on their machine.

Alternatively, you may wish to prevent other network administrators from changing PowerBroker Desktop settings. In this case, you can disable the settings that display the PowerBroker Desktop snap-in extension. These can be found in the following location inside the Group Policy: User Configuration\Administrative Templates\BeyondTrust\PBWD\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions

Once configured, network administrators who have access to GPOs with PowerBroker Desktops policies within them will not be able to view or edit the policies, but they will still be able to manage native Group Policy settings.

Leave a Reply

Additional articles

webinar_ondemand

On Demand Webinar – Why You Still Suck at Patching

Posted March 27, 2015    Lindsay Marsh

On Demand Webinar: Dave Shackleford recounts some of his personal experiences in patch management failure, and breaks down the most critical issues holding many teams back from patching more effectively.

Tags:
,
dave-shackleford-headshot

Why You Still Suck at Patching…and How to Turn Your Life Around

Posted March 25, 2015    Dave Shackleford

Live webinar | March 26, 2015 | 10am PT/1pm ET | Dave Shackleford, SANS Instructor | Why You Still Suck at Patching…and How to Turn Your Life Around

Tags:
, ,
infographic

Privilege Gone Wild 2: Over 25% of Organizations Have No Privileged Access Controls

Posted March 24, 2015    Scott Lang

BeyondTrust recently conducted a survey, with over 700 respondents, to explore how organizations view the risk of misuse from privileged account misuse, as well as trends in addressing and mitigating those risks.

Tags:
,