BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Group Policy Delegation and PowerBroker Desktops

Posted November 10, 2011    Peter McCalister

Group Policy provides powerful controls over desktop configuration, and it includes full delegation capabilities to allow network administrators to delegate Group Policy configuration tasks to others. Since Group Policy has so many powerful capabilities, it is critical to delegate certain tasks to other network administrators, without giving them Domain Admin rights or full edit rights over the entire Group Policy Object (GPO).

PowerBroker Desktops is implemented as a Group Policy extension, and management of PowerBroker Desktops can be delegated to specific individuals, without giving them full edit rights over the entire GPO and all of its settings. To do this, you simply need to deploy Group Policy settings to the users who will be managing PowerBroker Desktops settings. First, you will need to delegate access to the GPO itself to give a user edit rights. This is done on the Delegation tab inside of the Group Policy Management Console as shown below.

shot1

Once you have given the user the ability to edit the GPO, you can restrict the views that the user has inside of the GPO by disabling settings within the Administrative Templates of the Group Policy that will be applied to the delegated user. These settings will restrict what the user can see when editing a GPO. This is important because if a user has full edit rights to a GPO, they can change any setting within it. To restrict the Group Policy Editor, simply disable the following settings, found in the following location: User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions

Once the delegated user has received these policy settings, they will only be able to edit PowerBroker Desktops policy, assuming that the PowerBroker Desktops snap-in extension has been installed on their machine.

Alternatively, you may wish to prevent other network administrators from changing PowerBroker Desktop settings. In this case, you can disable the settings that display the PowerBroker Desktop snap-in extension. These can be found in the following location inside the Group Policy: User Configuration\Administrative Templates\BeyondTrust\PBWD\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions

Once configured, network administrators who have access to GPOs with PowerBroker Desktops policies within them will not be able to view or edit the policies, but they will still be able to manage native Group Policy settings.

Leave a Reply

Additional articles

beyond-trust

PowerBroker for Windows – Most Innovative IAM Solution by Cyber Defense Magazine

Posted April 21, 2015    Scott Lang

PowerBroker for Windows has been selected as a winner by the 2015 Cyber Defense Magazine Awards Program in the category of “Most Innovative Identity and Access Management Solution”.

Tags:
, , ,
pbps-customer-campaign-image

Are you changing your passwords as often as the weather changes?

Posted April 20, 2015    Scott Lang

There is one thing that should change more frequently than the weather: Your privileged passwords. Why? If you’re like more than 25% of companies out there, then your current IT environment contains unmanaged accounts putting you at risk of data breaches and compliance violations, and you don’t have a process to control those accounts.

Tags:
, , , ,
webinar1

On Demand Webinar: Advanced Windows Tracing

Posted April 17, 2015    BeyondTrust Software

Webinar: Security MVP, Paula Januszkiewicz, shows Windows administrators how to be more aware of what happens whenever somebody does something within the system.

Tags:
, ,