BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Group Policy Delegation and PowerBroker Desktops

Posted November 10, 2011    Peter McCalister

Group Policy provides powerful controls over desktop configuration, and it includes full delegation capabilities to allow network administrators to delegate Group Policy configuration tasks to others. Since Group Policy has so many powerful capabilities, it is critical to delegate certain tasks to other network administrators, without giving them Domain Admin rights or full edit rights over the entire Group Policy Object (GPO).

PowerBroker Desktops is implemented as a Group Policy extension, and management of PowerBroker Desktops can be delegated to specific individuals, without giving them full edit rights over the entire GPO and all of its settings. To do this, you simply need to deploy Group Policy settings to the users who will be managing PowerBroker Desktops settings. First, you will need to delegate access to the GPO itself to give a user edit rights. This is done on the Delegation tab inside of the Group Policy Management Console as shown below.

shot1

Once you have given the user the ability to edit the GPO, you can restrict the views that the user has inside of the GPO by disabling settings within the Administrative Templates of the Group Policy that will be applied to the delegated user. These settings will restrict what the user can see when editing a GPO. This is important because if a user has full edit rights to a GPO, they can change any setting within it. To restrict the Group Policy Editor, simply disable the following settings, found in the following location: User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions

Once the delegated user has received these policy settings, they will only be able to edit PowerBroker Desktops policy, assuming that the PowerBroker Desktops snap-in extension has been installed on their machine.

Alternatively, you may wish to prevent other network administrators from changing PowerBroker Desktop settings. In this case, you can disable the settings that display the PowerBroker Desktop snap-in extension. These can be found in the following location inside the Group Policy: User Configuration\Administrative Templates\BeyondTrust\PBWD\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy snap-in extensions

Once configured, network administrators who have access to GPOs with PowerBroker Desktops policies within them will not be able to view or edit the policies, but they will still be able to manage native Group Policy settings.

Leave a Reply

Additional articles

Dark Reading

2014: The Year of Privilege Vulnerabilities

Posted December 18, 2014    Chris Burd

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of “least privilege” could limit the impact of malware and raise the bar of difficulty for attackers.

Tags:
, , , , ,
dave-shackleford-headshot

Looking back on information security in 2014

Posted December 16, 2014    Dave Shackleford

Dave Shackleford is a SANS Instructor and founder of Voodoo Security. Join Dave for a closer look at the year in security, and learn what you can do to prepare for 2015, with this upcoming webinar. 2014 has been one heck of an insane year for information security professionals. To start with, we’ve been forced…

Tags:
, ,
patch-tuesday

December 2014 Patch Tuesday

Posted December 9, 2014    BeyondTrust Research Team

This month marks the final Patch Tuesday of 2014. Most of what is being patched this month includes Internet Explorer, Exchange, Office, etc… and continues a trend of the greatest hits collection of commonly attacked Microsoft software. Probably the one thing that broke the mold this month is that for once there is not some…

Tags:
,