Group Policy Administrator (GPA) provides a comprehensive security model to ensure the safety and reliability of your Active Directory environment when you are using GPA to manage Group Policy. This security model, implemented in the GPA Repository, enables you to enforce a secure workflow for creating, modifying, testing, approving, and deploying GPOs to your production Active Directory environment. GPA enforces security over GPO changes in a number of ways:
GPA defines the specific tasks or roles a user can perform, as well as the domains, categories, and GPOs each GPA user can work with.
Using the Export Only account limits the user accounts that need Active Directory permissions to modify GPOs.
Using the Untrusted Access account limits the user accounts that need access to untrusted domains to run reports or perform GPA operations such as migrations, synchronizations, or retrieving mapping data.
Each GPA Console uses a Repository Authorization Code to connect to the GP Repository.
The GPA Security account limits the ability to change the Repository Authorization Code.
Using GPA allows you to control where a GPO Editor can link a GPO to specific AD containers.
The following sections explain how GPA enforces security over GPO change management.