2.4 Creating GPA Service Accounts

GPA uses the following service accounts. Creating these accounts in advance allows you to complete the installation process without interruption.

NOTE: Although it is not required, you should use a service account to install GPA.

GPA Security account

Used to access the GP Repository and to publish GPA Server information in AD.

Export Only account

Used for exporting GPOs.

Untrusted Access account

Used for generating reports and any repository update operation in an untrusted domain (migration, sync, retrieving data for mapping entries).

2.4.1 Creating the GPA Security Account

GPA requires the GPA Security account, a service account you specify during the GPA Server installation, to operate.

The GPA Server uses the GPA Security account to access the GP Repository. The GPA Security account also holds special permissions on the GP Repository that the GPA Server needs to export GPOs. Because the account is dedicated to GPA, the tasks it performs can be uniquely identified in audit records, which improves change control and auditing.

GPA uses the GPA Security account to publish GPA Server information as a Service Connection Point (SCP) in AD during server start up. To do this, the GPA Security account requires specific permissions in each trusted domain where a GPA Console is installed.

Create the GPA Security account before installing GPA and save the user name and password to use when you install the GPA Server. The GPA Security account needs permission to export GPOs from the GP Repository and to write GPOs to Active Directory.

To create the GPA Security account:

  1. Create a user account named GPA Security Account.

  2. Add the GPA Security account to the Domain Admins group. If you do not want to grant the GPA Security account domain administrator permissions, add the account to the global Group Policy Creator Owners group.

  3. Add the following permissions on the CN=System container for the GPA Security account in each trusted domain where a GPA Console is installed:

    • Read Permissions
    • Modify Permissions
    • Read all properties
    • Write all properties
    • Delete subtree
    • Create Container objects
    • Delete Container objects
    • Create serviceConnectionPoint objects
    • Delete serviceConnectionPoint objects

  4. On the computer where you plan to install the GPA Server, add the account to the local Administrators group.
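The four steps above, automated with the ActiveDirectory module. This is an added example, not NetIQ's own script; the sAMAccountName, the list of Console domains and the GPA Server host name are assumed placeholders, and the class GUIDs for the object-specific ACEs are read from the schema rather than hard-coded. Inheritance onto child objects of CN=System is an assumption, since the procedure does not state the scope.

```powershell
# Added example, not NetIQ's own script: automates steps 1-4 of "To create the GPA Security account".
# Requires the ActiveDirectory module (RSAT) and a session that may create users and edit the
# CN=System ACL in each Console domain. Values marked "assumed" are placeholders for your environment.
Import-Module ActiveDirectory

$AccountName    = 'GPA Security Account'                   # display name from step 1
$SamAccount     = 'gpasecurity'                            # assumed sAMAccountName
$ConsoleDomains = @('corp.example.com')                    # assumed: every trusted domain with a GPA Console (step 3)
$GpaServerHost  = 'gpa-server01'                           # assumed: host that will run the GPA Server (step 4)
$Domain         = Get-ADDomain

# Step 1: create the service account. PasswordNeverExpires/CannotChangePassword are the usual
# settings for a service identity (assumption, not a GPA requirement).
$pw = Read-Host -AsSecureString -Prompt "Password for $SamAccount"
New-ADUser -Name $AccountName -SamAccountName $SamAccount -AccountPassword $pw -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true -Description 'NetIQ GPA Server service account'

# Step 2: the least-privilege option from the procedure (Group Policy Creator Owners, not Domain Admins)
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $SamAccount
$sid = (Get-ADUser $SamAccount).SID

# Step 3: rights on CN=System in each trusted Console domain
$R     = [System.DirectoryServices.ActiveDirectoryRights]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Scope = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # assumption: container and its children

foreach ($server in $ConsoleDomains) {
    # Resolve the schema GUIDs of the two classes the Create/Delete rights are limited to
    $schema    = (Get-ADRootDSE -Server $server).schemaNamingContext
    $classGuid = @{}
    foreach ($class in 'container', 'serviceConnectionPoint') {
        $obj = Get-ADObject -Server $server -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$class)" -Properties schemaIDGUID
        $classGuid[$class] = [guid]$obj.schemaIDGUID
    }
    $systemDn = "CN=System,$((Get-ADDomain -Server $server).DistinguishedName)"
    $sd = (Get-ADObject -Server $server -Identity $systemDn -Properties nTSecurityDescriptor).nTSecurityDescriptor

    # Read Permissions, Modify Permissions, Read/Write all properties, Delete subtree: generic rights, no object type
    $generic = $R::ReadControl -bor $R::WriteDacl -bor $R::ReadProperty -bor $R::WriteProperty -bor $R::DeleteTree
    $sd.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $generic, $Allow, $Scope)))
    # Create/Delete container and serviceConnectionPoint objects: CreateChild/DeleteChild scoped to that class only
    foreach ($class in $classGuid.Keys) {
        $sd.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, ($R::CreateChild -bor $R::DeleteChild), $Allow, $classGuid[$class], $Scope)))
    }
    Set-ADObject -Server $server -Identity $systemDn -Replace @{ nTSecurityDescriptor = $sd }
}

# Step 4: local Administrators on the GPA Server host (LocalAccounts module, Windows Server 2016 or later)
$member = "$($Domain.NetBIOSName)\$SamAccount"
Invoke-Command -ComputerName $GpaServerHost -ScriptBlock {
    Add-LocalGroupMember -Group 'Administrators' -Member $using:member
}
```

Scoping CreateChild and DeleteChild to the container and serviceConnectionPoint classes, instead of granting them unrestricted, keeps the account from creating or deleting any other object type under CN=System; that is the only difference between the object-specific ACEs and the generic ones.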

While installing GPA, the setup program configures the GPA Server service to start and run under the GPA Security account by setting the Startup type property to Automatic and the Log on as this account property to the GPA Security account.

The setup program also creates a SQL Server login account for the GPA Security account and adds it to the following database roles for the GPA database:

  • Public role

  • netiq_gpr_server role

2.4.2 Creating the Export Only Account

GPA can use an optional service account, the Export Only account, to export GPOs from the GP Repository to Active Directory. Exporting GPOs requires elevated Active Directory permissions that you might not want a GPA user to have.

To overcome this limitation, you can configure GPA to use the GPA Server and an Export Only service account in the domain where you want to export GPOs. If you do not configure GPA to use an Export Only account, GPA uses the credentials of the user logged onto the GPA Console to export GPOs.

You can create the Export Only account before or after installing GPA. You can create an Export Only account for each domain to which you will export GPOs or create a single account across all trusted domains.

If you are managing multiple untrusted domains, create an Export Only account for each untrusted domain.

To create an Export Only account:

  1. Log on to the domain into which you need to export GPOs with an account that has domain administrator permissions.

  2. Create a user account with a name that describes its function, such as GPO Export Only.

  3. Add the Export Only account to the Domain Admins group. If you do not want to grant the Export Only account domain administrator permissions, complete the following steps instead:

    NOTE:

    • If you do not add the Export Only account to the Domain Admins group, every time you create a GPO in the GP Repository you must modify the GPO to grant the Export Only account all permissions except Apply Group Policy and All Extended Rights.

    • If you want to use one Export Only account across multiple trusted domains, the Export Only account must have domain administrator permissions in each domain.

    1. Add the Export Only account to the global Group Policy Creator Owners group.

    2. In the domain where you want to export GPOs, grant the Export Only account FullEdit permission to all GPOs in Active Directory. Grant these permissions before you import GPOs into the GP Repository. To grant these permissions, run the GrantPermissionOnAllGPOs.wsf GPMC script with the following syntax:

       GrantPermissionOnAllGPOs.wsf /Permission:FullEdit "AccountName"

       For more information about GPMC scripts, see the Microsoft documentation at the following Web site: http://msdn.microsoft.com/en-us/library/aa814151(VS.85).aspx.

       NOTE: If you do not set these permissions before importing GPOs, manually set the permissions for each GPO in the GP Repository. For more information, see Knowledge Base article NETIQKB28252 at www.netiq.com/NETIQKB28252.

    3. In the domain where you want to export GPOs, grant the Export Only account permissions to link GPOs to SOM containers (OUs, sites, and the domain). You can grant these permissions by running the SetSOMPermissions.wsf GPMC script with the following syntax:

       SetSOMPermissions.wsf "SOMName" "AccountName" /Permission:All /Inherit /Domain:DNSNameofDomain

       NOTE: If you do not specify the /Inherit flag, you must run this script for every child SOM container in Active Directory. For more information about GPMC scripts, see the Microsoft documentation at the following Web site: http://msdn.microsoft.com/en-us/library/aa814151(VS.85).aspx.

  4. Configure the GPA Console to use the Export Only account for each domain where you want to export GPOs. If you have multiple untrusted domains, ensure you configure a GPA Console in each untrusted domain to use a different Export Only account. For more information, see Section 3.3.1, Configuring GPA to Use the Export Only and Untrusted Access Accounts.
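The non-Domain-Admins path above (steps 1 to 3), done with the GroupPolicy and ActiveDirectory modules instead of the two GPMC scripts. This is an added example, not NetIQ's own script: Set-GPPermission with GpoEditDeleteModifySecurity is the cmdlet equivalent of /Permission:FullEdit, and the SOM rights are written as the ACEs that SetSOMPermissions /Permission:All /Inherit sets (write access to gPLink and gPOptions plus the two RSoP extended rights). The sAMAccountName is an assumed placeholder.

```powershell
# Added example, not NetIQ's own script: PowerShell equivalent of steps 1-3 of the non-Domain-Admins
# path (GrantPermissionOnAllGPOs.wsf /Permission:FullEdit and SetSOMPermissions.wsf /Permission:All /Inherit).
# Requires the ActiveDirectory and GroupPolicy modules and a Domain Admins session in the export domain.
Import-Module ActiveDirectory, GroupPolicy

$SamAccount = 'gpoexport'                  # assumed sAMAccountName of the "GPO Export Only" account
$Domain     = Get-ADDomain                 # the domain you export GPOs into
$sid        = (Get-ADUser $SamAccount).SID

# Step 1: Group Policy Creator Owners instead of Domain Admins
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $SamAccount

# Step 2: FullEdit ("Edit settings, delete, modify security") on every GPO that exists now.
# GPOs created later are not covered, which is why the NOTE above tells you to edit each new GPO.
Set-GPPermission -All -Domain $Domain.DNSRoot -TargetName $SamAccount -TargetType User `
    -PermissionLevel GpoEditDeleteModifySecurity | Out-Null

# Step 3: SetSOMPermissions /Permission:All grants three things on a SOM: the right to link GPOs
# (write access to the gPLink and gPOptions attributes) and the RSoP Logging and Planning extended
# rights. Applied at the domain root with inheritance (/Inherit) the ACEs reach every child OU.
# Sites live in the Configuration partition, so each site object needs the same rules separately.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$configNc = (Get-ADRootDSE).configurationNamingContext
$R     = [System.DirectoryServices.ActiveDirectoryRights]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Scope = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All    # the /Inherit flag

$somDn = $Domain.DistinguishedName         # "SOMName": the domain itself
$sd = (Get-ADObject -Identity $somDn -Properties nTSecurityDescriptor).nTSecurityDescriptor

foreach ($attr in 'gPLink', 'gPOptions') {
    $attrGuid = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID).schemaIDGUID
    $sd.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $R::WriteProperty, $Allow, $attrGuid, $Scope)))
}
foreach ($rightName in 'Generate Resultant Set of Policy (Logging)', 'Generate Resultant Set of Policy (Planning)') {
    $escaped = $rightName -replace '\(', '\28' -replace '\)', '\29'    # LDAP filter escaping for parentheses
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(displayName=$escaped)" -Properties rightsGuid
    $sd.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $R::ExtendedRight, $Allow, [guid]$right.rightsGuid, $Scope)))
}
Set-ADObject -Identity $somDn -Replace @{ nTSecurityDescriptor = $sd }
```

Writing the link right as WriteProperty on exactly two attributes is what keeps this account from being able to edit anything else on the OUs it can link to; an unrestricted WriteProperty on the domain root would be a far larger grant than the GPMC script makes.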

2.4.3 Creating the Untrusted Access Account

GPA requires an Untrusted Access account for each untrusted domain with GPOs you want to manage. This service account is used to generate reports and perform any repository update operation in an untrusted domain, including, but not limited to, the following operations:

  • Migration

  • Synchronization

  • Retrieving data for mapping entries

You can create the Untrusted Access account before or after installing GPA. Create an Untrusted Access account for each untrusted domain where you want to manage GPOs.

To create an Untrusted Access account:

  1. Log on to the untrusted domain with an account that has domain administrator permissions.

  2. Create a user account with a name that describes its function, such as GPO Untrusted Access.

  3. Add the Untrusted Access account to the Domain Users group.

  4. Grant the account the following permissions on the following container, applied to this object and all its children: %Domain%->FullArmor->FAZAM GP REPOSITORY SERVERS->%SQL SERVER%->SYSTEM->POLICIES:

    • Read

    • Write

    • List Contents

    • Read All Properties

    • Write All Properties

    • Delete

    • Delete Sub-tree

    • Modify Permissions

    • Read Permissions

    • Modify Owner

    • All Validated Writes

    • Create groupPolicyContainer

    • Delete groupPolicyContainer

  5. Configure the GPA Console to use an Untrusted Access account for each untrusted domain. For more information, see Section 3.3.1, Configuring GPA to Use the Export Only and Untrusted Access Accounts.
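A check for step 4 above: an added example, not NetIQ's own script, that reads the ACL of the POLICIES container and reports which of the listed rights the Untrusted Access account lacks, whether any Deny entries apply to it, and whether its entries are scoped to children as the step requires. The container DN is built literally from the page's path; if your repository container sits elsewhere (for example under CN=System), adjust the DN, which is an assumption. The usage values are placeholders.

```powershell
# Added example, not NetIQ's own script: audits the step 4 permissions on the POLICIES container for
# the Untrusted Access account. Requires the ActiveDirectory module. The DN below follows the page's
# path %Domain%->FullArmor->FAZAM GP REPOSITORY SERVERS->%SQL SERVER%->SYSTEM->POLICIES (assumption).
Import-Module ActiveDirectory

function Test-GpaRepositoryRights {
    param(
        [Parameter(Mandatory)][string]$Server,      # a DC of the domain holding the container (%Domain%)
        [Parameter(Mandatory)][string]$SqlServer,   # the %SQL SERVER% element of the path
        [Parameter(Mandatory)][string]$Account,     # sAMAccountName of the Untrusted Access account
        [pscredential]$Credential                   # credentials for the untrusted domain, if needed
    )
    $ad = @{ Server = $Server }
    if ($Credential) { $ad.Credential = $Credential }

    $domainDn = (Get-ADDomain @ad).DistinguishedName
    $dn  = "CN=POLICIES,CN=SYSTEM,CN=$SqlServer,CN=FAZAM GP REPOSITORY SERVERS,CN=FullArmor,$domainDn"
    $sid = (Get-ADUser @ad -Identity $Account).SID
    $schemaNc = (Get-ADRootDSE @ad).schemaNamingContext
    $gpcGuid  = [guid](Get-ADObject @ad -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=groupPolicyContainer)' -Properties schemaIDGUID).schemaIDGUID

    $R = [System.DirectoryServices.ActiveDirectoryRights]
    # The named rights from step 4 mapped to ACE flags. "Read" and "Write" are the generic bundles
    # that the property, list and control rights below already cover, so they are not listed twice.
    $required = [ordered]@{
        'Read All Properties'  = $R::ReadProperty
        'Write All Properties' = $R::WriteProperty
        'List Contents'        = $R::ListChildren
        'Delete'               = $R::Delete
        'Delete Sub-tree'      = $R::DeleteTree
        'Modify Permissions'   = $R::WriteDacl
        'Read Permissions'     = $R::ReadControl
        'Modify Owner'         = $R::WriteOwner
        'All Validated Writes' = $R::Self
    }

    $sd   = (Get-ADObject @ad -Identity $dn -Properties nTSecurityDescriptor).nTSecurityDescriptor
    $aces = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $sid.Value }

    $granted = 0; $createGpc = $false; $deleteGpc = $false; $denies = @(); $thisObjectOnly = @()
    foreach ($ace in $aces) {
        if ($ace.AccessControlType -eq 'Deny') { $denies += $ace; continue }
        if ($ace.InheritanceType -eq 'None') { $thisObjectOnly += $ace }   # step 4 wants "this object and all its children"
        $bits = [int]$ace.ActiveDirectoryRights
        # Only an ACE without an object type grants a right over all properties / all child classes
        if ($ace.ObjectType -eq [guid]::Empty) { $granted = $granted -bor $bits }
        # Create/Delete groupPolicyContainer: CreateChild/DeleteChild for that class or for any class
        if ($ace.ObjectType -eq $gpcGuid -or $ace.ObjectType -eq [guid]::Empty) {
            if (($bits -band [int]$R::CreateChild) -ne 0) { $createGpc = $true }
            if (($bits -band [int]$R::DeleteChild) -ne 0) { $deleteGpc = $true }
        }
    }
    $missing = @(foreach ($name in $required.Keys) {
        $need = [int]$required[$name]
        if (($granted -band $need) -ne $need) { $name }
    })
    if (-not $createGpc) { $missing += 'Create groupPolicyContainer' }
    if (-not $deleteGpc) { $missing += 'Delete groupPolicyContainer' }

    [pscustomobject]@{
        Container        = $dn
        Account          = $Account
        MissingRights    = $missing
        DenyAces         = $denies.Count
        NotInheritedAces = $thisObjectOnly.Count
        Compliant        = ($missing.Count -eq 0 -and $denies.Count -eq 0)
    }
}

# Usage with assumed placeholder names:
# Test-GpaRepositoryRights -Server dc1.untrusted.example -SqlServer SQL01 -Account gpountrusted -Credential (Get-Credential)
```

Comparing ACEs by SID rather than by translated account name avoids false "missing" results when the name cannot be resolved across the trust boundary, which is the normal situation for an untrusted domain.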