E.2 GP Explorer Requirements

The following table lists the various security requirements for using the GP Explorer Console.

| Task | Security Requirement |
|---|---|
| Launch console; View GPO | GPA uses the current user account to connect to the domain. To use another user account for the connection: 1. Save the console as an MMC file. 2. Right-click on the console file. 3. Click Run As. Every user account is a member of Authenticated Users by default. Therefore, GPA displays all GPOs that have Read permission set for the current user or authenticated user account. |
| Create GPO | User account must be a member of one of the following groups: Domain Administrators, Enterprise Administrators, Group Policy Creator Owners. |
| Delete GPO | User account must have Delete all child objects setting on the GPO. |
| Search GPO | Result of the search displays only those GPOs that have the Read permission set for the current user account. |
| Backup GPO | User account must have Read permissions on the GPOs and the LSDOU associated with the GPOs. |
| Restore GPO | User account must be a member of one of the following groups: Domain Administrators, Enterprise Administrators, Group Policy Creator Owners. |
| Link GPO to OU; Modify security filters | Domain Administrator and Enterprise Administrator accounts have permission to modify OU links and security filters. Other user accounts must have Delegated permission. To assign Delegated permission, use the Delegation of Control wizard in the Active Directory Users and Computers console. |
| Copy, paste, import GPO | User account must be a member of one of the following groups: Domain Administrators, Enterprise Administrators, Group Policy Creator Owners. |
| GPO report | User account must have Read permission to the GPOs. |
| Set indexing properties | User account must have Full Domain Control (6) in the domain. |
| GP Repository permissions | User account must have Full Domain Control in the domain. |
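
A pre-flight check for the group-gated rows of the table above, as an added PowerShell example that is not part of the GPA product or its documentation. It assumes the table's Domain Administrators, Enterprise Administrators and Group Policy Creator Owners are the well-known domain groups with RIDs 512, 519 and 520; the function name and the sample SIDs are constructed for illustration.

```powershell
# Added example, not vendor code. Assumption: the three groups named in the
# table are the well-known domain groups identified by these RIDs.
$GroupByRid = @{
    '512' = 'Domain Admins'
    '519' = 'Enterprise Admins'
    '520' = 'Group Policy Creator Owners'
}

function Get-GpExplorerGroupAccess {
    # Maps a token's group SIDs to the group-gated tasks from the table.
    param([Parameter(Mandatory)][string[]]$GroupSid)

    # Domain-relative SIDs have the form S-1-5-21-<domain id>-<RID>.
    $held = @($GroupSid |
        Where-Object { $_ -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$' -and $GroupByRid.ContainsKey($Matches[1]) } |
        ForEach-Object { $GroupByRid[($_ -split '-')[-1]] } |
        Sort-Object -Unique)

    # Any of the three groups satisfies Create, Restore and Copy/paste/import.
    $isCreator = $held.Count -gt 0
    # Only the two administrator groups may link GPOs or change security filters
    # without a delegation; Group Policy Creator Owners alone is not enough.
    $isAdmin = @($held -ne 'Group Policy Creator Owners').Count -gt 0

    [pscustomobject]@{
        Groups                    = $held -join ', '
        'Create GPO'              = $isCreator
        'Restore GPO'             = $isCreator
        'Copy, paste, import GPO' = $isCreator
        'Link / security filters' = if ($isAdmin) { 'Allowed' } else { 'Needs Delegated permission' }
    }
}

# Constructed sample token: Authenticated Users, Domain Users (513) and
# Group Policy Creator Owners (520) in a made-up domain.
$sample = 'S-1-5-11',
          'S-1-5-21-1111111111-2222222222-3333333333-513',
          'S-1-5-21-1111111111-2222222222-3333333333-520'
Get-GpExplorerGroupAccess -GroupSid $sample

# Live check for the account the console would connect as: run this in the same
# session, or under the same Run As account, that launches the console.
# WindowsIdentity.Groups lists only enabled groups, so a UAC-filtered token
# does not show its administrator groups until the session is elevated.
$live = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }
Get-GpExplorerGroupAccess -GroupSid $live
```

For the constructed sample the three create, restore and copy rows are True while the link row reports that a Delegated permission is still needed, which is the distinction the table draws between Group Policy Creator Owners and the two administrator groups.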