The following table lists the various security requirements for using the GP Repository Console.
|
Task |
Security Requirement |
|---|---|
|
Launch console |
SQL permissions: User account must have connect permissions to the Microsoft SQL Server Database containing the GP Repository. |
|
GP Repository Tasks |
|
|
Connect to Database |
SQL permissions: Current user must have SQL user account to connect to GP Repository |
|
Disconnect from Database |
None |
|
Compare GPOs |
None |
|
Generate Activity Report |
None |
|
Add the GP Repository User |
SQL permissions: User account must have Security Admin and Database Owner permissions to the Microsoft SQL Server Database containing the GP Repository. |
|
Add Remote User |
SQL permissions: Current user must have SQL privilege to create new SQL user |
|
New Domain |
Active Directory permissions: Must have permissions in Active Directory to create container |
|
Customize Deployment Options |
GP Repository permissions: Customize Deployment Options permission |
|
Domain Level Tasks |
|
|
Delete Domain |
GP Repository permissions: Delete Domain permission |
|
Compare GPOs |
None |
|
Create Category |
GP Repository permissions: Create Category permission |
|
Edit Domain Maps |
GP Repository permissions: Edit Domain Map permission |
|
Compare GPOs |
None |
|
Set indexing properties GP Repository permissions |
User account must have Full Domain Control (6) in the domain. User account must have Full Domain Control in the domain. |
|
Category Level Tasks |
|
|
Create Category |
GP Repository permissions: Create Category permission |
|
Delete Category |
GP Repository permissions: Delete Category permission |
|
Rename Category |
GP Repository permissions: Rename Category permission |
|
New GPO |
GP Repository permissions: Create GPO permission |
|
Paste as New GPO |
GP Repository permissions: Create GPO permission |
|
Paste GPO Category Link |
GP Repository permissions: Paste GPO Category Link permission |
|
Import GPO from Active Directory (GPO does not exist in GP Repository) |
GP Repository permissions:
|
|
Import GPO from Active Directory (GPO already exists in GP Repository) |
GP Repository permissions:
|
|
GPO Level Tasks |
|
|
Check Out |
GP Repository permissions: Check Out permission and one or more of the following:
|
|
Check In |
GP Repository permissions: Check Out permission |
|
Override Check Out |
GP Repository permissions: Override Check Out permission |
|
View History |
None |
|
Approve Version |
GP Repository permissions: Approve/Unapprove permission |
|
Undo Approve Version |
GP Repository permissions: Approve/Unapprove permission |
|
Send for Approval |
GP Repository permissions: Check Out GPO permission Modify GPO Settings permission |
|
Reject Version |
GP Repository permissions: Approve/Unapprove permission |
|
Compare Active Directory Version |
Active Directory permissions: Read permission on GPO in Active Directory |
|
Differentiate Active Directory Version |
Active Directory permissions: Read permission on GPO in Active Directory |
|
Rollback GPO Version |
GP Repository permissions: Rollback permission |
|
Export GPO to Active Directory (GPO does not exist in Active Directory or GPO already exists in Active Directory) |
The export override account must be a domain user and have the following permissions: Domain SYSVOL permissions: Full Control GP Repository permissions: Full Control Active Directory permissions: Full Control |
|
Synchronize GPO |
GP Repository permissions: Modify GPO permission |
|
Migrate to Category |
GP Repository permissions:
|
|
Migrate to GPO |
GP Repository permissions:
|
|
Delete GPO |
GP Repository permissions: Delete GPO permission in Repository Domain Property page |