The following table lists the various security requirements for using the GP Repository Console.

| Task | Security Requirement |
|---|---|
| Launch console | SQL permissions: User account must have connect permissions to the Microsoft SQL Server Database containing the GP Repository. |
| GP Repository Tasks | |
| Connect to Database | SQL permissions: Current user must have SQL user account to connect to GP Repository |
| Disconnect from Database | None |
| Compare GPOs | None |
| Generate Activity Report | None |
| Add the GP Repository User | SQL permissions: User account must have Security Admin and Database Owner permissions to the Microsoft SQL Server Database containing the GP Repository. |
| Add Remote User | SQL permissions: Current user must have SQL privilege to create new SQL user |
| New Domain | Active Directory permissions: Must have permissions in Active Directory to create container |
| Customize Deployment Options | GP Repository permissions: Customize Deployment Options permission |
| Domain Level Tasks | |
| Delete Domain | GP Repository permissions: Delete Domain permission |
| Compare GPOs | None |
| Create Category | GP Repository permissions: Create Category permission |
| Edit Domain Maps | GP Repository permissions: Edit Domain Map permission |
| Compare GPOs | None |
| Set indexing properties | GP Repository permissions: User account must have Full Domain Control (6) in the domain. |
| Category Level Tasks | |
| Create Category | GP Repository permissions: Create Category permission |
| Delete Category | GP Repository permissions: Delete Category permission |
| Rename Category | GP Repository permissions: Rename Category permission |
| New GPO | GP Repository permissions: Create GPO permission |
| Paste as New GPO | GP Repository permissions: Create GPO permission |
| Paste GPO Category Link | GP Repository permissions: Paste GPO Category Link permission |
| Import GPO from Active Directory (GPO does not exist in GP Repository) | GP Repository permissions: |
| Import GPO from Active Directory (GPO already exists in GP Repository) | GP Repository permissions: |
| GPO Level Tasks | |
| Check Out | GP Repository permissions: Check Out permission and one or more of the following: |
| Check In | GP Repository permissions: Check Out permission |
| Override Check Out | GP Repository permissions: Override Check Out permission |
| View History | None |
| Approve Version | GP Repository permissions: Approve/Unapprove permission |
| Undo Approve Version | GP Repository permissions: Approve/Unapprove permission |
| Send for Approval | GP Repository permissions: Check Out GPO permission, Modify GPO Settings permission |
| Reject Version | GP Repository permissions: Approve/Unapprove permission |
| Compare Active Directory Version | Active Directory permissions: Read permission on GPO in Active Directory |
| Differentiate Active Directory Version | Active Directory permissions: Read permission on GPO in Active Directory |
| Rollback GPO Version | GP Repository permissions: Rollback permission |
| Export GPO to Active Directory (GPO does not exist in Active Directory or GPO already exists in Active Directory) | The export override account must be a domain user and have the following permissions: Domain SYSVOL permissions: Full Control; GP Repository permissions: Full Control; Active Directory permissions: Full Control |
| Synchronize GPO | GP Repository permissions: Modify GPO permission |
| Migrate to Category | GP Repository permissions: |
| Migrate to GPO | GP Repository permissions: |
| Delete GPO | GP Repository permissions: Delete GPO permission in Repository Domain Property page |