GPA enables you to define who can use GPA, what tasks each user can perform, and what parts of your Active Directory environment users can modify, down to the GPO level. To accomplish this level of control, GPA uses a security model with two levels:
Authentication
Access control
Authentication establishes the first layer of security in the GPA user security model. Authentication confirms the identity of any user trying to connect to a GP Repository with a GPA Console. You must explicitly identify users to whom you want to provide access to the GP Repository. The GP Repository supports both Microsoft Windows and SQL Server authentication so users in both environments can connect and work with the GP Repository.
Microsoft Windows authentication enables GPA users to take advantage of a single logon. With single logon, users who are already logged on to the domain need not supply their user name and password again when starting the GPA Console or connecting to the GP Repository from the GPA Console. In addition, you can use Active Directory user and group accounts instead of creating and managing additional SQL Server accounts.
When you are managing GPOs in untrusted domains, you must connect to the GP Repository using SQL Server authentication. Since the GP Repository cannot validate the Microsoft Windows credentials of a GPA Console user in an untrusted domain, GPA must rely upon SQL Server credentials you have configured in the GP Repository. GPA uses these SQL Server credentials to establish a connection between a GPA Console in an untrusted domain and the GP Repository.
Your organization may configure its SQL Servers to use only Microsoft Windows authentication. You need to configure the SQL Server instance for the GP Repository to allow mixed mode authentication. Mixed mode authentication enables both Microsoft Windows and SQL Server authentication.
All GPA users, whether they connect to the GP Repository with Microsoft Windows or SQL Server authentication, must have Microsoft Windows credentials recognized as valid by the GP Repository. The GP Repository uses the Microsoft Windows credentials of the user in the untrusted domain to assign specific access control to the user in GPA. You use the Remote User Login wizard to add Microsoft Windows credentials for users from untrusted domains to the GP Repository. For more information about adding users from untrusted domains, see Setting Up Untrusted Domains.
The second layer in the GPA Security model is granting authenticated users specific permissions to perform the various tasks available in GPA. Authorizing users or groups to perform tasks in GPA is access control. Access control enables you to precisely define users who are able to perform particular tasks. Additionally, you can define access control for individual objects in the GP Repository, including domains, categories, and individual GPOs.
You define access control for users and groups by granting permissions for GPA tasks for every object in the GP Repository. By defining a specific set of permissions for GPA users, you can limit users to tasks appropriate for their job roles. For example, assign permissions to modify GPOs to users whose job is to define and maintain GPOs. Assign GPO approval permissions to users whose job is to approve changes to GPOs.