http://blogs.technet.com/b/mkleef/archive/2008/11/18/locking-down-agpm-fit-for-least-privilege.aspxA few customers have been emailing us. Essentially they want to be able to "lock down" AGPM as a central source of the GP truth and not allow it to have too much access...which is something I always advocate...if it doesnt need Domain Admin access thenen-USTelligent Evolution Platform Developer Build (Build: 5.6.50428.7875)http://blogs.technet.com/b/mkleef/archive/2008/11/18/locking-down-agpm-fit-for-least-privilege.aspx#3169750Tue, 16 Dec 2008 18:58:44 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3169750Ask the Directory Services Team<p>Mike here again. A customer recently asked how they should configure their Advanced Group Policy Management</p> <img src="http://blogs.technet.com/aggbug.aspx?PostID=3169750" width="1" height="1">http://blogs.technet.com/b/mkleef/archive/2008/11/18/locking-down-agpm-fit-for-least-privilege.aspx#3167610Fri, 12 Dec 2008 20:34:01 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3167610Group Policy Team Blog<p>I actually wrote this post awhile ago on my blog and forgot to cross post this to the GP blog. Bad me...though</p> <img src="http://blogs.technet.com/aggbug.aspx?PostID=3167610" width="1" height="1">http://blogs.technet.com/b/mkleef/archive/2008/11/18/locking-down-agpm-fit-for-least-privilege.aspx#3161344Fri, 28 Nov 2008 23:20:33 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3161344Michael Kleef [AppSense]<p>I have a caveat to this. These are the correct permissions to give it and everything works correctly though we have noticed a bug in deletion of a GPO that indicates in the progress UI the deletion failed when in fact it actually succeeds. We are investigating this bug. </p> <p>There are two workarounds:</p> <p>1. Revert back to using Domain Admins for the service account</p> <p>2. Ignore this error in this least privilege configuration</p> <p>I will report back if we find anything of further concern though we havent yet.</p> <div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3161344" width="1" height="1">http://blogs.technet.com/b/mkleef/archive/2008/11/18/locking-down-agpm-fit-for-least-privilege.aspx#3161195Fri, 28 Nov 2008 20:57:10 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3161195Nick Thompson<p>Hurrah.. we've been wondering what rights to give our Service Account.</p><div style="clear:both;"></div><img src="http://blogs.technet.com/aggbug.aspx?PostID=3161195" width="1" height="1">