M100718: Delegating policy editing rights in ManageSoft


This article describes how to delegate rights to edit ManageSoft policy information in Active Directory to members of a particular security group. For the purposes of this discussion, the security group to whom rights are being delegated is named MGS Policy Administrators; however any security group can be used as appropriate for your scenario. 
The description of this procedure assumes that you are familiar with standard Active Directory interfaces and processes regarding editing and managing security settings on Group Policy Objects.

Configuring rights to edit policies

After a policy has been created using whatever interface and rights you normally use to do that operation, rights to edit the policy can be delegated to the MGS Policy Administrators group by follow this procedure.

These steps will need to be done by somebody with rights to configure security settings on the policy; Domain Administrator rights are typically sufficient to do that, although exact details on the minimum rights required will depend on the configuration of your policy.

  1. View the properties of the group policy (using normal Active Directory Users and Computers or Group Policy Editor interfaces), select the Security tab, and add the MGS Policy Administrators group to the ACL for the policy:
  2. Click the Advanced button to edit advanced security settings for the policy.
  3. In the Advanced Security Settings dialog, select the MGS Policy Administrators permission entry group and click Edit and configure details for that entry as follows:
    1. Set Apply onto to This object and all child objects.
    2. Check every check box in the Permissions list except Full Control, Delete Subtree, All Extended Rights and Apply Group Policy.

    The Permission Entry dialog should open.

  4. In Active Directory Users and Computers, ensure that the Advanced Features menu option is selected (marked with a check) under the View menu so that the CN=System contain appears under your domain.
  5. Find the group policy to which you are delegating rights under the CN=Policies,CN=System container and check whether the CN=ManageSoft container exists under that policy.
  6. If the CN=ManageSoft structure already exists under the policy, grant full access rights to MGS Policy Administrators on the following containers under the CN=ManageSoft container:
    • CN=Packages,CN=Default,CN=Deployment Plans,CN=Machine
    • CN=Packages,CN=Default,CN=Deployment Plans,CN=User
    This step does not need to be performed if the CN=ManageSoft structure does not exist under the policy.

Configuring rights to maintain security groups for package and policy filtering

Depending on how you create and manage security groups used for filtering who policies and packages in policies apply to, you may want to consider delegating group management rights to the organizational unit used to hold these groups. By default this organizational unit is OU=Application Groups,OU=ManageSoft in the root of your domain.

This type of delegation can be achieved by a user who is able to delegate rights to the relevant organizational unit as follows:

  1. Check whether the OU=Application Groups,OU=ManageSoft organizational unit (or whatever container you are using to hold your filtering security groups) exists; if it does not, create it.
  2. Using Active Directory Users and Computers, right click on the organizational unit and select Delegate Control…
  3. Click Next to proceed past the Welcome page of the delegation wizard to advance to the Users or Groups page.
  4. Click Add..., select the MGS Policy Administrators group and click Next.
  5. On the Tasks to Delegate wizard page, Select Create, delete and manage groups and Modify the membership of a group. Click Next.
  6. Click Finish to close the wizard.


The success of the above configuration steps can be validated by executing the following steps while logged on as a user who is a member of the MGS Policy Administrators security group:
  1. Attempt to add and remove a package in the configured policy with and without security filtering in the package.
  2. Attempt to add, delete and change membership in groups in the OU=Application Groups,OU=ManageSoft organizational unit (or wherever the appropriate location is for your environment).

Known issues

ManageSoft versions prior to 7.5 are affected by a problem where package level security filtering settings on a package in policy can only be edited by the user who originally added the package to the policy if users without Domain Administrator rights are involved in editing policy.

For further technical details about the underlying cause of this issue, see Microsoft Knowledge Base Article 323749.

The ManageSoft versions 7.5 and later contain a workaround for this issue.


In a multi-domain configuration, you may want to allow users in one domain (DOMA) to edit policies in another domain (DOMB). In this scenario:
  1. Configure the DOMB\MGS Policy Administrators group and security settings as described above in domain B (the domain containing the policy).
  2. Ensure that DOMB trusts DOMA.
  3. Add appropriate user accounts from DOMA in to the DOMB\MGS Policy Administrators group.


Powered by Zendesk