This article describes how to delegate to non-administrative users the ability to add a package to policy.
Behavior Explanation: Allow Non-administrative users to add a Package to policy
When using the Group Policy Editor you might get an error like "Failed to put policy in policy store". Alternatively you might not be able to edit the group policy object at all.
Non-administrative users cannot assign packages to policy by default.
Example of creating a user that is able to add MGS packages to group policy
1. Log on to ManageSoft Warehouse as the domain administrator - "Administrator".
2. Create a user that will be used for the purpose of adding packages.
3. Create a Group called "MGS Packagers"
3. Make user from step 2 a member of the "MGS Administrators" and "MGS Distributors" groups.
4. Make user from step 2 a member of "MGS Packagers".
5. Make user from step 2 a member of "Group Policy Creator Owners". (this is an existing AD group)
6. Opened the "Default Domain Controllers Policy".
Opened Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Log on Locally
Added the <Domain Name>\MGS Packagers to this GPO setting.
NB: If this setting is currently configured as not defined, you must ensure that, in addition to adding <Domain Name>\MGS Packagers, you add ALL other users and groups to this setting. Failing to do this may make it impossible to log on to the machine at the console.
7. Create the OU structure that will serve as the location where packages will be added to policy.
Office
City
Dept.
8. By default the following groups have access to this GPO.
Account operators (<Domain>\Account operators): Blank
Administrators (<Domain>\Administrators): Read (from parent), Write (from parent), Create Child Objects (from parent)
Authenticated Users: Read
Domain Admins (<Domain>\Domain Admins): Full Control, Read, Write, Create All Child Objects, Delete All Child Objects
Enterprise Admins (<Domain>\Enterprise Admins): Full Control (from parent), Read (from parent), Write (from parent), Create All Child Objects (from parent), Delete All Child Objects (from parent)
Pre-Windows 2000 Compatible Access (VMWARE\Pre-Windows 2000 Compatible Access): Blank
Print Operators (VMWARE\Print Operators): Blank
SYSTEM: Full Control, Read, Write, Create All Child Objects, Delete All Child Objects
9. Delegated "MGS Packagers" group to the City.
Specifically right click on the OU "City" - "Delegate Control..."
Welcome to the Delegation of Control Wizard - Click Next.
Users or Groups - Select one or more users or groups to whom you want to delegate control.
Click Add... Select "MGS Packagers" click Next.
Tasks to Delegate - Select "Manage Group Policy links"
The wizard will then display "Completing the Delegation of Control Wizard" - Click Finish.
10. This will add the "MGS Packagers" to the "City" and "Dept" GPO.
11. Added the Welcome package to a GPO under "City". Also bootstrapped the client to install the MGS Managed device package.
12. I then distributed the package and schedule and policy files but did not update the database.
13. I then logged in as Administrator and ran the scheduled task "Merge ManageSoft policies"
This would run on a schedule over time to update the MGS database.
14. Loaded up the client and it bootstrapped and installed the package.
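One way to check the result of the delegation in step 9, as an added example that is not part of the original article: the "Manage Group Policy links" task grants write access to the gPLink and gPOptions attributes of the OU, so this script lists every allow entry on the "City" OU that can write them and marks anything other than "MGS Packagers" for review. It assumes the RSAT ActiveDirectory module is installed and that "City" sits directly under "Office" (the OU path is constructed from step 7 and may differ in your domain).

```powershell
# Added example: audit who can link GPOs to the delegated OU.
# Requires the RSAT ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

# Assumption: OU=City is nested under OU=Office, as suggested by step 7.
$ouDn     = "OU=City,OU=Office,$((Get-ADDomain).DistinguishedName)"
$expected = 'MGS Packagers'      # group delegated in step 9

# schemaIDGUIDs of the attributes behind "Manage Group Policy links".
$attrs = @{
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'gPLink'
    'f30e3bbf-9ff0-11d1-b603-0000f80367c1' = 'gPOptions'
}

# WriteProperty is also contained in GenericWrite and GenericAll,
# so one bit test catches the broader grants as well.
$writeBit = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$report = foreach ($ace in (Get-Acl -Path "AD:\$ouDn").Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.ActiveDirectoryRights -band $writeBit) -eq 0) { continue }

    # An empty ObjectType means the entry applies to all properties.
    $target = if ($ace.ObjectType -eq [guid]::Empty) { 'all properties' }
              else { $attrs[$ace.ObjectType.ToString()] }
    if (-not $target) { continue }   # write access to some other attribute

    [pscustomobject]@{
        Identity    = $ace.IdentityReference.Value
        Writes      = $target
        Rights      = $ace.ActiveDirectoryRights
        Inherited   = $ace.IsInherited
        # Non-empty when the entry only applies to one child object class.
        AppliesTo   = $ace.InheritedObjectType
        Review      = $ace.IdentityReference.Value -notlike "*\$expected"
    }
}

# Expected: two non-inherited rows for MGS Packagers (gPLink, gPOptions),
# plus the administrative groups listed in step 8.
$report | Sort-Object Review, Identity | Format-Table -AutoSize
```

Run the same check against the "Dept" OU to confirm the inherited entries described in step 10; there the MGS Packagers rows should show Inherited as True.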