Administrating DirectAccess without Domain Admin Privileges

So we had a requirement recently to reduce the number of Domain Admins in our Active Directory domain. One of the issues we came across was that users who aren’t members of Domain Admins couldn’t open the Remote Access Management console to administer our DirectAccess implementation. These users received the following error in the console:

[Screenshot: Error]

“Settings for server DC.contoso.com cannot be retrieved. You do not have permissions to access GPO\GPO Unique ID.”

The error refers to the user’s permissions (or lack of them!) on the DirectAccess Server Settings and Client Settings GPOs, which store and apply settings to the DirectAccess servers and clients. Fortunately there is a way to resolve this without granting the user Domain Admin privileges. This is ideal for administrators who want to give users the rights they need to administer their DirectAccess implementation, but not the rest of the Active Directory domain, so those users aren’t granted excessive privileges over the entire domain.

We can resolve this by assigning the necessary permissions to the user(s). If you have multiple users, I recommend creating an Active Directory security group for them and assigning the permissions to that group, instead of adding each user to the GPOs individually.

Open your Group Policy Management console and find your DirectAccess GPOs. These should be applied at the site level.

Select either the Client Settings or Server Settings GPO (either is fine, as you will need to do both anyway!), then go to the Delegation tab, click Advanced, then Advanced again. You should now be in the advanced/special permissions for one of your DirectAccess GPOs.

Select your Domain Admins group and click Edit. You should see that Domain Admins have pretty much all permissions (everything except Full Control, All extended rights and Apply group policy by default). We are looking to do the same thing for our security group/users.

Simply click Add, select a principal and find your user/security group. To get the same set of permissions as Domain Admins, tick Full Control (which selects every permission) and then untick it again; this leaves all the individual permissions ticked and saves you time. Then untick All extended rights and Apply group policy, as we don’t want the GPOs to apply to these users: the scope of your DirectAccess GPOs should be your DirectAccess servers and DirectAccess computers/clients, not users. When done, click OK until you are out of all the security windows.

[Screenshot: Permissions]

Now, in the Delegation tab on your GPO, you should see that your security group has the same permissions as the Domain Admins group (Edit settings, delete, modify security).

[Screenshot: Permissions 2]

Now repeat the above steps on your other GPO (Client Settings or Server Settings, depending on which you did first).
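The same delegation can be scripted instead of clicked through twice. This is an added example, not from the original post, using the Set-GPPermission and Get-GPPermission cmdlets from the GroupPolicy module; the group name DirectAccess-Admins is an assumption, and the GPO names are the defaults DirectAccess creates, so adjust both to match your environment.

```powershell
# Added example (not from the original post): delegate the DirectAccess GPOs
# to a security group from PowerShell. Requires the GroupPolicy module
# (RSAT, or run on a domain controller) and an account that can already
# modify these GPOs.
Import-Module GroupPolicy

$group = 'DirectAccess-Admins'   # assumed: the AD security group for your DA admins
$gpos  = @(
    'DirectAccess Client Settings',  # default names created by DirectAccess;
    'DirectAccess Server Settings'   # change if your GPOs are named differently
)

foreach ($name in $gpos) {
    # GpoEditDeleteModifySecurity is the "Edit settings, delete, modify security"
    # level shown on the Delegation tab, i.e. what Domain Admins have.
    # It does NOT include Apply group policy, so the GPO will not apply to
    # the admins themselves (the GPO scope should stay servers/clients only).
    Set-GPPermission -Name $name -TargetName $group -TargetType Group `
        -PermissionLevel GpoEditDeleteModifySecurity | Out-Null

    # Read the delegation back so you can confirm what was actually granted
    # on each GPO before asking the admins to sign out and back in.
    Get-GPPermission -Name $name -TargetName $group -TargetType Group |
        Select-Object @{ n = 'GPO'; e = { $name } }, Trustee, Permission
}
```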

Then ask your DirectAccess admins to sign out of and back into the DirectAccess server(s), then open the Remote Access Management console. They should see something like this!

[Screenshot: Console]

Success!

Hope that helps 🙂
