I am just going through an AGPM (Advanced Group Policy Management) installation, where I had to choose an account for the AGPM Service: either the Local System account or a domain user account. Instead of just clicking Next, Next…, I looked for guidance and found some in the Ask the Directory Services Team blog article AGPM Least Privilege Scenario. Also worth reading: Locking down AGPM fit for least privilege.
Never heard of AGPM before? Then watch this 4-5 minute Tour on Advanced Group Policy Management. And finally, here is a video by Kurt Roggen showing how to install the AGPM Server.
With regard to AGPM least privilege… I think one thing missed is least privilege on the desktop where the user is functioning. As a Group Policy MVP, I fully understand your point here and the point of the article by Kleef. However, if the user on the desktop can be running as a standard user but still run AGPM, that is ideal! BeyondTrust PowerBroker Desktops provides this solution: http://www.beyondtrust.com. With this solution, you can make any user, IT or not, a standard user and just elevate the processes they need to run.
Derek Melber, MVP