default permissions on GPO

Glenn M

How do you set up the AD so that you have a different default set of
permissions for new GPOs, rather than having to edit the permissions
on the GPOs manually?

Is this process the same for the GP Template portion, or does that
involve something different?
 
I don't think you can change the default Permissions. The design is to have
all objects receive the GPOs. Filtering is not something that Microsoft or
anyone else desires... it is only there for when you can't work around a
design issue of your OUs.
 
Glenn-
You would have to change the defaultSecurityDescriptor attribute on the
GroupPolicyContainer schema class, as far as I know, to do this. And, if you
did that, I'm not sure if that would be properly reflected in the GPT as I
haven't tested it. Presumably when the GP Editor creates a new GPO, it uses
that defaultSecurityDescriptor to drive both permissioning of the GPC and
GPT, but you'd need to test.

Darren
 
Glenn-
I went ahead and tested this and it worked as expected. I added a group I
created called GPO Admins with Full Control Access to the
defaultSecurityDescriptor attribute on the GPC class in the schema and any
new GPOs that I create have that group permissioned to them in both AD and
SYSVOL. So it looks like it works if you don't mind changing schema stuff.
:-)

Darren
 
Darren,

Nice work! What do you think would be the other ramifications to this? Any?
 
I don't think there are too many ramifications. I've heard of other
instances where people change the defaultSecurityDescriptor. I mostly wasn't
sure if the changes would carry into the GPT, but they appear to. The main
challenge is deciphering SDDL, which is how ACEs are represented in that
attribute. Not exactly "friendly" syntax :-)

Darren
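
For the SDDL deciphering mentioned in the last reply, here is an added example (not code from anyone in the thread) that decodes the DACL of a defaultSecurityDescriptor-style string and lists trustees outside an expected baseline that would get write-level rights on every new GPO. The sample string, the trailing SID, the baseline set and the function names are assumptions made for illustration.

```python
import re

# SDDL two-letter codes for directory-object access rights.
RIGHTS = {"RP": "ReadProperty", "WP": "WriteProperty", "CC": "CreateChild",
          "DC": "DeleteChild", "LC": "ListChildren", "LO": "ListObject",
          "SW": "SelfWrite", "DT": "DeleteTree", "CR": "ControlAccess",
          "RC": "ReadControl", "WD": "WriteDacl", "WO": "WriteOwner",
          "SD": "Delete", "GA": "GenericAll", "GR": "GenericRead",
          "GW": "GenericWrite", "GX": "GenericExecute"}
# Rights that let a trustee change a GPO or its ACL.
WRITE_LEVEL = {"WriteProperty", "CreateChild", "DeleteChild", "DeleteTree",
               "WriteDacl", "WriteOwner", "Delete", "GenericAll", "GenericWrite"}
ACE_TYPES = {"A": "Allow", "D": "Deny", "OA": "Allow", "OD": "Deny"}
SID_ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins",
               "SY": "Local System", "CO": "Creator Owner",
               "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}
# Extended right that object ACEs on GPOs reference by GUID.
OBJECT_GUIDS = {"edacfd8f-ffb3-11d1-b41d-00a0c968f939": "Apply Group Policy"}

def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts (conditional ACEs are not handled)."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2) if m else ""):
        kind, _flags, rights, obj, _inherit_obj, trustee = body.split(";")[:6]
        names = ([rights] if rights.startswith("0x")  # raw mask: left undecoded
                 else [RIGHTS.get(c, c) for c in re.findall("..", rights)])
        aces.append({"type": ACE_TYPES.get(kind, kind), "rights": names,
                     "object": OBJECT_GUIDS.get(obj.lower(), obj),
                     "trustee": SID_ALIASES.get(trustee, trustee)})
    return aces

def unexpected_writers(sddl, expected):
    """Trustees outside `expected` with write-level rights or an undecoded mask."""
    return sorted({a["trustee"] for a in parse_dacl(sddl)
                   if a["type"] == "Allow" and a["trustee"] not in expected
                   and any(r in WRITE_LEVEL or r.startswith("0x") for r in a["rights"])})

# Constructed sample, not a real domain's value; the trailing SID stands in
# for a custom group such as the "GPO Admins" group from the thread.
SAMPLE = ("D:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPLCLORC;;;AU)"
          "(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
          "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-1111111111-2222222222-3333333333-1105)")
BASELINE = {"Domain Admins", "Enterprise Admins", "Local System", "Creator Owner"}

if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE):
        print(ace["type"], ace["trustee"], ace["rights"], ace["object"])
    print("Review:", unexpected_writers(SAMPLE, BASELINE))
```

Because the schema attribute applies to every GPO created afterwards, running a check like this against the value before and after a change shows exactly which trustee gained rights.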
 