[gptalk] Re: GPO Permissions

  • From: "Jakob H. Heidelberg" <jakob@xxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 1 Feb 2008 14:25:03 +0100

Well, you are mentioning the important ones. There's a minor difference
between 2000 and 2003/2008 permission requirements.

You should take a deeper look at the defaultSecurityDescriptor entry, KB
321476 - this entry handles permissions on newly created GPOs - so it's
"knows" what's neede :)


Have fun!
/Jakob H. Heidelberg

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Neil Berry
Sent: 1. februar 2008 11:30
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO Permissions

Hi all,

I wonder if anyone could help me with this.  I am trying to reduce 
access to the GPOs in a specific environment and want to trim the 
permissions to a minimum without breaking anything !

I was intending to reduce permissions to the following

Authenticated Users : Read
Domain Admins: Full control
Enterprise Admins: Full Control
Group Policy Creator: Edit, delete, modify

But it looks like the following might be required ?

System : Full control
Enterprise Domain controllers: read

Are there any other specific permission requirements that anyone knows 
about for particular policies ?

Thanks for any thoughts.
Neil



***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************

***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: