[gptalk] Re: Reading apply permissions

Well, you won't see a Apply GP permission on the registry.pol file because
that permission is specific to AD and registry.pol is in the file system.
GPMC comes with a bunch of scripts and you can use the DumpGPOInfo.wsf
script to view the perms. On a given GPO or you can craft your own script to
do if you're comfortable with scripting.

Darren 

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Maugris Beauchamps
Sent: Friday, February 16, 2007 3:24 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Reading apply permissions

When I look at the permissions of registry.pol using xcacls, it says a
particular group has read permissions, and indeed they do, but the
group also has Apply Group Policy permissions, which does not show up
in the file's acl at all.

When I look using GPMC, the group has the permissions listed as "Read
(from security filtering"

In the Delegation tab, they show as having Read and Apply.

Is there a command line utility or script that can show the applied
permissions to GPOs?

I would find this useful, because I have policies that apply
generally, but from some specific users, or some specific sub-groups,
I deny the apply permissions to exempt them from the policy's
application.  It would be nice to ensure that all is well before let
the policies go to work.

Thanks,
--MB
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************

***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: