[gptalk] Re: Vista Central Store permissions

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 6 Jul 2007 07:25:46 -0700

Jason-
I think this is a reasonable approach. I haven't yet done any testing with
what happens if certain user groups can't read the Central Store when they
fire up GP Editor or GPMC, but it sounds like you will have the bases
covered with your environment so I can't see this as an issue.

Darren

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason B. Halladay
Sent: Friday, July 06, 2007 6:16 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Vista Central Store permissions

We're considering implementing the Vista Central Store for ADMX files in 
our environment. We have a very distributed OU administration 
environment where the domain administrators grant administration rights 
to OU administrators and don't get involved much otherwise save for a 
few institutional top-level GPOs.  OU administrator accounts are members 
of the Group Policy Creator Owners group so that they can create their 
own GPOs for their OU. (This is the major reason the central store is 
appealing---there are hundreds of GPOs in our environment that do the 
same thing but are created separately for each OU leading to some sysvol 
bloat.) 
For security reasons I'm thinking it would be good to only grant 
read/execute rights on the central store PolicyDefinitions folder to the 
Group Policy Creator Owners group. I realize this would mean only domain 
administrators would be able to add/remove ADMX templates to this folder 
but I don't see that being something we'll need to do very often.

Anyone have a different take or opinion on this? I'd appreciate it.
Thanks,
Jason

***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************
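
Added example, not from either poster: a PowerShell check of the arrangement Jason describes, listing any Allow ACE on the Central Store folder that grants write, delete or permission-change rights to a principal outside an expected list. The SYSVOL path is the standard Central Store location; the parameter names and the expected-writer list are assumptions to adjust for your domain.

```powershell
param(
    # Assumption: DNS name of the domain whose SYSVOL holds the Central Store.
    [string]$Domain = $env:USERDNSDOMAIN,
    # Assumption: principals expected to hold write access (domain administrators only, per the post).
    [string[]]$ExpectedWriters = @(
        'BUILTIN\Administrators',
        'NT AUTHORITY\SYSTEM',
        'CREATOR OWNER',
        "$env:USERDOMAIN\Domain Admins",
        "$env:USERDOMAIN\Enterprise Admins"
    )
)

$path = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# Specific rights that allow adding, changing or removing ADMX/ADML files, or changing the ACL.
$fs = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fs::WriteData -bor $fs::AppendData -bor $fs::WriteAttributes -bor
    $fs::WriteExtendedAttributes -bor $fs::Delete -bor $fs::DeleteSubdirectoriesAndFiles -bor
    $fs::ChangePermissions -bor $fs::TakeOwnership)

# Generic bits that Get-Acl reports as raw numbers: GENERIC_WRITE and GENERIC_ALL.
$genericMask = 0x40000000 -bor 0x10000000

# Keep Allow ACEs that carry any write-capable bit for a principal not on the expected list.
# Group Policy Creator Owners should not appear here if it holds read/execute only.
$findings = (Get-Acl -Path $path).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band ($writeMask -bor $genericMask)) -ne 0) -and
    ($ExpectedWriters -notcontains $_.IdentityReference.Value)
}

if ($findings) {
    $findings |
        Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags |
        Format-Table -AutoSize
    Write-Warning "Unexpected write access on $path"
} else {
    Write-Output "Only the expected principals can modify $path"
}
```

The check reads the folder's own ACL only; inherited ACEs are included in the output with `IsInherited` set, so an entry flowing down from the Policies folder is visible as such.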
