[gptalk] Re: Vista Central Store permissions

  • From: "Jason B. Halladay" <jason@xxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Wed, 11 Jul 2007 15:58:43 -0600

As a follow-up to this, modifying the permissions on the PolicyDefinitions folder in sysvol to give Group Policy Creator Owners read/exec access to the directory (removed "write") works well and achieves the results we're after. Thanks for the input!

Jason

Jason B. Halladay wrote, on 7/6/2007 9:42 AM:
Darren,
Thanks for your input. I'll be trying this approach out in our development environment here shortly. If I run into "oddness" I'll reply again to this list.
Take care,
Jason

Darren Mar-Elia wrote, on 7/6/2007 8:25 AM:
Jason-
I think this is a reasonable approach. I haven't yet done any testing with what happens if certain user groups can't read the Central Store when they
fire up GP Editor or GPMC, but it sounds like you will have the bases
covered with your environment so I can't see this as an issue.

Darren

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Jason B. Halladay
Sent: Friday, July 06, 2007 6:16 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Vista Central Store permissions

We're considering implementing the Vista Central Store for ADMX files in our environment. We have a very distributed OU administration environment where the domain administrators grant administration rights to OU administrators and don't get involved much otherwise save for a few institutional top-level GPOs. OU administrator accounts are members of the Group Policy Creator Owners group so that they can create their own GPOs for their OU. (This is the major reason the central store is appealing---there are hundreds of GPOs in our environment that do the same thing but are created separately for each OU leading to some sysvol bloat.) For security reasons I'm thinking it would be good to only grant read/execute rights on the central store PolicyDefinitions folder to the Group Policy Creator Owners group. I realize this would mean only domain administrators would be able to add/remove ADMX templates to this folder but I don't see that being something we'll need to do very often.

Anyone have a different take or opinion on this? I'd appreciate it.
Thanks,
Jason

***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at //www.freelists.org/archives/gptalk/
************************
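One way to audit and apply the change Jason describes, as an added PowerShell example that is not part of the thread. It assumes the Central Store exists at the standard SYSVOL path, that the script runs as a domain administrator on a domain-joined machine, and that the current machine's domain is the one being checked; without -Apply it only reports.

```powershell
# Added example, not code from the thread: report whether "Group Policy Creator
# Owners" can write to the Central Store and, with -Apply, cut the group down to
# Read & Execute on that folder. Assumptions: standard SYSVOL path, run as a
# domain admin, current machine's domain.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumption: FQDN of the domain to check
    [switch]$Apply                           # report only unless -Apply is given
)

$store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$gpco  = [System.Security.Principal.NTAccount]"$env:USERDOMAIN\Group Policy Creator Owners"
# Any of these bits lets the group add, replace or delete ADMX/ADML files.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

$acl   = Get-Acl -Path $store
$rules = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $gpco.Value -and $_.AccessControlType -eq 'Allow' })
$tooBroad = @($rules | Where-Object { ($_.FileSystemRights -band $writeMask) -ne 0 })

foreach ($r in $rules) {
    "{0}  inherited={1}  rights={2}" -f $r.IdentityReference, $r.IsInherited, $r.FileSystemRights
}
if ($tooBroad.Count -eq 0) { "OK: $gpco has no write rights on $store"; return }
"FINDING: $gpco can modify $store"
if (-not $Apply) { return }

# The broad rights normally arrive by inheritance from \Policies, so first stop
# inheriting (keeping copies of the existing ACEs) and persist that, then reload
# so the copied ACEs are explicit and can be removed.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $store -AclObject $acl
$acl = Get-Acl -Path $store
[void]$acl.PurgeAccessRules($gpco)       # drop every ACE for the group

$readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $gpco, 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($readOnly)
Set-Acl -Path $store -AclObject $acl
"Applied: $gpco now has Read & Execute on $store and its contents"
```

Run it without -Apply first and keep the printed ACEs as the before-state, since disabling inheritance on the folder is the step that is awkward to undo.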

