As a follow-up to this, modifying the permissions on the PolicyDefinitions folder in sysvol to give Group Policy Creator Owners read/exec access to the directory (removed "write") works well and achieves the results we're after. Thanks for the input!
Jason

Jason B. Halladay wrote, on 7/6/2007 9:42 AM:

Darren,

Thanks for your input. I'll be trying this approach out in our development environment here shortly. If I run into "oddness" I'll reply again to this list.

Take care,
Jason

Darren Mar-Elia wrote, on 7/6/2007 8:25 AM:

Jason-

I think this is a reasonable approach. I haven't yet done any testing with what happens if certain user groups can't read the Central Store when they fire up GP Editor or GPMC, but it sounds like you will have the bases covered with your environment so I can't see this as an issue.

Darren

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jason B. Halladay
Sent: Friday, July 06, 2007 6:16 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Vista Central Store permissions

We're considering implementing the Vista Central Store for ADMX files in our environment. We have a very distributed OU administration environment where the domain administrators grant administration rights to OU administrators and don't get involved much otherwise save for a few institutional top-level GPOs. OU administrator accounts are members of the Group Policy Creator Owners group so that they can create their own GPOs for their OU. (This is the major reason the central store is appealing---there are hundreds of GPOs in our environment that do the same thing but are created separately for each OU leading to some sysvol bloat.)

For security reasons I'm thinking it would be good to only grant read/execute rights on the central store PolicyDefinitions folder to the Group Policy Creator Owners group. I realize this would mean only domain administrators would be able to add/remove ADMX templates to this folder but I don't see that being something we'll need to do very often.

Anyone have a different take or opinion on this? I'd appreciate it.

Thanks,
Jason

*********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************
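As an added example (not from the thread or from either poster), this is one way to apply and then verify the change Jason describes: Group Policy Creator Owners keeps Read & Execute on the Central Store but loses write. It assumes the standard Central Store path under SYSVOL, the group's NetBIOS name as shown, and that it is run as a domain administrator.

```powershell
# Added example, not from the gptalk thread. Assumes the default Central Store
# path and that the session runs with rights to change SYSVOL permissions.
$domain = $env:USERDNSDOMAIN
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$group  = "$($env:USERDOMAIN)\Group Policy Creator Owners"

$acl = Get-Acl -Path $store

# The group usually inherits Modify from the parent Policies folder, and an
# inherited ACE cannot be removed in place. Break inheritance but copy the
# inherited ACEs as explicit ones, so the read access other principals
# (e.g. Authenticated Users) need for GPMC/GP Editor is preserved.
$acl.SetAccessRuleProtection($true, $true)

$readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Drop every Allow ACE the group currently holds, then grant Read & Execute only.
[void]$acl.RemoveAccessRuleAll($readOnly)
$acl.AddAccessRule($readOnly)
Set-Acl -Path $store -AclObject $acl

# Verify: no remaining Allow ACE for the group may carry write-type rights.
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

(Get-Acl -Path $store).Access |
    Where-Object { $_.IdentityReference.Value -eq $group -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        if (($_.FileSystemRights -band $writeBits) -ne 0) {
            Write-Warning "$group still has write-type rights on ${store}: $($_.FileSystemRights)"
        } else {
            Write-Output "$group is limited to: $($_.FileSystemRights)"
        }
    }
```

Run the verification part alone on each domain controller after SYSVOL replication to confirm the ACL propagated, and re-check after the next time a domain administrator adds ADMX templates to the folder.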