[gptalk] Re: Pre-defining default ACL on newly created GPOs

  • From: Auld Colin <colin.auld@xxxxxxxxxxxxxxxxxx>
  • To: "'gptalk@xxxxxxxxxxxxx'" <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 10 Jan 2007 13:07:16 -0000

Bart, thanks for the reply -
I've tried this, but there is no option on the Group Policy Objects
container which allows the setting of the AC (as far as I can see)..
I've dug a bit further and it looks like it might be possible by modifying
the domain level ACL (via the GPMC) - it looks as though I might have to
explicitly allow the Read gPOtion and Write gPOtion properties via the
advanced tab.  This seems a wee bit detailed  - does anyone know if there is
a less detailed way of doing this?


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of bart.schillebeeks@xxxxxxxxxx
Sent: 10 January 2007 12:51
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Pre-defining default ACL on newly created GPOs

Hi colin, 
I beleive you set the default editign permissions on
Group policy objects container (ou) in GPMC
Tab Delegation.
You have to do this for each domain. if this doesn't work you should use an
overall AD delegation object higher in the root. 

Vriendelijke groeten,
Kind Regards, 
Schillebeeks Bart
Active Directory Security Consultant
Small and Departmental Systems - NT Systems Fortis Bank
AD Internet Consulting BVBA

Any views expressed in this message are those of the individual sender,
except where the message states otherwise and the sender is authorised to
state them to be the views of any such entity.This Message is in no way
legally binding and has to be viewed as a personal opinion of the sender.
This message reflects in no way the views of FORTIS BANK and its associates
and AD internet Consulting BVBA and its associates. Unless otherwise stated,
any pricing information given in this message is indicative only, is subject
to change and does not constitute an offer to deal at any price quoted. Any
reference to the terms of executed transactions should be treated as
preliminary only and subject to our formal written confirmation.

AD Internet Consulting BVBA, Hezemeer 7, 2430 Eindhout-Laakdal ON:0470419019
www.adinternet.com mailto:Sales@xxxxxxxxxxxxxx <mailto:Sales@xxxxxxxxxxxxxx>



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Auld Colin
Sent: Wednesday, January 10, 2007 1:43 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Pre-defining default ACL on newly created GPOs


Does anyone know if it is possible to set the default ACL which is applied
to newly created GPOs.  Ideally, I'd like to be able to specify a "GPO
Modifier" group with "modify" access to each GPO as it is created,



|* This e-mail, and any attachments, is confidential and for the use of the
addressee only.

|* If you are not the intended recipient, please telephone +44 (0) 1506


|* We do not accept legal responsibility for this e-mail or any viruses.


|* All e-mails sent and received by us are monitored.


|* Contracts cannot be concluded with us by e-mail.


|* This message has been sent from a member of the British Energy Group (the


|* The parent company of the Group is British Energy Group plc, registered
number 270184, and having its registered office at

|* Systems House, Alba Campus, Livingston EH54 7EG


Other related posts: