Right, if you're adding a new sec. descriptor, you're not interested in overwriting one of the existing ones. This article does a pretty good job of explaining how to form SDDL strings. It is not trivial, but do-able. What I do suggest is to copy and paste the existing string into a text file somewhere before you make your change, just so you have a backup of it. If you have problems with it, post what you're using here and we can help. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Auld Colin Sent: Wednesday, January 10, 2007 9:33 AM To: 'gptalk@xxxxxxxxxxxxx' Subject: [gptalk] Re: Pre-defining default ACL on newly created GPOs Bart - See the link Darren supplied earlier. This suggests you can remove / add groups by modifying the default security descriptor of the Group Policy Container schema object. Darren - This is an extract from the document: To modify the DefaultSecurityDescriptor attribute for the Group Policy Container classSchema object: 1. Log on to the forest schema master domain controller with an account that is a member of the Schema Administrators group. 2. Start Mmc.exe, and then add the Schema snap-in. 3. Right-click Active Directory Schema, and then click Operations Master. 4. Click The Schema may be modified on this domain controller, and then click OK. 5. Use ADSI Editor to open the schema-naming context, and then locate the CN=Group-Policy-Container object with the classSchema type. 6. View the properties of the object, and then find the defaultSecurityDescriptor attribute. 7. Paste the following string into the value to remove write permissions for domain administrators so that only enterprise administrators would have write permissions: D:P(A;CI;RPLCLOLORC;;;DA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;EA)(A;CI;RPWPCCD CLCLOLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC; ;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU) To give an additional group write permissions, append the following text to the end of the previous text: (A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;Group_SID) Note that Group_SID is the SID of the group to which you are granting permissions. Note For Windows Server 2003, paste the follow string in the defaultSecurityDescriptor attribute: D:P(A;CI;RPLCLOLORC;;;DA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;EA)(A;CI;RPWPCCD CLCLOLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC; ;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED) My question is this - I want to append a group to the existing ACL (i.e. I don't want to remove Domain Admins or any group already on the ACL). So I shouldn't carry out step 7 above - right? If that is the case, how do I add just the required group... I'll have a look at the SDDL stuff tonight, but I can't say I'm looking forwards to it :) Thanks for your help Colin ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [ <mailto:gptalk-bounce@xxxxxxxxxxxxx> mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of bart.schillebeeks@xxxxxxxxxx Sent: 10 January 2007 16:09 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Pre-defining default ACL on newly created GPOs Hi darren, Colin, I have actually kinda the same problem myself but it's not on the default permissions of the gpo. We are having problems here because security has populated the domain local "administrators" group with a lot of level 2 helpdesk memebers. This gives them access on all servers as administrator (their job) However they now can also link/create and unlink the existing gpo's in AD this is set on the root of the AD for administrators "full control" but when i want to give a deny access on the specific "gpolinking" right he wants to split out the entire full control into seperate permissions. If we do that other functions of AD don't work correctly anymore. Any way to remove linking and creation permissions for all except "enterpise admins" ? Vriendelijke groeten, Cordialement, Kind Regards, Schillebeeks Bart Active Directory Security Consultant Small and Departmental Systems - NT Systems Fortis Bank Bart.schillebeeks@xxxxxxxxxxxxxx AD Internet Consulting BVBA Disclaimer: Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity.This Message is in no way legally binding and has to be viewed as a personal opinion of the sender. This message reflects in no way the views of FORTIS BANK and its associates and AD internet Consulting BVBA and its associates. Unless otherwise stated, any pricing information given in this message is indicative only, is subject to change and does not constitute an offer to deal at any price quoted. Any reference to the terms of executed transactions should be treated as preliminary only and subject to our formal written confirmation. AD Internet Consulting BVBA, Hezemeer 7, 2430 Eindhout-Laakdal ON:0470419019 www.adinternet.com <mailto:Sales@xxxxxxxxxxxxxx> mailto:Sales@xxxxxxxxxxxxxx ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [ <mailto:gptalk-bounce@xxxxxxxxxxxxx> mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Wednesday, January 10, 2007 3:40 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Pre-defining default ACL on newly created GPOs Colin- The only way to do this actually is to modify the defaultSecurityDescriptor attribute on the gpcContainer class object in the AD schema (this is a mod to the instance of a schema in your domain, not a change to the schema itself). It requires being familiar with SDDL, but otherwise its pretty straightforward. You might want to check out this KB and then let us know if you have questions: <http://support.microsoft.com/default.aspx?scid=kb;en-us;321476> http://support.microsoft.com/default.aspx?scid=kb;en-us;321476 Darren From: gptalk-bounce@xxxxxxxxxxxxx [ <mailto:gptalk-bounce@xxxxxxxxxxxxx> mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Auld Colin Sent: Wednesday, January 10, 2007 5:07 AM To: 'gptalk@xxxxxxxxxxxxx' Subject: [gptalk] Re: Pre-defining default ACL on newly created GPOs Bart, thanks for the reply - I've tried this, but there is no option on the Group Policy Objects container which allows the setting of the AC (as far as I can see).. I've dug a bit further and it looks like it might be possible by modifying the domain level ACL (via the GPMC) - it looks as though I might have to explicitly allow the Read gPOtion and Write gPOtion properties via the advanced tab. This seems a wee bit detailed - does anyone know if there is a less detailed way of doing this? ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [ <mailto:gptalk-bounce@xxxxxxxxxxxxx> mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of bart.schillebeeks@xxxxxxxxxx Sent: 10 January 2007 12:51 To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Pre-defining default ACL on newly created GPOs Hi colin, I beleive you set the default editign permissions on Group policy objects container (ou) in GPMC Tab Delegation. You have to do this for each domain. if this doesn't work you should use an overall AD delegation object higher in the root. Vriendelijke groeten, Cordialement, Kind Regards, Schillebeeks Bart Active Directory Security Consultant Small and Departmental Systems - NT Systems Fortis Bank Bart.schillebeeks@xxxxxxxxxxxxxx AD Internet Consulting BVBA Disclaimer: Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of any such entity.This Message is in no way legally binding and has to be viewed as a personal opinion of the sender. This message reflects in no way the views of FORTIS BANK and its associates and AD internet Consulting BVBA and its associates. Unless otherwise stated, any pricing information given in this message is indicative only, is subject to change and does not constitute an offer to deal at any price quoted. Any reference to the terms of executed transactions should be treated as preliminary only and subject to our formal written confirmation. AD Internet Consulting BVBA, Hezemeer 7, 2430 Eindhout-Laakdal ON:0470419019 www.adinternet.com <mailto:Sales@xxxxxxxxxxxxxx> mailto:Sales@xxxxxxxxxxxxxx ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [ <mailto:gptalk-bounce@xxxxxxxxxxxxx> mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Auld Colin Sent: Wednesday, January 10, 2007 1:43 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Pre-defining default ACL on newly created GPOs Hi, Does anyone know if it is possible to set the default ACL which is applied to newly created GPOs. Ideally, I'd like to be able to specify a "GPO Modifier" group with "modify" access to each GPO as it is created, automatically. TIA Colin |* This e-mail, and any attachments, is confidential and for the use of the addressee only. |* If you are not the intended recipient, please telephone +44 (0) 1506 408700 |* We do not accept legal responsibility for this e-mail or any viruses. |* All e-mails sent and received by us are monitored. |* Contracts cannot be concluded with us by e-mail. |* This message has been sent from a member of the British Energy Group (the "Group"). |* The parent company of the Group is British Energy Group plc, registered number 270184, and having its registered office at |* Systems House, Alba Campus, Livingston EH54 7EG