[gptalk] Re: Pre-defining default ACL on newly created GPOs

  • From: <bart.schillebeeks@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 11 Jan 2007 17:27:14 +0100

Hi Darren,

We have no explicit allows for administrators on lower-level OUs, only
full control in the root, which is inherited down.

So I presume that when I explicitly "DENY" gplink, gpcreate in the root for
administrators as well (inherited), the inherited "deny" will
override the standard inherited "allow" on each lower-level OU?
Or is there still a conflict between two inherited rights?

Thanks for your great expertise by the way, and best wishes for 2007
;-)
 

Vriendelijke groeten,
Cordialement,
Kind Regards, 
Schillebeeks Bart
Active Directory Security Consultant
Small and Departmental Systems - NT Systems Fortis Bank
Bart.schillebeeks@xxxxxxxxxxxxxx
AD Internet Consulting BVBA

Disclaimer:
Any views expressed in this message are those of the individual sender,
except where the message states otherwise and the sender is authorised
to state them to be the views of any such entity.This Message is in no
way legally binding and has to be viewed as a personal opinion of the
sender. This message reflects in no way the views of FORTIS BANK and its
associates and AD internet Consulting BVBA and its associates. Unless
otherwise stated, any pricing information given in this message is
indicative only, is subject to change and does not constitute an offer
to deal at any price quoted. Any reference to the terms of executed
transactions should be treated as preliminary only and subject to our
formal written confirmation.

AD Internet Consulting BVBA, Hezemeer 7, 2430 Eindhout-Laakdal
ON:0470419019 www.adinternet.com mailto:Sales@xxxxxxxxxxxxxx
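The question above (inherited deny versus inherited allow) and Darren's point further down (an explicit allow on an OU beats a deny inherited from the domain) both come down to DACL evaluation order. Windows reads a canonical DACL as explicit deny, explicit allow, then inherited ACEs, with deny before allow among the ACEs inherited from the same object; the first ACE that matches the principal for the requested right decides. So a deny and an allow both inherited from the root are not in conflict (the deny is evaluated first), while an allow set directly on an OU wins over an inherited deny. The script below is an added example, not part of the thread: it lists every ACE on the domain head and each OU that can grant or deny write access to gPLink or gPOptions, ranked in that evaluation order. It looks up the two attributes' schemaIDGUIDs instead of hard-coding them. It groups all inherited denies before all inherited allows without distinguishing which ancestor they came from, which is a simplification of the real order.

```powershell
# Added example, not from the thread. Lists every ACE on the domain head and
# each OU that can grant or deny writing gPLink or gPOptions, ranked in DACL
# evaluation order (explicit deny, explicit allow, inherited deny, inherited
# allow), so it is visible which ACE wins for a given principal.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function Get-GpLinkWriteAces {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Resolve the schemaIDGUIDs of the two attributes from the schema itself.
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $attrNames = @{}
    foreach ($name in 'gPLink', 'gPOptions') {
        $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
        $attrNames[[guid]$attr.schemaIDGUID] = $name
    }
    $writeProp = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

    # The domain head plus every OU beneath the search base.
    $containers = @(Get-ADObject -Identity $SearchBase) +
                  @(Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase)

    foreach ($c in $containers) {
        $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            # GenericAll / GenericWrite contain the WriteProperty bit, so they match too.
            if (([int]$ace.ActiveDirectoryRights -band $writeProp) -eq 0) { continue }
            if ($ace.ObjectType -eq [guid]::Empty)           { $scope = 'all properties' }
            elseif ($attrNames.ContainsKey($ace.ObjectType)) { $scope = $attrNames[$ace.ObjectType] }
            else                                             { continue }   # some other attribute

            $isDeny = $ace.AccessControlType -eq 'Deny'
            [pscustomobject]@{
                Container = $c.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
                Scope     = $scope
                # 0 explicit deny, 1 explicit allow, 2 inherited deny, 3 inherited allow
                EvalOrder = 2 * [int]$ace.IsInherited + [int](-not $isDeny)
            }
        }
    }
}

# Usage: for each container, the lowest-ranked row for a principal is the ACE
# the access check honours for that principal.
Get-GpLinkWriteAces | Sort-Object Container, EvalOrder | Format-Table -AutoSize
```

Run it before and after changing the domain-level ACL: any "all properties" allow row for a broad group such as Administrators on an OU, ranked below an inherited deny on gPLink, is exactly the case where the deny is not effective on that OU.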


 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, January 10, 2007 8:26 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Pre-defining default ACL on newly created GPOs


Well, this can get complicated, esp. if you try to manage this at the
domain level. And, for example, if you set denies at the domain level
that inherit down, then explicit allows set at the OU level will
override these.

What I would suggest, as painful as it sounds, is to set explicit gpLink
and gpOptions denies on the domain Administrators group on each OU that
you want to prevent them linking to.

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of bart.schillebeeks@xxxxxxxxxx
Sent: Wednesday, January 10, 2007 8:09 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Pre-defining default ACL on newly created GPOs


Hi Darren, Colin,

I have actually kind of the same problem myself, but it's not on the
default permissions of the GPO.

We are having problems here because security has populated the domain
local "Administrators" group with a lot of level 2 helpdesk members.
This gives them access on all servers as administrator (their job).

However, they now can also link/create and unlink the existing GPOs in
AD.

This is set on the root of the AD for Administrators ("full control"), but
when I want to give a deny access on the specific "GPO linking" right, it
wants to split out the entire full control into separate permissions.

If we do that, other functions of AD don't work correctly anymore.

Any way to remove linking and creation permissions for all except
"Enterprise Admins"?

 

Vriendelijke groeten,
Cordialement,
Kind Regards, 
Schillebeeks Bart
Active Directory Security Consultant
Small and Departmental Systems - NT Systems Fortis Bank
Bart.schillebeeks@xxxxxxxxxxxxxx
AD Internet Consulting BVBA

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Wednesday, January 10, 2007 3:40 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Pre-defining default ACL on newly created GPOs

Colin-

The only way to do this actually is to modify the
defaultSecurityDescriptor attribute on the gpcContainer class object in
the AD schema (this is a mod to the instance of a schema in your domain,
not a change to the schema itself). It requires being familiar with
SDDL, but otherwise it's pretty straightforward. You might want to check
out this KB and then let us know if you have questions:

http://support.microsoft.com/default.aspx?scid=kb;en-us;321476

Darren
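An added example of the defaultSecurityDescriptor approach, not code from the thread or from the KB. Darren refers to the class as gpcContainer; the schema object is CN=Group-Policy-Container and its lDAPDisplayName is groupPolicyContainer. The attribute lives in the schema naming context, so the write needs Schema Admins membership and is done against the schema master; it only affects GPOs created afterwards, existing GPOs keep their current DACL. Assumptions: the group is called "GPO Modifiers" and already exists, and the rights set (read/write property, create/delete child objects, list, read control, self-write) approximates GPMC's "Edit settings" and should be checked against the KB before use. The check at the end uses the GroupPolicy module cmdlets, which postdate this thread.

```powershell
# Added example, not code from the thread or from KB 321476. Appends an ACE
# for a "GPO Modifiers" group (assumed name; create it first) to the
# defaultSecurityDescriptor of the groupPolicyContainer class so that GPOs
# created afterwards carry it. Existing GPOs are not changed.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$schemaMaster = (Get-ADForest).SchemaMaster          # the schema NC is writable only here
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$classDn      = "CN=Group-Policy-Container,$schemaNC"

$class = Get-ADObject -Identity $classDn -Server $schemaMaster -Properties defaultSecurityDescriptor
Write-Host "Current default SD:`n$($class.defaultSecurityDescriptor)"

# Parse the SDDL into an object so a malformed result fails here, not in AD.
$sd       = [System.Security.AccessControl.RawSecurityDescriptor]::new($class.defaultSecurityDescriptor)
$groupSid = (Get-ADGroup -Identity 'GPO Modifiers').SID

# Assumed rights set approximating GPMC's "Edit settings"; verify against the KB.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, ListChildren, Self, ReadProperty, WriteProperty, ListObject, ReadControl'

$alreadyThere = $sd.DiscretionaryAcl | Where-Object {
    $_ -is [System.Security.AccessControl.CommonAce] -and $_.SecurityIdentifier -eq $groupSid
}
if ($alreadyThere) {
    Write-Host "Group already present in the default SD; nothing to do."
} else {
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::ContainerInherit,   # CI: flows to the GPC's child objects
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        [int]$rights, $groupSid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    Set-ADObject -Identity $classDn -Server $schemaMaster -Replace @{ defaultSecurityDescriptor = $newSddl }
    Write-Host "Updated default SD:`n$newSddl"
}

# Check: a freshly created GPO should now list the group (GPMC's Delegation
# tab shows the same thing). GroupPolicy module cmdlets, newer than this thread.
Import-Module GroupPolicy
$probe = New-GPO -Name 'DefaultAclProbe'
Get-GPPermission -Guid $probe.Id -All | Format-Table Trustee, Permission, Inherited -AutoSize
Remove-GPO -Guid $probe.Id
```

The ACE is appended at the end of the DACL rather than spliced into the SDDL string by hand, which keeps the existing entries and their order intact; the probe GPO at the end is the quickest way to confirm that new GPOs really pick the change up.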

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Auld Colin
Sent: Wednesday, January 10, 2007 5:07 AM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: [gptalk] Re: Pre-defining default ACL on newly created GPOs


Bart, thanks for the reply -

I've tried this, but there is no option on the Group Policy Objects
container which allows the setting of the ACL (as far as I can see).

I've dug a bit further and it looks like it might be possible by
modifying the domain-level ACL (via the GPMC) - it looks as though I
might have to explicitly allow the Read gPOptions and Write gPOptions
properties via the advanced tab. This seems a wee bit detailed - does
anyone know if there is a less detailed way of doing this?

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of bart.schillebeeks@xxxxxxxxxx
Sent: 10 January 2007 12:51
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Pre-defining default ACL on newly created GPOs

Hi Colin,

I believe you set the default editing permissions on the Group Policy
Objects container (OU) in GPMC, on the Delegation tab.

You have to do this for each domain. If this doesn't work, you should use
an overall AD delegation object higher in the root.

 

Vriendelijke groeten,
Cordialement,
Kind Regards, 
Schillebeeks Bart
Active Directory Security Consultant
Small and Departmental Systems - NT Systems Fortis Bank
Bart.schillebeeks@xxxxxxxxxxxxxx
AD Internet Consulting BVBA

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Auld Colin
Sent: Wednesday, January 10, 2007 1:43 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Pre-defining default ACL on newly created GPOs

Hi,

Does anyone know if it is possible to set the default ACL which is
applied to newly created GPOs? Ideally, I'd like to be able to specify
a "GPO Modifier" group with "modify" access to each GPO as it is
created, automatically.

TIA

Colin

|* This e-mail, and any attachments, is confidential and for the use of
the addressee only.
|* If you are not the intended recipient, please telephone +44 (0) 1506
408700
|* We do not accept legal responsibility for this e-mail or any viruses.
|* All e-mails sent and received by us are monitored.
|* Contracts cannot be concluded with us by e-mail.
|* This message has been sent from a member of the British Energy Group
(the "Group").
|* The parent company of the Group is British Energy Group plc,
registered number 270184, and having its registered office at
|* Systems House, Alba Campus, Livingston EH54 7EG


= = = = = = = = = = = = = = = = = = = = = = = = =
Fortis disclaimer :
http://www.fortis.be/legal/disclaimer.htm

Privacy policy related to banking activities of Fortis:
http://www.fortisbank.be/legal/privacy_policy.htm
= = = = = = = = = = = = = = = = = = = = = = = = =