[gptalk] Vista Central Store permissions

  • From: "Jason B. Halladay" <jason@xxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Fri, 06 Jul 2007 07:16:07 -0600

We're considering implementing the Vista Central Store for ADMX files in our environment. We have a very distributed OU administration environment where the domain administrators grant administration rights to OU administrators and don't get involved much otherwise save for a few institutional top-level GPOs. OU administrator accounts are members of the Group Policy Creator Owners group so that they can create their own GPOs for their OU. (This is the major reason the central store is appealing---there are hundreds of GPOs in our environment that do the same thing but are created separately for each OU leading to some sysvol bloat.) For security reasons I'm thinking it would be good to only grant read/execute rights on the central store PolicyDefintions folder to the Group Policy Creator Owners group. I realize this would mean only domain administrators would be able to add/remove ADMX templates to this folder but I don't see that being something we'll need to do very often.

Anyone have a different take or opinion on this? I'd appreciate it.

You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/

Other related posts: