default permissions on GPO

Guest
Archived from groups: microsoft.public.win2000.group_policy

How do you set up the AD so that you have a different default set of
permissions for new GPOs, rather than having to edit the permissions
on the GPOs manually?

Is this process the same for the GP Template portion, or does that
involve something different?
 
Guest

I don't think you can change the default Permissions. The design is to have
all objects receive the GPOs. Filtering is not something that Microsoft or
anyone else desires... it is only there for when you can't work around a
design issue of your OUs.

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"Glenn M" <glenn.mantle@bt.com> wrote in message
news:328a5de4.0404220700.5cfa1fbf@posting.google.com...
> How do you set up the AD so that you have a different default set of
> permissions for new GPOs, rather than having to edit the permissions
> on the GPOs manually?
>
> Is this process the same for the GP Template portion, or does that
> involve something different?
 
Guest

Glenn-
You would have to change the defaultSecurityDescriptor attribute on the
GroupPolicyContainer schema class, as far as I know, to do this. And, if you
did that, I'm not sure if that would be properly reflected in the GPT as I
haven't tested it. Presumably when the GP Editor creates a new GPO, it uses
that defaultSecurityDescriptor to drive both permissioning of the GPC and
GPT, but you'd need to test.

Darren


"Glenn M" <glenn.mantle@bt.com> wrote in message
news:328a5de4.0404220700.5cfa1fbf@posting.google.com...
> How do you set up the AD so that you have a different default set of
> permissions for new GPOs, rather than having to edit the permissions
> on the GPOs manually?
>
> Is this process the same for the GP Template portion, or does that
> involve something different?
 
Guest

Glenn-
I went ahead and tested this and it worked as expected. I added a group I
created called GPO Admins with Full Control Access to the
defaultSecurityDescriptor attribute on the GPC class in the schema and any
new GPOs that I create have that group permissioned to them in both AD and
SYSVOL. So it looks like it works if you don't mind changing schema stuff.
:)

Darren


"Darren Mar-Elia" <fermentedgrape@yahoo.com> wrote in message
news:utFVr3JKEHA.1120@TK2MSFTNGP11.phx.gbl...
> Glenn-
> You would have to change the defaultSecurityDescriptor attribute on the
> GroupPolicyContainer schema class, as far as I know, to do this. And, if you
> did that, I'm not sure if that would be properly reflected in the GPT as I
> haven't tested it. Presumably when the GP Editor creates a new GPO, it uses
> that defaultSecurityDescriptor to drive both permissioning of the GPC and
> GPT, but you'd need to test.
>
> Darren
 
Guest

Darren,

Nice work! What do you think would be the other ramifications to this? Any?

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"Darren Mar-Elia" <fermentedgrape@yahoo.com> wrote in message
news:u7kBHgKKEHA.204@TK2MSFTNGP10.phx.gbl...
> Glenn-
> I went ahead and tested this and it worked as expected. I added a group I
> created called GPO Admins with Full Control Access to the
> defaultSecurityDescriptor attribute on the GPC class in the schema and any
> new GPOs that I create have that group permissioned to them in both AD and
> SYSVOL. So it looks like it works if you don't mind changing schema stuff.
> :)
>
> Darren
 
Guest

I don't think there are too many ramifications. I've heard of other
instances where people change the defaultSecurityDescriptor. I mostly wasn't
sure if the changes would carry into the GPT, but they appear to. The main
challenge is deciphering SDDL, which is how ACEs are represented in that
attribute. Not exactly "friendly" syntax :)

Darren

"Derek Melber [MVP]" <derekm@braincore.net> wrote in message
news:%238gWVMLKEHA.1892@TK2MSFTNGP09.phx.gbl...
> Darren,
>
> Nice work! What do you think would be the other ramifications to this? Any?
>
> --
> Derek Melber
> BrainCore.Net
> derekm@braincore.net
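
Added example (not part of the original thread): a small Python decoder for the DACL portion of an SDDL string, the format stored in defaultSecurityDescriptor, that lists which trustees would receive write-capable rights on every newly created GPO. The sample string and the "GPO Admins" SID are constructed for illustration, and only two-letter right codes are handled.

```python
import re

# Right codes that let a trustee modify a directory object or its ACL:
# write property, create/delete child, delete, delete tree, write DACL,
# write owner, generic all, generic write.
WRITE_RIGHTS = {"WP", "CC", "DC", "SD", "DT", "WD", "WO", "GA", "GW"}
ACE_TYPES = {"A": "allow", "D": "deny", "OA": "object-allow", "OD": "object-deny"}
# Subset of the well-known SID aliases SDDL uses.
SID_ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins",
               "CO": "Creator Owner", "SY": "Local System",
               "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

# Constructed values, not read from a real schema. The SID stands in for a
# hypothetical "GPO Admins" group; the GUID is the Apply Group Policy right.
GPO_ADMINS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_SDDL = ("D:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
               "(A;CI;RPLCLORC;;;AU)"
               "(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
               "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;" + GPO_ADMINS_SID + ")")

def parse_dacl(sddl):
    """Split the DACL (D:) section of an SDDL string into one dict per ACE."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE does not have six fields: " + body)
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields
        if not re.fullmatch(r"(?:[A-Z]{2})*", rights):
            raise ValueError("only two-letter right codes are handled: " + rights)
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type),
                     "flags": re.findall("..", flags),
                     "rights": re.findall("..", rights),
                     "object": obj_guid or None,
                     "trustee": SID_ALIASES.get(trustee, trustee)})
    return aces

def writers(sddl):
    """Trustees whose allow ACEs carry at least one write-capable right."""
    return sorted({a["trustee"] for a in parse_dacl(sddl)
                   if a["type"] in ("allow", "object-allow")
                   and WRITE_RIGHTS & set(a["rights"])})

if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_SDDL):
        print(ace["type"], ace["trustee"], " ".join(ace["rights"]))
    print("write-capable:", writers(SAMPLE_SDDL))
```

Running the same check against the attribute value before and after a schema change shows exactly which trustees the change adds to every future GPO.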