Archived from groups: microsoft.public.win2000.group_policy (
More info?)
I don't think there are too many ramifications. I've heard of other
instances where people change the defaultSecurityDescriptor. I mostly wasn't
sure if the changes would carry into the GPT, but they appear to. The main
challenge is deciphering SDDL, which is how ACEs are represented in that
attribute. Not exactly "friendly" syntax
Darren
"Derek Melber [MVP]" <derekm@braincore.net> wrote in message
news:%238gWVMLKEHA.1892@TK2MSFTNGP09.phx.gbl...
> Darren,
>
> Nice work! What do you think would be the other ramifications to this?
Any?
>
> --
> Derek Melber
> BrainCore.Net
> derekm@braincore.net
> "Darren Mar-Elia" <fermentedgrape@yahoo.com> wrote in message
> news:u7kBHgKKEHA.204@TK2MSFTNGP10.phx.gbl...
> > Glenn-
> > I went ahead and tested this and it worked as expected. I added a group
I
> > created called GPO Admins with Full Control Access to the
> > defaultSecurityDescriptor attribute on the GPC class in the schema and
any
> > new GPOs that I create have that group permissioned to them in both AD
and
> > SYSVOL. So it looks like it works if you don't mind changing schema
stuff.
> >
> >
> > Darren
> >
> >
> > "Darren Mar-Elia" <fermentedgrape@yahoo.com> wrote in message
> > news:utFVr3JKEHA.1120@TK2MSFTNGP11.phx.gbl...
> > > Glenn-
> > > You would have to change the defaultSecurityDescriptor attribute on
the
> > > GroupPolicyContainer schema class, as far as I know, to do this. And,
if
> > you
> > > did that, I'm not sure if that would be properly reflected in the GPT
as
> I
> > > haven't tested it. Presumably when the GP Editor creates a new GPO, it
> > uses
> > > that defaultSecurityDescriptor to drive both permissioning of the GPC
> and
> > > GPT, but you'd need to test.
> > >
> > > Darren
> > >
> > >
> > > "Glenn M" <glenn.mantle@bt.com> wrote in message
> > > news:328a5de4.0404220700.5cfa1fbf@posting.google.com...
> > > > How do you set up the AD so that you have a different default set of
> > > > permissions for new GPO's. rather than having to edit the
permissions
> > > > on the GPO's manually.
> > > >
> > > > is this process the same for the GP Template portion or does that
> > > > involve something different.
> > >
> > >
> >
> >
>
>