I don't think there are too many ramifications. I've heard of other
instances where people change the defaultSecurityDescriptor. I mostly wasn't
sure if the changes would carry into the GPT, but they appear to. The main
challenge is deciphering SDDL, which is how ACEs are represented in that
attribute. Not exactly "friendly" syntax :-)
Darren
"Derek Melber [MVP]" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Darren,
>
> Nice work! What do you think would be the other ramifications to this? Any?
>
> --
> Derek Melber
> BrainCore.Net
> (E-Mail Removed)
> "Darren Mar-Elia" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Glenn-
> > I went ahead and tested this and it worked as expected. I added a group I
> > created called GPO Admins with Full Control Access to the
> > defaultSecurityDescriptor attribute on the GPC class in the schema and any
> > new GPOs that I create have that group permissioned to them in both AD and
> > SYSVOL. So it looks like it works if you don't mind changing schema stuff.
> > :-)
> >
> > Darren
> >
> >
> > "Darren Mar-Elia" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> > > Glenn-
> > > You would have to change the defaultSecurityDescriptor attribute on the
> > > GroupPolicyContainer schema class, as far as I know, to do this. And, if
> > > you did that, I'm not sure if that would be properly reflected in the GPT
> > > as I haven't tested it. Presumably when the GP Editor creates a new GPO,
> > > it uses that defaultSecurityDescriptor to drive both permissioning of the
> > > GPC and GPT, but you'd need to test.
> > >
> > > Darren
> > >
> > >
> > > "Glenn M" <(E-Mail Removed)> wrote in message
> > > news:(E-Mail Removed)...
> > > > How do you set up the AD so that you have a different default set of
> > > > permissions for new GPOs, rather than having to edit the permissions
> > > > on the GPOs manually?
> > > >
> > > > Is this process the same for the GP Template portion or does that
> > > > involve something different?
> > >
> > >
> >
> >
>
>
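
Deciphering the SDDL that the top reply calls the main challenge, as an added example that is not part of the original thread: a small Python decoder for the DACL part of an SDDL string, which also lists the trustees that receive write-level rights. The sample string, its SID and its GUID are constructed placeholders, and the alias tables cover only a subset of the SDDL codes.

```python
import re

# Two-letter codes used in the rights field of an ACE on a directory object.
RIGHTS = {"GA": "generic all", "GR": "generic read", "GW": "generic write",
          "GX": "generic execute", "RC": "read control", "SD": "delete",
          "WD": "write DACL", "WO": "write owner", "RP": "read property",
          "WP": "write property", "CC": "create child", "DC": "delete child",
          "LC": "list children", "SW": "self write", "LO": "list object",
          "DT": "delete tree", "CR": "control access"}
ACE_TYPES = {"A": "allow", "D": "deny", "OA": "object allow", "OD": "object deny"}
# A few SID aliases; anything else (such as a raw S-1-5-... SID) is shown as-is.
TRUSTEES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "SY": "Local System",
            "AU": "Authenticated Users", "CO": "Creator Owner", "WD": "Everyone",
            "ED": "Enterprise Domain Controllers", "BA": "Builtin Administrators"}
# Rights that let the trustee change the object, its children or its security.
WRITE_LEVEL = {"GA", "GW", "WD", "WO", "WP", "CC", "DC", "SD", "DT"}

# Constructed sample, not a real schema value: a DACL in which a custom group
# (placeholder SID and placeholder object GUID) has been given broad rights.
SAMPLE = ("O:DAG:DAD:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
          "(A;CI;RPLCLORC;;;AU)"
          "(OA;CI;CR;00000000-0000-0000-0000-000000000000;;AU)"
          "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;S-1-5-21-1111-2222-3333-1105)")

def parse_dacl(sddl):
    """Return one dict per ACE found in the D: (DACL) part of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        # type;flags;rights;object_guid;inherit_object_guid;trustee
        kind, flags, rights, obj, _inh, sid = (body.split(";") + [""] * 6)[:6]
        # A hex rights mask (0x...) is kept undecoded and is not classified.
        codes = [] if rights.startswith("0x") else re.findall("..", rights)
        aces.append({"type": ACE_TYPES.get(kind, kind),
                     "inherit_flags": flags,
                     "rights": [RIGHTS.get(c, c) for c in codes] or [rights],
                     "object_guid": obj, "trustee": TRUSTEES.get(sid, sid),
                     "write_level": kind in ("A", "OA")
                                    and bool(WRITE_LEVEL & set(codes))})
    return aces

def write_trustees(sddl):
    """Trustees to whom an allow ACE grants at least one write-level right."""
    return sorted({a["trustee"] for a in parse_dacl(sddl) if a["write_level"]})

if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE):
        print(ace["type"], ace["trustee"], ace["rights"], sep=" | ")
    print("write-level access:", write_trustees(SAMPLE))
```

`WD` means write DACL in the rights field but Everyone in the trustee field, which is why the two lookups are kept in separate tables.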