How to change the default permissions on GPOs in Windows Server
This article discusses how to change the default permissions on Group Policy objects (GPOs).
Original product version: Windows Server 2012 R2
Original KB number: 321476
Summary
You may want to strengthen security on GPOs to prevent all but a trusted group of administrators from changing Group Policy. You can do so by modifying the DefaultSecurityDescriptor attribute on the Group Policy container classSchema object. However, the change only affects newly created GPOs. For existing GPOs, you can modify permissions directly on the Group Policy container (CN=
More information
When a new Active Directory object is created, the permissions that are specified in the DefaultSecurityDescriptor attribute of its classSchema object in the schema are applied to it. Because of this, when a GPO is created, its groupPolicyContainer object receives its ACL from the DefaultSecurityDescriptor attribute in the CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=forestroot object. The Group Policy editor also applies these permissions to the folder, subfolders, and files in the Group Policy template (SYSVOL\Policies\
You can use the following process to modify the DefaultSecurityDescriptor attribute for the Group Policy Container classSchema object. Because this is a schema change, it starts a full replication to all global catalog (GC) servers across the forest. Schema permissions are written by using the Security Descriptor Definition Language (SDDL). For more information about SDDL, visit the following Microsoft Web site:
To modify the DefaultSecurityDescriptor attribute for the Group Policy Container classSchema object:
Log on to the forest schema master domain controller with an account that is a member of the Schema Administrators group.
Start Mmc.exe, and then add the Schema snap-in.
Right-click Active Directory Schema, and then click Operations Master.
Click The Schema may be modified on this domain controller, and then click OK.
Use ADSI Editor to open the schema-naming context, and then locate the CN=Group-Policy-Container object with the classSchema type.
View the properties of the object, and then find the defaultSecurityDescriptor attribute.
Paste the following string into the value to remove write permissions for domain administrators so that only enterprise administrators would have write permissions:
To give an additional group write permissions, append the following text to the end of the previous text:
is the SID of the group to which you’re granting permissions.
Changing the defaultSecurityDescriptor attribute does not modify the security descriptors for any pre-existing GPOs. You may, however, use the above complete string to replace the ACL on pre-existing GPOs in conjunction with a tool such as sdutil.exe.
Paste the new string into the edit attribute box, click Set, click Apply, and then click OK.
If you are trying to restrict access for domain administrators or enterprise administrators, you must place a Deny in the default schema permissions for the groupPolicyContainer object. These groups will add an additional ACL to the Group Policy object when it is created. For domain administrators you must add Domain Admins, and for enterprise administrators add Administrator. Adding a Deny is the only way to restrict these groups.
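As an added example (not part of the KB article), the following PowerShell reads the defaultSecurityDescriptor that new GPOs inherit, decodes the SDDL into readable ACEs, and then reports every trustee that holds edit rights on existing GPOs, since the schema change does not touch those. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that it runs under an account that can read the schema and all GPOs; the expected-editors list is a placeholder you adjust for your forest.

```powershell
# Added example, not from the KB article. Assumes the RSAT ActiveDirectory and
# GroupPolicy modules and an account that can read the schema and all GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# 1. Read the schema default that every NEW groupPolicyContainer object inherits.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$gpcClass = Get-ADObject -Identity "CN=Group-Policy-Container,$schemaNC" `
                         -Properties defaultSecurityDescriptor
$sddl = $gpcClass.defaultSecurityDescriptor
Write-Host "Schema defaultSecurityDescriptor (SDDL):`n$sddl`n"

# 2. Decode the SDDL into ACEs so the grants can be reviewed without parsing by eye.
$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
$acl.SetSecurityDescriptorSddlForm($sddl)
$acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize

# 3. The schema change only affects new GPOs: enumerate EXISTING GPOs and report
#    every trustee with edit rights that is not on the expected-editors list.
$expectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')   # placeholder list
$editLevels      = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

$findings = foreach ($gpo in Get-GPO -All) {
    foreach ($perm in (Get-GPPermission -Guid $gpo.Id -All)) {
        if ($perm.Denied) { continue }                        # a Deny is not a grant
        if ($perm.Permission -notin $editLevels) { continue }
        if ($perm.Trustee.Name -in $expectedEditors) { continue }
        [pscustomobject]@{
            GPO        = $gpo.DisplayName
            Trustee    = $perm.Trustee.Name
            Permission = $perm.Permission
        }
    }
}
$findings | Sort-Object GPO | Format-Table -AutoSize
```

Entries reported as GpoCustom do not match one of the standard GPMC levels and are worth opening on the Delegation tab with Advanced, because a custom ACE can grant write access to individual attributes that the summary levels hide.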
Technical support for x64-based versions of Windows
Your hardware manufacturer provides technical support and assistance for x64-based versions of Windows. Your hardware manufacturer provides support because an x64-based version of Windows was included with your hardware. Your hardware manufacturer might have customized the installation of Windows with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your x64-based version of Windows. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.
Delegate Permissions for Group Policy
This topic describes procedures for an administrator to delegate permissions to others using the GPMC so that they can perform some Group Policy administrative tasks.
Introduction
With GPMC, the following tasks can be delegated:
Create GPOs in a domain.
Set permissions on a GPO.
Set policy-related permissions on site, domain or organizational unit.
Link GPOs to a given site, domain or organizational unit.
Perform Group Policy Modeling analyses on a given domain or organizational unit (but not on a site).
Read Group Policy Results data for objects in a given domain or organizational unit (but not on a site).
Create WMI filters in a domain.
Set permissions on a WMI filter.
GPMC simplifies delegation by managing the various ACEs required for a task as a single bundle of permissions for the task. If you want to see the ACL in detail, you can click the Advanced button on the Delegation tab. The underlying mechanism for achieving delegation is the application of the appropriate DACLs to GPOs and other objects in Active Directory. This mechanism is identical to using security groups to filter the application of GPOs to various users.
You can also specify Group Policy to control the behavior of MMC and MMC snap-ins. For example, you can use Group Policy to manage the rights to create, configure, and use MMC consoles, and to control access to individual snap-ins.
How to delegate permissions for a group or user on a Group Policy Object
To delegate permissions for a group or user on a Group Policy Object
In the Group Policy Management Console (GPMC) console tree, expand the Group Policy Objects node in the forest and domain containing the Group Policy object (GPO) for which you want to add or remove permissions.
In the results pane, click the Delegation tab.
Click Add.
In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects for which you want to add GPO permissions, and then click OK.
Click Locations, select either Entire Directory or the domain or organizational unit containing the object for which you want to add GPO permissions, and then click OK.
In the Enter the object name to select box, type the name of the object for which you want to add GPO permissions by performing one of the following actions:
If you know the name, type it and then click OK.
To search for the name, click Advanced, type the search criteria, click Find Now, select the name in the list box, click OK, and then click OK again.
In the Permissions box of the Add Group or User dialog box, select the appropriate permissions from the drop-down list, and then click OK.
Additional considerations
To perform this procedure, you must have Edit settings, delete, and modify security permissions on the GPO.
Groups and users that have Custom in the Allowed Permissions column in the Groups and users list box on the Delegation tab have permissions that do not match one of the three standard levels of permissions. To view the permissions for groups with custom permissions or to set custom permissions, click Advanced.
You can also click the Delegation tab to change or remove permissions for a group or user on a GPO.
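The same delegation can be applied from PowerShell. The block below is an added example, not code from the article: it grants a group the "Edit settings" level on one GPO with Set-GPPermission and then reads the result back the way the Delegation tab would show it. It assumes the RSAT GroupPolicy module and an account holding "Edit settings, delete, modify security" on the target GPO; the GPO and group names are placeholders.

```powershell
# Added example, not from the article. Assumes the RSAT GroupPolicy module and an
# account with "Edit settings, delete, modify security" on the target GPO.
Import-Module GroupPolicy

$gpoName   = 'Workstation Baseline'      # placeholder GPO name
$groupName = 'GPO-Editors-Workstations'  # placeholder security group

# GpoEdit is the level the Delegation tab calls "Edit settings";
# GpoEditDeleteModifySecurity is "Edit settings, delete, modify security";
# GpoRead is "Read".
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
                 -PermissionLevel GpoEdit | Out-Null

# Verify the entry that was just written.
Get-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Inherited, Denied

# Show the whole trustee list, as the Delegation tab would display it.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Denied |
    Format-Table -AutoSize

# To remove the delegation again (the Delegation tab's Remove button), set the level to None:
# Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group -PermissionLevel None
```

Because Set-GPPermission writes the ACL on both the groupPolicyContainer object and the SYSVOL policy folder, the second Get-GPPermission listing is a convenient post-change check that no unexpected trustee was left with edit rights.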
How to delegate permissions to link Group Policy Objects
To delegate permissions to link Group Policy Objects
In the Group Policy Management Console (GPMC) console tree, do one of the following:
To delegate permission to link Group Policy objects (GPOs) to either the domain or an organizational unit (OU), click the domain or the OU.
To delegate permission to link GPOs to a site, click the site.
In the results pane, click the Delegation tab.
In the Permission drop-down list box, select Link GPOs. Click Add.
In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects to which you want to delegate permissions for the domain, site, or OU, and then click OK.
Click Locations, select either Entire Directory or the domain or OU containing the object to which you want to delegate permissions, and then click OK.
In the Enter the object name to select box, enter the name of the object to which you want to delegate permissions by doing one of the following:
If you know the name, type it and then click OK.
To search for the name, click Advanced, enter the search criteria, click Find Now, select the name in the list box, click OK, and then click OK again.
In the Add Group or User dialog box, in the Permissions drop-down list, select the level to which you want permissions to apply for this group or user, and then click OK.
Additional considerations
To delegate permissions to link GPOs to a site, domain, or OU, you must have Modify Permissions on that site, domain, or OU. By default, only Domain Administrators and Enterprise Administrators have this permission.
Users and groups with permission to link GPOs to a specific site, domain, or OU can link GPOs, change link order, and set block inheritance on that site, domain, or OU.
You cannot remove groups and users that inherit permissions from a parent container.
Some entries in the Groups and users drop-down list, such as System, do not have an associated property dialog box, so Properties is unavailable for these entries.
How to delegate permissions for generating Group Policy Modeling data
To delegate permissions for generating Group Policy Modeling data
In the Group Policy Management Console (GPMC) console tree, click the domain or organizational unit (OU) for which you want to delegate Group Policy Modeling permissions.
In the results pane, click the Delegation tab.
In the Permission box, select Perform Group Policy Modeling analyses to add a new group or user to the permissions list.
On the Delegation tab, click Add.
In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects to which you want to delegate permissions for the domain, site, or OU, and then click OK.
Click Locations, select either Entire Directory or the domain or OU containing the object to which you want to delegate permissions, and then click OK.
In the Enter the object name to select box, find the name of the object to which you want to delegate permissions by doing one of the following:
If you know the name, type it, and then click OK again.
To search for the name, click Advanced, enter the search criteria, click Find Now, select the name in the drop-down list, click OK, and then click OK.
In the Add Group or User dialog box, in the Permissions drop-down list, select the level to which you want permissions to apply for this group or user, and then click OK.
Additional considerations
To delegate permissions to perform Group Policy Modeling analyses for objects in a domain or organizational unit, you must have Modify Permissions on that domain or organizational unit. By default, only domain administrators and enterprise administrators have this permission.
You cannot delegate permission to perform Group Policy Modeling analyses for sites.
You can also use the Delegation tab to change or remove permissions for a group or user for Group Policy Modeling data.
How to delegate permissions to generate Group Policy Results
To delegate permissions to generate Group Policy Results
In the Group Policy Management Console (GPMC) console tree, click the domain or organizational unit (OU) for which you want to delegate permission to generate Group Policy Results.
In the results pane, click the Delegation tab.
In the Permissions drop-down list, select Read Group Policy Results data to add a new group or user to the permissions list.
On the Delegation tab, click Add.
In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects to which you want to delegate permissions for the domain, site, or OU, and then click OK.
Select the user or group to which permission should be delegated.
In the Add Group or User dialog box, in the Permissions drop-down list, select the level to which you want permissions to apply for this group or user, and then click OK.
Additional considerations
To delegate permissions to generate Group Policy Results for objects in a domain or OU, you must have Modify Permissions on that domain or OU. By default, only domain administrators and enterprise administrators have this permission.
You cannot delegate permission to generate Group Policy Results for sites.
You can also use the Delegation tab to change or remove permissions for a group or user for Group Policy Results data.
How to delegate permissions for a group or user on a WMI filter
To delegate permissions for a group or user on a WMI filter
In the Group Policy Management Console (GPMC) console tree, click the WMI filter for which you want to delegate permissions.
In the results pane, click the Delegation tab.
Click Add.
In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects to which you want to delegate permissions on the WMI filter, and then click OK.
Click Locations, select either Entire Directory or the domain or organizational unit containing the object to which you want to delegate permissions, and then click OK.
In the Enter the object name to select box, type the name of the object to which you want to delegate permissions by doing one of the following:
If you know the name, type it and then click OK.
To search for the name, click Advanced, type the search criteria, click Find Now, select the name in the list box, click OK, and then click OK again.
In the Add Group or User dialog box, in the Permissions box, select the permissions level you want to assign to the group or user, and then click OK.
Additional considerations
You must have Full Control permissions on a WMI filter to change its permissions.
You cannot remove or change inherited permissions for WMI filters.
All users must have Read access to all WMI filters. Otherwise, Group Policy stops processing when it encounters a WMI filter that cannot be read.
You cannot use the GPMC to remove Read permissions from WMI filters.
WMI Filters are available if at least one domain controller in the domain is running Microsoft Windows Server 2003 or later.
You can also use the delegation tab to change or remove permissions for a group or user for WMI filters.
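Because Group Policy processing stops at a WMI filter that cannot be read, a periodic check that every filter is still readable by all users is worth having. The block below is an added example, not code from the article: it enumerates the msWMI-Som objects that GPMC stores under CN=SOM,CN=WMIPolicy,CN=System, checks each for an Allow ACE granting at least GenericRead to Authenticated Users or Everyone, and counts any Deny ACEs. It assumes the RSAT ActiveDirectory module and an account that can read those objects.

```powershell
# Added example, not from the article. Assumes the RSAT ActiveDirectory module and
# an account that can read the WMI filter objects under CN=WMIPolicy,CN=System.
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName
$somBase    = "CN=SOM,CN=WMIPolicy,CN=System,$domainDN"   # where GPMC stores WMI filters
$readRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# Principals that give "all users" read: Authenticated Users (S-1-5-11) or Everyone (S-1-1-0).
# A filter readable only through some narrower group is flagged so it can be reviewed by hand.
$broadReaders = @('S-1-5-11', 'S-1-1-0')

$filters = Get-ADObject -LDAPFilter '(objectClass=msWMI-Som)' -SearchBase $somBase `
                        -Properties msWMI-Name, nTSecurityDescriptor

foreach ($f in $filters) {
    $rules = $f.nTSecurityDescriptor.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    # An explicit or inherited Allow of GenericRead (or broader) for a broad principal counts as OK.
    $readable = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in $broadReaders -and
        (($_.ActiveDirectoryRights -band $readRights) -eq $readRights)
    }

    [pscustomobject]@{
        Filter       = $f.'msWMI-Name'
        AllUsersRead = [bool]$readable
        DenyAces     = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
    }
}
```

Any row with AllUsersRead set to False, or with a non-zero DenyAces count, identifies a filter that can stall Group Policy processing for the affected clients and should be corrected on the filter's Delegation tab.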
How to delegate permissions for a Group or User on a Starter GPO
Delegating permissions for a Group or User on a Starter GPO
Open the Group Policy Management Console. Expand the Starter GPOs node.
Click the Starter GPO you want to delegate.
In the results pane, click the Delegation tab.
Click Add.
In the Select User, Computer, or Group dialog box, click Object Types, select the types of objects for which you want to add Starter GPO permissions, and then click OK.
Click Locations, select either Entire Directory or the domain or organizational unit containing the object for which you want to add Starter GPO permissions, and then click OK.
In the Enter the object name to select box, type the name of the object for which you want to add Starter GPO permissions by performing one of the following actions:
If you know the name, type it and then click OK.
To search for the name, click Advanced, type the search criteria, click Find Now, select the name in the list box, click OK, and then click OK again.
In the Permissions box of the Add Group or User dialog box, select the appropriate permissions from the drop-down list, and then click OK.