Default GPO Permissions

Written by on Wednesday, March 5, 2008 5:11 - 0 Comments

It is very important to assign appropriate permissions to every GPO you create. Here I list the default permissions given to a new GPO.

I cannot stress enough how important it is to correctly set permissions for the Group Policy Objects you create. In this sense, it is very important that you know what permissions are assigned to a Group Policy Object by default. They are as follows:

Authenticated Users – Read, Apply Group Policy, Special Permissions
Creator Owner – Special Permissions
Domain Administrators – Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
Enterprise Administrators – Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
Enterprise Domain Controllers – Read, Special Permissions
System – Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions

It is also important to know that only the Domain Administrators, Enterprise Administrators, and Group Policy Creator Owner groups have permission to create new GPO’s be default. Any user who needs the ability to create GPO’s will need to be added to one of these groups. It is generally best practice to add these users to the Group Policy Creator Owner group so that they have fill administrative permissions over only the GPO’s they create.

Article written by MyComputerAid.com



Leave a Reply

You must be logged in to post a comment.

2003 server - Sep 30, 2008 22:34 - 0 Comments

instant messaging srv records

More In Computers & PC


Microsoft Outlook - Mar 22, 2009 11:22 - 0 Comments

Outlook: Duplicates in Mailbox

More In Computers & PC