JSI Tip 5528. How do I change the default permissions on Group Policy Objects in Windows 2000?

Microsoft Knowledge Base Article 321476 contains the following summary:

You may want to strengthen security on Group Policy objects (GPOs) to prevent all but a trusted group of administrators from changing group policy. You can do so by modifying the DefaultSecurityDescriptor attribute on the Group Policy container classScema object. However, the change only affects newly-created GPOs. For existing GPOs, you can modify permissions directly on the Group Policy container (CN=\{GPO_GUID\},CN=System,DC=domain...) and Group Policy template (\\domain\SYSVOL\Policies\\{GPO_GUID\}). This procedure can also help prevent administrative templates (ADM files) in the Group Policy templates from being inadvertently updated by the ADM files on unmanaged workstations.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.