Managing Group Policy
One GPO can be used to configure the security on all computers in a site, domain, or OU. This makes securing the management of Group Policy itself very important. For example, an administrator of an OU could exempt computers and users in the OU from receiving Group Policy settings configured at the domain level if that administrator has the ability to manage Group Policy. When implementing security in your forest, you must consider the management of Group Policy.
Default Group Policy Permissions
By default, several groups have administrative authority over Group Policy. These settings may or may not be appropriate for your organization. Table 5-4 describes the permissions for managing Group Policy.
Permission | Object | Description
Full Control | GPO | Gives full control over the GPO to the user account or security group
Write | GPO | Enables the user account or security group to modify the settings in the GPO
Read | GPO | Enables the user account or security group to read the settings in the GPO
Apply Group Policy | GPO | Enables the user account or security group to have the GPO processed during the initial logon or refresh cycle
Link Group Policy (gPLink) | Container | Enables the user account or security group to link a GPO to the container
Read Group Policy Options (gPOptions) | Container | Enables the user account or security group to block the inheritance of GPOs to the container
By default, the groups Domain Admins, Enterprise Admins, Creator Owner, and Local System have Full Control permissions over all GPOs linked to domains and OUs. The groups Enterprise Admins and Authenticated Users have Read and Apply Group Policy permissions. The groups Enterprise Admins, Creator Owner, and Local System have Full Control permissions over GPOs linked to a site.
Delegating Group Policy Management
In Active Directory, you can delegate the permissions to manage Group Policy either by using the Delegation of Authority Wizard or by using the Security tab of the Properties dialog box of a GPO or container object. Delegation of authority in Active Directory is flexible enough to allow you to grant administrative control over GPOs according to the security requirements of your organization.
Adding Users to the Group Policy Creator Owners Group
By default, members of the Domain Admins and Group Policy Creator Owners security groups can create new GPOs in their home domain. Although members of the Group Policy Creator Owners security group can create new GPOs, they do not have the permission to link the GPO to a container. After a member of the Group Policy Creator Owners security group has created a GPO and it has been linked to a container, that user account retains the explicit permissions to modify the GPO. Other members of the Group Policy Creator Owners security group do not have any permissions on GPOs created by other members of the group.
gPLink Permission
User accounts that have the Write gPLink permission can link existing GPOs to the container for which they possess this permission. User accounts that have been granted Write or Full Control permissions over a domain or OU container possess this permission by default. This permission does not allow the user account to create new GPOs.
gPOptions Permission
User accounts that have the Write gPOptions permission can enable the Block Inheritance option of a domain or OU container. User accounts that have been granted Write or Full Control permissions over a domain or OU container possess this permission by default. Possessing this permission does not grant the user account any additional permissions on GPOs.
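The following audit script is an added example, not part of the original text: it lists GPOs where a principal outside the default set described above can edit the GPO, and domain or OU containers where a non-default principal can write gPLink or gPOptions (and therefore link GPOs or set Block Inheritance). It assumes the GroupPolicy and ActiveDirectory RSAT modules and a domain-joined session with read access to GPOs and container ACLs; the function names and the $DefaultEditors list are assumptions for this example.

```powershell
# Added audit example, not from the text. Assumes the GroupPolicy and ActiveDirectory RSAT
# modules and a domain-joined session with read access to GPOs and to domain/OU ACLs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Principals the text lists as holding Full Control over GPOs by default (assumed list).
$DefaultEditors = @('Domain Admins', 'Enterprise Admins', 'CREATOR OWNER', 'SYSTEM')
$R = [System.DirectoryServices.ActiveDirectoryRights]

function Get-NonDefaultGpoEditors {
    # GPO-level ACEs: anyone outside the default set who can edit a GPO or change its security.
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { ($_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity') -and
                           ($_.Trustee.Name -notin $DefaultEditors) } |
            ForEach-Object {
                [pscustomobject]@{ Gpo = $gpo.DisplayName; Trustee = $_.Trustee.Name
                                   Permission = $_.Permission }
            }
    }
}

function Get-NonDefaultContainerLinkRights {
    # Container-level ACEs: who can write gPLink (link GPOs) or gPOptions (Block Inheritance)
    # on the domain or an OU, including broad rights that cover every attribute.
    $schema = (Get-ADRootDSE).schemaNamingContext
    $attrNames = @{}   # schemaIDGUID of the attribute -> attribute name, looked up from the schema
    foreach ($name in 'gPLink', 'gPOptions') {
        $def = Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
        $attrNames[[guid]$def.schemaIDGUID] = $name
    }
    $containers = @((Get-ADDomain).DistinguishedName) +
                  @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)
    foreach ($dn in $containers) {
        foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($who -in $DefaultEditors) { continue }
            $rights = $ace.ActiveDirectoryRights
            # Write to all attributes: GenericAll, GenericWrite, or unscoped WriteProperty.
            $allAttrs = $rights.HasFlag($R::GenericAll) -or $rights.HasFlag($R::GenericWrite) -or
                        ($rights.HasFlag($R::WriteProperty) -and $ace.ObjectType -eq [guid]::Empty)
            # WriteProperty scoped to gPLink or gPOptions specifically.
            $thisAttr = $rights.HasFlag($R::WriteProperty) -and $attrNames.ContainsKey($ace.ObjectType)
            if (-not ($allAttrs -or $thisAttr)) { continue }
            $attr = if ($thisAttr) { $attrNames[$ace.ObjectType] } else { 'all attributes' }
            [pscustomobject]@{ Container = $dn; Trustee = $ace.IdentityReference.Value
                               Attribute = $attr; Inherited = $ace.IsInherited }
        }
    }
}

Get-NonDefaultGpoEditors | Format-Table -AutoSize
Get-NonDefaultContainerLinkRights | Format-Table -AutoSize
```

A principal that appears in the second listing can change which GPOs apply to a container without holding any permission on the GPOs themselves, which is the point the gPLink and gPOptions sections make.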