none
Windows Server 2012R2 Changing Default GPO Permissions

    Question

  • Hi

    I wish to change the default permissions on GPOs, specifically to revoke write permissions for Domain Admins.

    The article https://support.microsoft.com/en-us/kb/321476 does not appear to apply to Windows 2012R2, is there a version that does?:

    The SDDL suggested by the article for DA is (A;CI;RPLCLOLORC;;;DA)

    This should work, but the OS appears to ignore it and you end up with what I think is this (A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;DA), which is the default.

    Even setting it to this (A;CI;LCRPLORC;;;DA) has no apparent effect (as does leaving it out altogether).

    Suggestions would be appreciated. Advice on how to educate my client's DAs or telling me it's pointless because DAs can't truly be limited would not.

    TIA

    JamesDS

    Saturday, October 17, 2015 10:53 AM

Answers

All replies