Windows Server 2012R2 Changing Default GPO Permissions


  • Hi

    I wish to change the default permissions on GPOs, specifically to revoke write permissions for Domain Admins.

    The article does not appear to apply to Windows 2012R2. Is there a version that does?

    The SDDL suggested by the article for DA is (A;CI;RPLCLOLORC;;;DA)

    This should work, but the OS appears to ignore it and you end up with what I think is this (A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;DA), which is the default.

    Even setting it to this (A;CI;LCRPLORC;;;DA) has no apparent effect (as does leaving it out altogether).

    Suggestions would be appreciated. Advice on how to educate my client's DAs or telling me it's pointless because DAs can't truly be limited would not.



    Saturday, October 17, 2015 10:53 AM
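Added example, not part of the original post: a small Python decoder for the ACE strings quoted above, which lists the rights that the ACE the poster ends up with carries beyond the one the poster intended. The function and constant names are chosen for this example. The rights codes and mask bits are the standard SDDL values for directory objects, and only two-letter rights codes (not hex masks) are handled.

```python
# Added example: decode the directory-object ACE strings quoted in the post.
RIGHTS = {  # SDDL code -> (access-mask bit, meaning), in bit order
    "CC": (0x00001, "create child"),
    "DC": (0x00002, "delete child"),
    "LC": (0x00004, "list children"),
    "SW": (0x00008, "validated (self) write"),
    "RP": (0x00010, "read property"),
    "WP": (0x00020, "write property"),
    "DT": (0x00040, "delete tree"),
    "LO": (0x00080, "list object"),
    "CR": (0x00100, "control access"),
    "SD": (0x10000, "delete"),
    "RC": (0x20000, "read control"),
    "WD": (0x40000, "write DACL"),
    "WO": (0x80000, "write owner"),
}

def parse_ace(ace):
    """Split one '(type;flags;rights;obj;inherit_obj;sid)' ACE and build its mask."""
    if not (ace.startswith("(") and ace.endswith(")")):
        raise ValueError(f"ACE must be parenthesised: {ace!r}")
    fields = ace[1:-1].split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}")
    rights = fields[2]
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    unknown = [c for c in codes if c not in RIGHTS]
    if unknown:
        raise ValueError(f"unknown rights codes: {unknown}")
    mask = 0
    for c in codes:  # OR-ing means a repeated code (LO appears twice) is harmless
        mask |= RIGHTS[c][0]
    return {"type": fields[0], "flags": fields[1], "mask": mask, "sid": fields[5]}

def rights_in(mask):
    """Return the rights codes set in an access mask, lowest bit first."""
    return [c for c, (bit, _) in RIGHTS.items() if mask & bit]

def extra_rights(effective, intended):
    """Rights present in the effective ACE but absent from the intended one."""
    return rights_in(parse_ace(effective)["mask"] & ~parse_ace(intended)["mask"])

INTENDED = "(A;CI;RPLCLOLORC;;;DA)"                   # string from the post
EFFECTIVE = "(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;DA)"  # string from the post

if __name__ == "__main__":
    for code in extra_rights(EFFECTIVE, INTENDED):
        print(code, "-", RIGHTS[code][1])
```

The third string in the post, (A;CI;LCRPLORC;;;DA), decodes to the same mask as the first, so the two differ only in the order and repetition of codes.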


All replies