Set default permissions for new group policy objects, issue with preexisting GPOs


  • Update: I found that after re-opening the GPMC and selecting the GPO that I had "Restore[d] Defaults" on / had been giving me issues I now get the following error. When I selected "ok" and then again re-opened the GPMC the Infrastructure Status ACL issue goes away. While this is a fix, it's not as easy as simply having to go to preexisting GPOs and simply clicking "Restore Defaults".

    I recently followed a blog post on Clint Boessen's blog titled "AD Delegation - How to set default permissions for new group policy objects". I'm following his instructions for adding a Domain Local group in a single domain multiple DC environment to the default permissions-set that is added to GPOs when they are created. His instructions work flawlessly with the exception of going to preexisting GPOs and selecting "Restore Defaults" to apply the new ACL to the preexisting GPOs. When I do this I notice after having clicked "Detect Now" under status for the GPO I "Restore[d] Defaults" on there is an ACL issue. In the picture below I’ve “Restored Defaults” on the Default Domain Policy. 

    For the Default Domain Policy, on the delegation tab I can see the group I added via the defaultSecurityDescriptor for CN=Group-Policy-Container (see below). 

    If it helps below are pictures of the GPO's Advanced Security Settings before and after clicking "Restore Defaults". The "Afters" match on both DCs in the environment. 

    Also below are the SYSVOL ACLs of the Default Domain Policy from both DCs.

    • Edited by Joey Piccola Thursday, September 3, 2015 1:06 PM
    Thursday, September 3, 2015 2:39 AM
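
A read-only way to collect the same evidence the post shows in screenshots, as an added example that is not from the original post or from the blog it cites: it prints the defaultSecurityDescriptor of CN=Group-Policy-Container and, for each DC, lists trustees that appear on the GPO's AD object but not on its SYSVOL folder, and the reverse. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed and that the account can read both locations; the trustee-level comparison is a coarse check and does not reproduce the GPMC status check.

```powershell
# Added example: read-only, changes nothing in AD or SYSVOL.
Import-Module ActiveDirectory, GroupPolicy

$gpoName = 'Default Domain Policy'          # the GPO named in the post
$domain  = Get-ADDomain
$gpo     = Get-GPO -Name $gpoName

# 1. Default security descriptor (SDDL) that new GPOs receive from the schema class.
$classDn = "CN=Group-Policy-Container,$((Get-ADRootDSE).schemaNamingContext)"
$class   = Get-ADObject -Identity $classDn -Properties defaultSecurityDescriptor
Write-Output "defaultSecurityDescriptor: $($class.defaultSecurityDescriptor)"

# 2. Per DC: trustees on the GPO's AD object versus its SYSVOL folder.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Query this specific DC so replication differences become visible.
    $adObj = Get-ADObject -Identity $gpo.Path -Server $dc.HostName -Properties nTSecurityDescriptor
    $adTrustees = @($adObj.nTSecurityDescriptor.Access |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    # The GPO's file-system half lives under Policies\{GUID} on each DC's SYSVOL share.
    $folder = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}"
    $fsTrustees = @((Get-Acl -LiteralPath $folder).Access |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    [pscustomobject]@{
        DC           = $dc.HostName
        OnlyInAD     = ($adTrustees | Where-Object { $_ -notin $fsTrustees }) -join '; '
        OnlyInSysvol = ($fsTrustees | Where-Object { $_ -notin $adTrustees }) -join '; '
    }
}
$report | Format-List
```

A group that shows up under OnlyInAD after "Restore Defaults" is a trustee present on the directory object with no matching entry on that DC's SYSVOL folder.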