
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 409

default permissions for new group policy objects

Our GPO infrastructure has grown over the years and each admin has done their own type of work.
Now I have to clean up all those delegation settings.

What are the default settings and which ones are recommended for having high security?

I know, whenever I create a new GPO the following Active Directory system groups are granted access:
- Authenticated Users
- Domain Admins
- Enterprise Admins

by default. Can or should I remove any of these, and which ones would make sense to add?
Brandon (Project Manager, IT Systems and Software Design) commented:
Can you be a little more specific? Are you trying to harden desktops, IE, server, etc.?
Brandon (Project Manager, IT Systems and Software Design) commented:
Here is a security tool to help you automate your server's security.


Here's another answered question that has more details for the link above.
Joseph Moody (Blogger and wearer of all hats) commented:
You should not change any of those permissions unless you need to. For example, you may want to limit what objects process a GPO. You would remove Authenticated Users and add in the objects (or the objects' group).

If you are wanting a way to manage who does what with Group Policy, look up Advanced Group Policy Management.
DukewillNukem (Author) commented:
OK, I will not change the Default Domain Controller Policy and the Default Domain Policy.
But I want to keep it to the minimum with all the other GPOs. For that, I need the best practice recommendations.
Brandon (Project Manager, IT Systems and Software Design) commented:
The links I provided are the MS best practices.
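
For the delegation cleanup discussed in this thread, a read-only inventory shows which GPOs differ from the defaults before anything is changed. The script below is an added example, not code from any poster; it assumes the GroupPolicy module (RSAT/GPMC) is installed, and its baseline holds only the three groups named in the question, so extend `$expectedTrustees` with any other entries your domain shows on a freshly created GPO.

```powershell
# Added example: report GPO delegation entries that differ from an expected baseline.
# Read-only: Get-GPO and Get-GPPermission do not modify anything.
Import-Module GroupPolicy

# Assumption: the trustees the question lists as defaults on a new GPO.
# Extend with other built-in entries seen on a freshly created GPO in your domain.
$expectedTrustees = @('Authenticated Users', 'Domain Admins', 'Enterprise Admins')

# Left out of the review, as the asker decided in the thread.
$skipGpos = @('Default Domain Policy', 'Default Domain Controllers Policy')

$report = foreach ($gpo in Get-GPO -All) {
    if ($skipGpos -contains $gpo.DisplayName) { continue }

    $perms = Get-GPPermission -Guid $gpo.Id -All

    # Trustees delegated on this GPO that are outside the baseline.
    foreach ($p in $perms | Where-Object { $expectedTrustees -notcontains $_.Trustee.Name }) {
        [pscustomobject]@{
            Gpo        = $gpo.DisplayName
            Finding    = 'Extra trustee'
            Trustee    = $p.Trustee.Name
            SidType    = $p.Trustee.SidType
            Permission = $p.Permission   # e.g. GpoRead, GpoApply, GpoEdit
        }
    }

    # Baseline trustees that were removed, e.g. for security filtering.
    foreach ($name in $expectedTrustees) {
        if ($perms.Trustee.Name -notcontains $name) {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Finding    = 'Missing baseline trustee'
                Trustee    = $name
                SidType    = $null
                Permission = $null
            }
        }
    }
}

$report | Sort-Object Gpo, Finding | Format-Table -AutoSize
```

Each "Missing baseline trustee" row for Authenticated Users marks a GPO that uses security filtering, so check that the objects meant to process it still have access before tightening anything further.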
