[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 409
  • Last Modified:

default permissions for new group policy objects

our GPO infrastructure has grown over the years and each admin has done its own type of work.
now i have to cleanup all those delegation settings.

what are the default settings and which ones are recommended for having high security?

i know,whenever I create a new GPO the following Active Directory system groups are granted access:
- Authenticated Users
- Domain Admins
- Enterprise Admins
- ENTERPRISE DOMAIN CONTROLLERS
- SYSTEM

by default.can or should i remove any of these and which ones would make sense to ad?
0
DukewillNukem
Asked:
DukewillNukem
  • 3
1 Solution
 
BrandonProject Manager, IT Systems and Software DesignCommented:
Can you be a little more specific. Are you trying to harden desktops, IE, server...etc?
0
 
BrandonProject Manager, IT Systems and Software DesignCommented:
Here is a security tool to help you automate your server's security.

http://technet.microsoft.com/en-us/library/cc514539.aspx

Here's another answered question that has more details for the link above.
http://www.experts-exchange.com/Security/Operating_Systems_Security/Q_28268122.html
0
 
Joseph MoodyBlogger and wearer of all hats.Commented:
You should not change any of those permissions unless you need to. For example, you may want to limit what objects process a GPO. You would remove authenticated users and add in the objects (or the objects group).

If you are wanting a way to manage who does what with Group policy, look up advanced group policy management.
0
 
DukewillNukemAuthor Commented:
ok,i will not change the Default Domain Controller Policy and the Default Domain Policy.
but i want to keep it up to the minimum with all the other GPOs. for that, need the best practice recommendations
0
 
BrandonProject Manager, IT Systems and Software DesignCommented:
The links I provided are the MS best practices.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now