default permissions for new group policy objects

Posted on 2014-08-20
Last Modified: 2014-08-28
our GPO infrastructure has grown over the years and each admin has done its own type of work.
now i have to cleanup all those delegation settings.

what are the default settings and which ones are recommended for having high security?

i know,whenever I create a new GPO the following Active Directory system groups are granted access:
- Authenticated Users
- Domain Admins
- Enterprise Admins

by default.can or should i remove any of these and which ones would make sense to ad?
Question by:DukewillNukem
    LVL 3

    Expert Comment

    Can you be a little more specific. Are you trying to harden desktops, IE, server...etc?
    LVL 3

    Expert Comment

    Here is a security tool to help you automate your server's security.

    Here's another answered question that has more details for the link above.
    LVL 21

    Accepted Solution

    You should not change any of those permissions unless you need to. For example, you may want to limit what objects process a GPO. You would remove authenticated users and add in the objects (or the objects group).

    If you are wanting a way to manage who does what with Group policy, look up advanced group policy management.

    Author Comment

    ok,i will not change the Default Domain Controller Policy and the Default Domain Policy.
    but i want to keep it up to the minimum with all the other GPOs. for that, need the best practice recommendations
    LVL 3

    Expert Comment

    The links I provided are the MS best practices.

    Featured Post

    How to improve team productivity

    Quip adds documents, spreadsheets, and tasklists to your Slack experience
    - Elevate ideas to Quip docs
    - Share Quip docs in Slack
    - Get notified of changes to your docs
    - Available on iOS/Android/Desktop/Web
    - Online/Offline

    Join & Write a Comment

    Suggested Solutions

    We recently had an issue where out of nowhere, end users started indicating that their logins to our terminal server were just showing a "blank screen." After checking the usual suspects -- profiles, shell=explorer.exe in the registry, userinit.exe,…
    This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
    This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

    745 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    16 Experts available now in Live!

    Get 1:1 Help Now