Default permissions for new Group Policy Objects

Our GPO infrastructure has grown over the years and each admin has done their own type of work.
Now I have to clean up all those delegation settings.

What are the default settings, and which ones are recommended for high security?

I know, whenever I create a new GPO the following Active Directory system groups are granted access:
- Authenticated Users
- Domain Admins
- Enterprise Admins
- ENTERPRISE DOMAIN CONTROLLERS
- SYSTEM

by default. Can or should I remove any of these, and which ones would make sense to add?
DukewillNukem Asked:

Brandon (Project Manager, IT Systems and Software Design) Commented:
Can you be a little more specific? Are you trying to harden desktops, IE, server, etc.?
0
Brandon (Project Manager, IT Systems and Software Design) Commented:
Here is a security tool to help you automate your server's security.

http://technet.microsoft.com/en-us/library/cc514539.aspx

Here's another answered question that has more details for the link above.
http://www.experts-exchange.com/Security/Operating_Systems_Security/Q_28268122.html
0
Joseph Moody (Blogger and wearer of all hats.) Commented:
You should not change any of those permissions unless you need to. For example, you may want to limit what objects process a GPO. You would remove Authenticated Users and add in the objects (or the objects' group).

If you are wanting a way to manage who does what with Group Policy, look up Advanced Group Policy Management.
0
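
An added example (not part of the original thread or any poster's code): a PowerShell audit that lists, for every GPO, the trustees outside the default set named in the question and flags GPOs where Authenticated Users has been removed for security filtering. It assumes the GroupPolicy module (GPMC/RSAT) is installed; matching trustees by well-known SID or RID is a choice made for this example.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (GPMC/RSAT).
# On Windows Server 2008 R2 the cmdlet is named Get-GPPermissions.
Import-Module GroupPolicy

# Default trustees from the question, matched by SID so renamed or localized
# group names still match.
$wellKnown = @{
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-9'  = 'ENTERPRISE DOMAIN CONTROLLERS'
    'S-1-5-18' = 'SYSTEM'
}
$defaultRids = '512', '519'   # Domain Admins, Enterprise Admins

function Test-DefaultTrustee {
    param([string]$Sid)
    if ($wellKnown.ContainsKey($Sid)) { return $true }
    # Domain-relative SIDs have the form S-1-5-21-<domain id>-<RID>
    return ($Sid -like 'S-1-5-21-*') -and ($defaultRids -contains $Sid.Split('-')[-1])
}

$findings = foreach ($gpo in Get-GPO -All) {
    $perms = @(Get-GPPermission -Guid $gpo.Id -All)
    foreach ($p in $perms) {
        $sid = $p.Trustee.Sid.Value
        # Anything outside the default set is delegation someone added by hand
        if (-not (Test-DefaultTrustee $sid)) {
            [pscustomobject]@{
                Gpo = $gpo.DisplayName; Finding = 'Non-default trustee'
                Trustee = $p.Trustee.Name; Sid = $sid
                Permission = $p.Permission; Denied = $p.Denied
            }
        }
    }
    # Security filtering in use: Authenticated Users no longer has an entry
    if (-not ($perms | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' })) {
        [pscustomobject]@{
            Gpo = $gpo.DisplayName; Finding = 'Authenticated Users removed'
            Trustee = 'Authenticated Users'; Sid = 'S-1-5-11'
            Permission = 'None'; Denied = $false
        }
    }
}
$findings | Sort-Object Gpo, Finding | Format-Table -AutoSize
```

Since the MS16-072 update, a GPO flagged "Authenticated Users removed" still needs Read for the computer accounts that process it (Authenticated Users or Domain Computers), so review those entries before tightening them further. An empty Trustee name with a populated Sid indicates an orphaned account that can no longer be resolved.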

DukewillNukem (Author) Commented:
OK, I will not change the Default Domain Controller Policy and the Default Domain Policy.
But I want to keep it to the minimum with all the other GPOs. For that, I need the best practice recommendations.
0
Brandon (Project Manager, IT Systems and Software Design) Commented:
The links I provided are the MS best practices.
0
Windows Server 2008


Question has a verified solution.
