Default GPO Permissions
I cannot stress enough how important it is to correctly set permissions for the Group Policy Objects you create. In this sense, it is very important that you know what permissions are assigned to a Group Policy Object by default. They are as follows:
Authenticated Users – Read, Apply Group Policy, Special Permissions
Creator Owner – Special Permissions
Domain Administrators – Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
Enterprise Administrators – Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
Enterprise Domain Controllers – Read, Special Permissions
System – Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
It is also important to know that only the Domain Administrators, Enterprise Administrators, and Group Policy Creator Owner groups have permission to create new GPO’s be default. Any user who needs the ability to create GPO’s will need to be added to one of these groups. It is generally best practice to add these users to the Group Policy Creator Owner group so that they have fill administrative permissions over only the GPO’s they create.
Chris Sanders is the network administrator for one of the largest public school systems in the state of Kentucky. Chris's specialties include general network administration, windows server 2003, wireless networking, and security. You can view Chris' personal website at www.chrissanders.org.