Monday, August 8, 2011

AD Delegation - How to set default permissions for new group policy objects

When setting up Active Directory delegation, you want administrators to be able to maintain Group Policy without being a Domain Admin. If you read TechNet, Microsoft tells you to use the Group Policy Creator Owners group; please see:

Let's test it. We have a user named Jess, who is only a member of the Domain Users group. We add Jess to "Group Policy Creator Owners". Jess creates a group policy object called "Jess's Policy". Great, it worked. If we look at the permissions of "Jess's Policy" in the Group Policy Management Console (GPMC), we see that she has permissions to the group policy object.

Jess does not have permissions to modify or edit any other group policy objects.

The problem with Group Policy Creator Owners

Let's say you have 10 administrators who need to make group policy changes. You add the 10 administrators to Group Policy Creator Owners. One administrator creates a group policy object. The others cannot read or modify it, as only the administrator who created the group policy object owns it. That administrator must remember to grant the other administrators access to the group policy object, and this has to happen again every time an administrator creates a new group policy object.

I don't know why Microsoft recommends using this approach for group policy delegation, as it is not feasible.

The Solution

Change the template permissions in Active Directory!

By default whenever you create a new GPO the following Active Directory system groups are granted access:
- Authenticated Users
- Domain Admins
- Enterprise Admins

These permissions are the "default" permission template for newly created group policy objects. We can add our own custom groups to this template by modifying the defaultSecurityDescriptor of the Group-Policy-Container class in the Active Directory Schema partition.

To do this, open ADSIEdit and connect to the Schema partition.

View the properties of CN=Group-Policy-Container.

The defaultSecurityDescriptor attribute contains the security template for all new group policy objects. By default, the defaultSecurityDescriptor looks like this:


The defaultSecurityDescriptor is written in Security Descriptor Definition Language (SDDL).

Note: These SIDs will be different in your environment, as the domain portion of a SID is unique to each domain.

The first part of each ACE (access control entry) in the ACL states the rights granted to the group or user; the last part is the SID of that group or user account (well-known groups appear as two-letter aliases such as DA for Domain Admins).

I have created a group called AD-GPO-M that I want to add to the template permissions, so that they get applied to all new group policy objects. I added the following ACE to the end of the SDDL in the defaultSecurityDescriptor attribute; the SID in it is the SID of the AD-GPO-M security group.


On the CN=Group-Policy-Container Active Directory object, the defaultSecurityDescriptor attribute now reads:


Now when I created a new group policy object (GPO) called "Test PCI Member Server", the following permissions were granted by default:

This gives your non-Domain Admins who are members of this group permissions to administer this new group policy object.

Existing group policy objects are not affected, because the template is only applied when a GPO is created; however, you can reset a GPO's permissions to default, which rewrites its ACL from the defaultSecurityDescriptor attribute (and replaces any custom entries that were set on that GPO).
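As an added example (not code from the original post), here is the same schema change done with PowerShell instead of ADSIEdit: it reads the defaultSecurityDescriptor of the Group-Policy-Container class from the schema master, appends an ACE for the delegation group only if one is not already there, and writes the result back. The group name AD-GPO-M comes from the post; the rights string copied from the Domain Admins entry is an assumption, and the script must run as a member of Schema Admins.

```powershell
# Added example (not the post's own code): append a delegation group's ACE to the
# defaultSecurityDescriptor of the Group-Policy-Container schema class.
# Needs the ActiveDirectory module and Schema Admins membership; the write goes to
# the schema master, which the post notes is required in a multi-domain forest.
Import-Module ActiveDirectory

$groupName = 'AD-GPO-M'   # delegation group from the post; change to your own group

# Schema changes must be made on the schema master
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$classDN      = "CN=Group-Policy-Container,$schemaNC"

# SIDs are domain specific: resolve it from the group object, never copy one from elsewhere
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value

$class = Get-ADObject -Identity $classDN -Server $schemaMaster -Properties defaultSecurityDescriptor
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($class.defaultSecurityDescriptor)

# Idempotency check: stop if the template already carries an ACE for this SID
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -is [System.Security.AccessControl.KnownAce] -and $ace.SecurityIdentifier.Value -eq $groupSid) {
        Write-Warning "defaultSecurityDescriptor already contains an ACE for $groupName; nothing to do."
        return
    }
}

# Assumption: grant the group the same rights as the Domain Admins entry (A;CI;...;;;DA)
# in the post. CI means the ACE is inherited by the GPO's child objects.
$newAceSddl = "D:(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;$groupSid)"
$newAce = (New-Object System.Security.AccessControl.RawSecurityDescriptor($newAceSddl)).DiscretionaryAcl[0]

# Insert at the end of the DACL instead of string-appending, so a trailing S: (SACL)
# section, if the template has one, is left intact
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $newAce)
$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

Write-Host "New defaultSecurityDescriptor:`n$newSddl"

# Only newly created GPOs pick this up; existing GPOs need a permissions reset or Set-GPPermission
Set-ADObject -Identity $classDN -Server $schemaMaster -Replace @{ defaultSecurityDescriptor = $newSddl } -Confirm
```

Review the printed SDDL before confirming the write, and keep a copy of the original value so the template can be restored.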

Where are these permissions set?

Permissions for your group policy objects are maintained in two locations.
- Active Directory
- SYSVOL policies container

Whenever you make a change to permissions on a group policy object in group policy management console (GPMC) it will modify permissions on both the Active Directory object and SYSVOL.

In Active Directory, the group policy objects are stored under your domain partition --> System --> Policies (that is, CN=Policies,CN=System,DC=...).

Caution for Multi-Domain Forest

In a multi-domain forest, your administrator account may reside in a child domain and be nested in the Schema Admins group of the forest root domain. When you use ADSIEdit to modify CN=Group-Policy-Container in the schema partition, you may receive the following error:

Operation failed. Error code: 0x202b
A referral was returned from the server.

0000202B: RefErr: DSID-030A0B09, data 0, 1 access points
ref 1:

I found you need to connect to the schema master in your forest root domain to make this change in ADSIEdit. This resolved the problem.


  1. Hello

    Thx for this article !

  7. Clint - excellent blog. Followed the steps and delegated our access so we can work on getting rid of our DA rights. You may want to add that you need to be a DA and a Schema Admin to perform all these steps. You also have to connect to the Schema Master to change the securitydescriptor.

    Here's a PS script to then grant and push the permissions down.
    Set-GPPermissions -DomainName $domain -All -TargetName $group -TargetType Group -PermissionLevel GpoEditDeleteModifySecurity

    My one question revolves around the WMI filters. How can you delegate the permissions in the same way? I've looked at the ADSI Schema entry of GPC-WQL-Filter, GP-Options, Group-Policy-Container, but I must be missing it.

    Thanks again - very helpful,

  8. My defaultSecurityDescriptor seems a bit different to yours, I have (A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA), you have (A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;DA), should I still add my new group with the string you have above? Or should I match it to what my DA string has?

    Also, can you achieve the same result by opening AD Schema, choosing Classes, opening the properties of "groupPolicyContainer", choosing the "Default Security" tab, and adding the new group in there with read\write permissions? (Add is greyed out for me, I assume since I'm not using a Schema Admin account)