Posted on October 12, 2016 · Posted in Active Directory, Group Policies

How to Change Default Permissions for New GPOs

Returning to the GPO processing problems caused by installing the updates from the MS16-072 (KB3163622) security bulletin, I'd like to cover another important point. As you remember, to keep GPO Security Filtering working correctly after this update is installed on clients, you have to manually edit every policy that uses Security Filtering and grant the Domain Computers group Read permission on the Delegation tab (or switch completely to Item-Level Targeting). But what about new policies? Will you really have to edit the ACL of every new GPO manually?

Fortunately, no. You can edit the default permissions in the ACL template that is used whenever a new GPO is created. This ACL is stored in the defaultSecurityDescriptor attribute of the Group-Policy-Container object in the AD schema. Let's consider how to modify the AD schema so that new policies are created with specific permissions. In our example, we need to add Read permission for the Domain Computers group.

Note. To make changes to the Active Directory schema, your account has to be a member of the Schema Admins group.

Important. Be very careful when making changes to the AD schema!

  1. If the AD tools are installed on your server, start the ADSIEdit.msc console. Select Action -> Connect to from the menu and connect to the schema naming context of your domain (Schema).
  2. In the schema tree, go to CN=Schema, CN=Configuration and find CN=Group-Policy-Container in the right pane.
  3. Double-click this container and find the defaultSecurityDescriptor attribute. The permissions applied to newly created GPOs are stored here in SDDL (Security Descriptor Definition Language) format.
  4. Select the SDDL string and copy it to Notepad (so that you can return to the default value later).

    By default, the following groups have privileges for GPOs:

    • Authenticated Users
    • Domain Admins
    • Enterprise Admins
    • SYSTEM

  5. Add the following value to the end of the SDDL string: (A;CI;LCRPLORC;;;DC)

    Note. What does this string mean?

    Access type: A = Access Allowed

    ACE flag: CI = Container Inherit

    Access rights:
    LC = List Contents
    RP = Read All Properties
    LO = List Object
    RC = Read Permissions

    Access subject: DC = Domain Computers

  6. Save the changes.
  7. To apply the changes, reload the schema. To do it, open the mmc console and add the Active Directory Schema snap-in (if there is no such snap-in, register the library with regsvr32 schmmgmt.dll and restart the mmc console). Right-click Active Directory Schema and select Reload the Schema.
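The same change can be scripted instead of clicking through ADSIEdit. The following PowerShell is an added example and is not part of the original article: it reads the current defaultSecurityDescriptor of the Group-Policy-Container class from the schema master, saves a backup copy (the scripted version of step 4), appends the article's ACE only if it is not already there, validates that the result still parses as a security descriptor, writes it back, and triggers a schema cache reload through the rootDSE schemaUpdateNow operation. It assumes the ActiveDirectory RSAT module, a session running as a member of Schema Admins, and the backup file path shown, which is an arbitrary choice.

```powershell
# Added example (not from the original article): append the Domain Computers
# read ACE to the defaultSecurityDescriptor of the Group-Policy-Container
# schema class. Requires the ActiveDirectory module and Schema Admins rights.
Import-Module ActiveDirectory

# The ACE from the article: Allow, Container Inherit, LC+RP+LO+RC, Domain Computers.
$AceToAdd = '(A;CI;LCRPLORC;;;DC)'

# Schema changes must be written to the schema master FSMO holder.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$gpcClassDN   = "CN=Group-Policy-Container,$schemaNC"

$gpcClass = Get-ADObject -Identity $gpcClassDN -Server $schemaMaster `
                         -Properties defaultSecurityDescriptor
$current  = $gpcClass.defaultSecurityDescriptor

# Keep a copy of the original SDDL so the change can be reverted.
# The path is an assumption; use whatever location fits your environment.
$backupPath = Join-Path $env:TEMP 'gpc-defaultSecurityDescriptor.bak.txt'
Set-Content -Path $backupPath -Value $current -Encoding ASCII
Write-Host "Current value saved to $backupPath"

if ($current.Contains($AceToAdd)) {
    Write-Host 'The Domain Computers read ACE is already present; nothing to do.'
    return
}

$new = $current + $AceToAdd

# Sanity check: make sure the new string is still a valid security descriptor
# before it is written to the schema (throws on malformed SDDL).
$check = New-Object System.DirectoryServices.ActiveDirectorySecurity
$check.SetSecurityDescriptorSddlForm($new)

Set-ADObject -Identity $gpcClassDN -Server $schemaMaster `
             -Replace @{ defaultSecurityDescriptor = $new }

# Reload the schema cache on the schema master (the scripted equivalent of
# "Reload the Schema" in the AD Schema snap-in).
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# Read the attribute back and confirm the ACE is now at the end of the string.
$after = (Get-ADObject -Identity $gpcClassDN -Server $schemaMaster `
                       -Properties defaultSecurityDescriptor).defaultSecurityDescriptor
if ($after.EndsWith($AceToAdd)) {
    Write-Host 'Schema default updated: new GPOs will grant Read to Domain Computers.'
} else {
    Write-Warning 'defaultSecurityDescriptor did not change as expected; check the backup and retry.'
}
```

To roll back, read the saved SDDL from the backup file and write it with the same Set-ADObject -Replace call, then reload the schema again.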

Now try to create a new GPO and make sure that Read permissions for the Domain Computers group appear on the Delegation tab.


Note. This change applies only to new GPOs; the permissions of existing policies still have to be edited manually.
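For the existing policies, an audit across all GPOs is quicker than opening each Delegation tab. The following PowerShell is an added example, not part of the original article: it lists every GPO where Authenticated Users no longer has any permission (that is, Security Filtering is in use) and Domain Computers has no entry of its own, which is exactly the combination that breaks after MS16-072, and optionally grants Domain Computers the GpoRead level on those GPOs. It assumes the GroupPolicy RSAT module, a domain-joined session with rights to edit GPO permissions, and uses the well-known SID S-1-5-11 for Authenticated Users and the domain-relative RID 515 for Domain Computers; the $DryRun switch is this example's own.

```powershell
# Added example (not from the original article): audit existing GPOs for the
# MS16-072 condition and grant Domain Computers read access where it is missing.
Import-Module GroupPolicy

$DryRun = $true              # set to $false to actually modify the GPO ACLs
$authUsersSid = 'S-1-5-11'   # well-known SID: Authenticated Users
$domainComputersRid = '-515' # Domain Computers is <domain SID>-515

$result = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All

    # Any non-denied entry for Authenticated Users means computers can still
    # read the GPO, so it is not affected by the update.
    $authUsersHasAccess = $perms | Where-Object {
        $_.Trustee.Sid -and $_.Trustee.Sid.Value -eq $authUsersSid -and -not $_.Denied
    }
    $domainComputersHasAccess = $perms | Where-Object {
        $_.Trustee.Sid -and $_.Trustee.Sid.Value.EndsWith($domainComputersRid) -and -not $_.Denied
    }

    if (-not $authUsersHasAccess -and -not $domainComputersHasAccess) {
        $action = 'would grant GpoRead'
        if (-not $DryRun) {
            Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' `
                             -TargetType Group -PermissionLevel GpoRead | Out-Null
            $action = 'granted GpoRead'
        }
        [pscustomobject]@{
            Name   = $gpo.DisplayName
            Id     = $gpo.Id
            Action = $action
        }
    }
}

if ($result) {
    $result | Format-Table -AutoSize
} else {
    Write-Host 'No GPOs found where Domain Computers lacks read access.'
}
```

Run it first with $DryRun left at $true to review the list; GPoRead only adds the Read permission and does not change the Apply (Security Filtering) entries, so the filtering itself stays as configured.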
