Getting back to the problems with GPO processing that appear after installing the update from the MS16-072 (KB3163622) security bulletin, I’d like to mention another important point. As you remember, to make GPO Security Filtering work correctly after this update is installed on clients, you have to manually edit every policy that uses Security Filtering and grant the Read permission to Domain Computers on the Delegation tab (or switch completely to Item-Level Targeting). But what about new policies? Will you really have to edit the ACL of every new GPO by hand?
Fortunately not. You can change the default permissions in the ACL template that is used when a new GPO is created. This ACL is stored in the defaultSecurityDescriptor attribute of the Group-Policy-Container object in the AD schema. Let’s see how to modify the AD schema so that new policies are created with the permissions you need. In our example, we need to add the Read permission for the Domain Computers group.
- If AD tools are installed on your server, start the ADSIEdit.msc console. Select Action -> Connect to from the menu and connect to the schema naming context of your domain (Schema).
- In the schema tree, go to CN=Schema, CN=Configuration and find CN=Group-Policy-Container in the right pane.
- Double-click this container and find the defaultSecurityDescriptor attribute. The permissions applied to newly created GPOs are stored here in SDDL (Security Descriptor Definition Language) format.
- Select the SDDL string and copy it to Notepad (so that you can restore the default value later).
By default, the following groups have privileges for GPOs:
- Authenticated Users
- Domain Admins
- Enterprise Admins
- ENTERPRISE DOMAIN CONTROLLERS
- Add the following value to the end of the SDDL string: (A;CI;LCRPLORC;;;DC)
- Save the changes.
- To apply the changes, reload the schema. To do it, open the mmc console and add the Active Directory Schema snap-in (if the snap-in is not listed, register the schmmgmt.dll library with regsvr32 and restart mmc). Right-click Active Directory Schema and select Reload the Schema.
Now create a new GPO and make sure that the Read permission for the Domain Computers group appears on its Delegation tab.
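The same change can be scripted instead of clicking through ADSI Edit. The following PowerShell is an added example, not code from the original article: it reads the defaultSecurityDescriptor of the Group-Policy-Container class, backs the original SDDL up to a file, appends the article's ACE (A;CI;LCRPLORC;;;DC) only if it is not already present, validates that the result still parses as a security descriptor, writes it back on the schema master, and reloads the schema cache. In that ACE, A means allow, CI means the entry is inherited by child containers, LCRPLORC is the list-children, read-property, list-object and read-control rights that together make up Read, and DC is the SDDL alias for Domain Computers. It assumes the ActiveDirectory RSAT module is installed, that the account running it is a member of Schema Admins, and that the backup path under $env:TEMP is acceptable (all three are assumptions, not something the article states).

```powershell
# Added example (not from the original article): append the Domain Computers read ACE to the
# defaultSecurityDescriptor of the Group-Policy-Container schema class.
# Assumes: ActiveDirectory module (RSAT) present, caller is a member of Schema Admins.
Import-Module ActiveDirectory

# ACE from the article: Allow, container-inherit, LC+RP+LO+RC (= Read) for DC = Domain Computers
$ReadAce = '(A;CI;LCRPLORC;;;DC)'

# Schema writes must go to the schema master, so target it explicitly.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$gpcClass     = Get-ADObject -Server $schemaMaster `
                             -Identity "CN=Group-Policy-Container,$schemaNC" `
                             -Properties defaultSecurityDescriptor
$current      = [string]$gpcClass.defaultSecurityDescriptor

# Keep a copy of the original SDDL so the change can be reverted (backup path is an assumption).
$backup = Join-Path $env:TEMP 'GPC-defaultSecurityDescriptor.bak'
Set-Content -Path $backup -Value $current
Write-Host "Original SDDL saved to $backup"

if ($current.Contains($ReadAce)) {
    Write-Host 'Domain Computers read ACE is already present; nothing to change.'
}
else {
    # The ACE belongs at the end of the DACL. If the string happens to carry a SACL
    # section (S:...), insert the ACE before it; otherwise plain concatenation is correct.
    if ($current -match '^(?<dacl>.*?)(?<sacl>S:.*)$') {
        $new = $Matches.dacl + $ReadAce + $Matches.sacl
    }
    else {
        $new = $current + $ReadAce
    }

    # Fail here, before touching the schema, if the edited SDDL does not parse.
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor($new)

    Set-ADObject -Server $schemaMaster -Identity $gpcClass.DistinguishedName `
                 -Replace @{ defaultSecurityDescriptor = $new }

    # Reload the schema cache; this is the scripted equivalent of
    # "Reload the Schema" in the Active Directory Schema snap-in.
    $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
    Write-Host 'defaultSecurityDescriptor updated and schema reloaded.'
}
```

After running it, create a test GPO and confirm the result from the GroupPolicy module with Get-GPPermission -Name "<your test GPO>" -TargetName "Domain Computers" -TargetType Group, which should report GpoRead. As with the manual procedure, this affects only GPOs created from now on; policies that already exist still need their Delegation tab edited individually.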