The GPTalk Mailing List

The GPTALK mailing list is where you can send and receive email related to Windows Group Policy. You must subscribe to the list to send and receive mail from the list. The purpose of the list is to provide a forum for asking and answering technical questions related to Group Policy. Any question is fair game as long as it is related to Windows Group Policy. The archives for this list can be found on this page.

 

List Posts

Subject: [gptalk] Starter GPO creation delegation

imprise_server

Posts:14

02/02/2009 5:00 PM  
Hi all;

As you know, when we create a new Starter GPO, the StartGPO folder is automatically created in the SYSVOL folder. Right? And also the Delegation tab of the Starter GPO in GPMC reflects exactly the NTFS permissions of the StarterGPO folder. Now:

Although the Authenticated Users group cannot create Starter GPOs, the interface shows that Authenticated Users can create Starter GPOs. What is your opinion?

Thanx

-------------------------------------------------------
Reza Alikhani
Microsoft Certified System Administrator (MCSA on Windows Server 2003)
Microsoft Certified Technology Specialist (MCTS on ISA Server 2006)
Microsoft Certified Professional (MCP)
-------------------------------------------------------



omar

Posts:98

02/02/2009 6:06 PM  
Yes, that is deceptive and a cause for security concern.

If you take a closer look at the default NTFS permissions created on the folder in SYSVOL, you will see that Authenticated Users only have basically read and execute at the startgpo folder (this folder only). So in order for an authenticated user to create a new Starter GPO, they would indeed require read and write permissions on that folder.

I don't think there is a security issue here.

The problem is that as long as there is an access control entry on that folder, if that entry has any permission other than a deny permission, it will show up in the GPMC.


Omar Droubi
xxxxxxxxxxxxxxxx<mailto:xxxxxxxxxxxxxxxx>
650-726-0300
________________________________
From: xxxxxxxxxxxxxxxx [xxxxxxxxxxxxxxxx] On Behalf Of Reza Alikhani [xxxxxxxxxxxxxxxx]
Sent: Monday, February 02, 2009 01:54 PM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] Starter GPO creation delegation

Hi all;

As you know, when we create a new Starter GPO, the StartGPO folder is automatically created in the SYSVOL folder. Right? And also the Delegation tab of the Starter GPO in GPMC reflects exactly the NTFS permissions of the StarterGPO folder. Now:

Although the Authenticated Users group cannot create Starter GPOs, the interface shows that Authenticated Users can create Starter GPOs. What is your opinion?

Thanx

-------------------------------------------------------
Reza Alikhani
Microsoft Certified System Administrator (MCSA on Windows Server 2003)
Microsoft Certified Technology Specialist (MCTS on ISA Server 2006)
Microsoft Certified Professional (MCP)
-------------------------------------------------------
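
The distinction drawn in the reply above, between an ACE that merely appears on the folder and an ACE that actually permits creating a Starter GPO subfolder, can be checked per entry. This is an added example, not part of the original thread; the function name, the CONTOSO entries and the sample ACEs are constructed, and the live path in the final comment is a placeholder.

```powershell
# Added example. Per-ACE view only: it does not compute effective access
# (group membership, Deny precedence); it shows what each entry grants.
function Get-StarterGpoCreateRight {
    param(
        [Parameter(Mandatory)]
        [System.Security.AccessControl.FileSystemAccessRule[]]$Rule
    )
    # Assumption: creating a Starter GPO means creating a subfolder here,
    # so CreateDirectories (same bit as AppendData) is the right to look for.
    $create      = [System.Security.AccessControl.FileSystemRights]::CreateDirectories
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($ace in $Rule) {
        $isAllow     = $ace.AccessControlType -eq 'Allow'
        # Inherit-only entries apply to children, not to the folder itself.
        $appliesHere = ($ace.PropagationFlags -band $inheritOnly) -ne $inheritOnly
        $hasCreate   = ($ace.FileSystemRights -band $create) -eq $create

        [pscustomobject]@{
            Identity      = $ace.IdentityReference.Value
            Rights        = $ace.FileSystemRights
            # As stated in the reply above: any non-Deny entry is listed in GPMC.
            ListedInGpmc  = $isAllow
            CanCreateHere = $isAllow -and $appliesHere -and $hasCreate
        }
    }
}

# Constructed sample ACEs (not read from a real domain).
$t = 'System.Security.AccessControl.FileSystemAccessRule'
$sample = @(
    # Read and execute, this folder only, as described in the thread.
    (New-Object $t -ArgumentList 'Authenticated Users', 'ReadAndExecute', 'None', 'None', 'Allow'),
    # Hypothetical delegated group that really can create subfolders.
    (New-Object $t -ArgumentList 'CONTOSO\StarterGpoEditors', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'),
    # Full control, but inherit-only: does not apply to the folder itself.
    (New-Object $t -ArgumentList 'CONTOSO\ChildOnlyAdmins', 'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow')
)

Get-StarterGpoCreateRight -Rule $sample | Format-Table -AutoSize

# Against a live folder (placeholder path, run with read access to SYSVOL):
# Get-StarterGpoCreateRight -Rule (Get-Acl '\\<domain>\SYSVOL\<domain>\StarterGPOs').Access
```

With the sample input, all three entries are listed but only the `Modify` entry has `CanCreateHere` set to `True`.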



Copyright 2009 by GPOGUY.COM