Update the default GPO permissions

This article ( https://support.microsoft.com/en-us/kb/321476) explains how to alter the default permissions on all new GPOs you create however it doesn’t really explain what you are doing which means at best you didn’t learn anything while doing it and at worse didn’t actually achieve what you set out to do.  the article also doesn’t tell you how to deal with all the existing GPOs either and doing this manually is just not going to scale. Doubly worse is that the SDDL they publish is actually incorrect and has errors in it.

The internet is full of mis-information ( hopefully this article is not compounding that )

They tell you to use this SDDL:
D:P(A;CI;RPLCLOLORC;;;DA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;EA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)

I’ve highlighted the repeated permissions – clearly that’s not right.

In messing with my system, and people had already been updating the schema before I started meddling too, I realised I could not find the ‘Out of the box’ permissions published anywhere on the tinternet!  So here it is should you need it.  I got this from a default out of the box domain I had lying around :-).

D:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)

Why might I want to change the default GPO permissions?

The main reason is to support the least privilege paradigm.  By default only Domain Admins can create and administer GPOs.  Microsoft thoughtfully set up a special group that allows you to delegate the right to create GPOs called the ‘Group Policy Creator Owners’ Group.  However you also need the right to link group policy to an OU but even then only the person who creates the GPO and the domain admins can administer the GPO.  That’s not particularly good is it?  ( Clint Boessen’s  blog described the problem for you )

Education or dedication, administrator will always do what they think is right so we need to help them get it right first time

These problems can be solved by educating the users that create the GPOs to delegate access to the GPOs to groups.  The issue with that is we are all human.  In a large environment there is little you can do to solve this.  In small environments you can definitely improve on this.  Even in large environments this will improve things by removing the need to be a domain admin to administer all the group policies in your environment.

Set up the AAD groups to delegate EDIT and MANAGE GPO rights

Start by creating three groups in AD, gpo-editGPLink, gpo-editors and gpo-managers.  Add the gpo-editors and gpo-managers groups to the builtin Group Policy Creator Owners group.  This will allow them to create GPOs but not link them.   Delegate the write gpLink to the domain object and add the gpo-Managers group to the gpo-editGPLink  group.

Determine the SDDL you want to add to the default setting

That’s the groups set up now modify the schema ( carefully of course ) so that the two groups are added to all new GPOs.

Consider using the ‘clean’ default above if your schema has already been modified

When I ‘googled’ for the way to do this I only found people delegating how to delegate MODIFY and no one seemed to show the SDDL for an EDIT ACE or how to change the default owner which is Domain Admins by the way.

The method I used was this.

  1. Create a NEW GPO
  2. Use PowerShell to determine the current SDDL
    1. View the GPO in GPMC and select the details tab
    2. Get the UniqueID ( which will be a GUID )
    3. Use the following command
      $(Get-ACL “AD:/<GPOGUID>,CN=Policies,CN=System,DC=AD,DC=COM”).sddl
    4. Save the SDDL in case you need to roll back the changes
    5. Modify the ACL on the NEW GPO adding the EDIT and MODIFY group with appropriate delegation
    6. Set the GPO owner as the MODIFY group
    7. Use the same command as above to grab the new SDDL
    8. it will now have 2 new ACEs with SIDs in, one for the EDIT and MANAGER groups

Check that the owner definition is also updated to one of the SIDs

The SDDL header becomes O:<GroupSID>G:DAD:PAI

Your SDDL should look like this:
O:G:DAD:PAI(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;)(A;CI;CCDCLCRPWPRC;;;)

The Creator Owner SDDL may actually be (A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO) but that’s because it’s applied to a single GPO it should be:
(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO) in the default.

NOTE all we really did was add 2 new ACES to the current default
(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;)
(A;CI;CCDCLCRPWPRC;;;)
and modified the default Owner O:G:DAD:PAI in the SDDL header.

Now update the schema

CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=ad,DC=man,DC=com

Using ADSIEdit.msc and paste the required SDDL into the attribute value.

NOTE: You need to be a schema admin to do this obviously.

The last bit is to reset the permissions on each GPO that already exists and the easy way to do this is to use PowerShell.

Dell publish a script which can be found here.

https://support.software.dell.com/gpoadmin/kb/209382 however this too only adds a single security principle which Dell suggest is the GPO Admin service account.  You can easily modify the script to add both permissions as follows:

 

$domain = “<YourDOmain>”

$Manager = “gpo-Managers”

$editor = “gpo-Editors”

 

function Usage {

Grants the specified service account Edit settings, delete, and modify security and assigns ownership to all the GPOs in the specified domain.

 

GPOADmin.AddServiceAccountToAllGPOs -Domain <string> -ServiceAccount <string>

-Domain: Specifies the DNS name of the domain in which to modify the GPOs.

-ServiceAccount: Specifies the account in domain\user format that will be

granted access to and made the owner of all the GPOs.

 

Example:

GPOADmin.AddServiceAccountToAllGPOs -Domain “MyDomain.com” -ServiceAccount “mydomain\Service Account”

 

exit 1

}

 

 

if( !$Domain -or !$Manager)

{

Usage

}

 

Function UpdateGPOPermissions

{

param( [System.Object] $gpo)

$Script:result = $true

Trap [System.Exception]

{

write-host $_.Exception.Message;

$Script:result = $false

}

# Assign the new permission.

$gpmGPOSecurityInfo = $gpo.GetSecurityInfo()

$gpmGPOSecurityInfo.Add($gpmGPOEditSecurityAndDeletePermission)

$gpmGPOSecurityInfo.Add($gpmGPOEditSecurity)

$gpo.SetSecurityInfo($gpmGPOSecurityInfo)

 

# Make the service account the owner.

$adGPO = new-Object -typename System.DirectoryServices.DirectoryEntry(“LDAP://” + $Domain + “/” +$gpo.Path);

$owner = $adGPO.ObjectSecurity.GetOwner([System.Security.Principal.NTAccount]);

$adGPO.ObjectSecurity.SetOwner( $managerAccount );

$adGPO.CommitChanges();

return $Script:result

}

 

# Create an NTAccount object using the specified service account.

$managerAccount= new-object system.security.principal.ntaccount($Manager)

$editorAccount= new-object system.security.principal.ntaccount($editor)

 

# Create the GPMC Main object.

$gpm = New-Object -ComObject GPMgmt.GPM

 

# Load the GPMC constants.

$gpmConstants = $gpm.GetConstants()

 

# Connect to the domain passed using any DC.

$gpmDomain = $gpm.GetDomain($Domain, “”, $gpmConstants.UseAnyDC)

 

# Create a new empty instance of a search criteria.

$gpmSearchCriteria = $gpm.CreateSearchCriteria()

 

# Perform a search with an empty search criteria to return ALL GPOs.

$gpmGPOs = $gpmDomain.SearchGPOs($gpmSearchCriteria)

 

# Create a new permission granting the service account Edit, Modify Security, and Delete.

$gpmGPOEditSecurityAndDeletePermission = $gpm.CreatePermission($Manager, $gpmConstants.permGPOEditSecurityAndDelete, $true)

$gpmGPOEditSecurity = $gpm.CreatePermission($editor, $gpmConstants.permGPOEdit , $true)

 

# For each GPO…

foreach( $gpmGPO in $gpmGPOs)

{

trap

{

Write-Host $_.Exception.Message;

if( $_.Exception.InnerException -ne $null)

{

Write-Host $_.Exception.InnerException.Message;

}

continue;

}

# Update the status.

Write-Host -NoNewline (“Granting the service account ‘$Manager’ access to the GPO ‘{0}’…” -f $gpmGPO.DisplayName)

# Grant permissions for the current GPO.

$result = UpdateGPOPermissions $gpmGPO

if( $result -eq $true)

{

Write-Host Success!

}

else

{

Write-Host Failed!

}

}

 

 

 

 

 

 

 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.