Modifying Permissions on Group Policy Objects

2/9/2009

This topic describes optional steps for modifying permissions on Group Policy objects (GPOs). ADConfig performs these steps automatically when you run it with the /enablegpsecurity parameter, so this section is optional. If you prefer to make the changes manually, the following procedures explain how to:

  • Configuring permissions on existing Group Policy objects
  • Configuring permissions on the Group Policy objects parent folder
  • Configuring the security descriptor of a default Group Policy template

Configuring Permissions on Existing Group Policy Objects

In the following procedure, you configure permissions on the existing GPOs. You must be a member of the Domain Administrators group to perform this action, and you must repeat the procedure once in every domain.

To configure permissions on existing Group Policy objects

  1. Open the Group Policy Management Console.

  2. In the navigation pane, expand Group Policy Objects.

  3. Select each GPO under the Group Policy Objects folder in turn, and choose the Delegation tab.

  4. Choose Add.

  5. In the Select User, Computer, or Group dialog box, enter SCMDMDeviceManagementServers.

  6. Choose OK.

Configuring Permissions on the Group Policy Objects Parent Folder

In the following procedure, you configure permissions on the Group Policy objects parent folder. You must be a member of the Domain Administrators group to perform this action, and you must repeat the procedure once in every domain.

During this process, you need a low-level Active Directory editor such as ADSI Edit (ADSIEdit), which is built on Active Directory Service Interfaces (ADSI). For more information, see Adsiedit Overview on the Microsoft TechNet Web site:

https://go.microsoft.com/fwlink/?LinkId=105659

Important

Modifying Active Directory with a low-level editor such as ADSIEdit can cause problems with your Active Directory structure or environment, including serious system errors that cannot be guaranteed to be resolvable. Modify Active Directory at your own risk.

To configure permissions on the GPO parent folder

  1. Start ADSIEdit.

  2. Expand the domain in which you first ran ADConfig.

  3. Expand CN=System.

  4. Expand CN=Policies.

  5. Right-click the Policies node, and then choose Security.

  6. Choose Add.

  7. In the Select Users, Computers, or Groups dialog box, enter SCMDMDeviceManagementServers, and then choose OK.

  8. In the Permissions list for the added SCMDMDeviceManagementServers group, select Allow for Read, and then choose Advanced.

  9. In Advanced Security Settings under Permission entries, select SCMDMDeviceManagementServers, and then choose Edit.

  10. On the Object tab under Permissions, select List Contents, Read All Properties, and Read Permissions. Choose OK, and then close all dialog boxes.
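The two procedures above (the Delegation tab on each existing GPO, and the read-only entry on CN=Policies in ADSIEdit) can also be scripted. The following is an added example, not part of the original article or of ADConfig itself; it assumes the ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 RSAT or later), Domain Administrators membership, and that the SCMDMDeviceManagementServers group already exists. It ends with a check that the group holds nothing beyond read rights on the container, which is the property a reviewer would want to confirm after either the manual or the scripted change.

```powershell
# Added example: grant SCMDMDeviceManagementServers the same read-only rights the GUI
# procedures configure, then verify that no write/delete/full-control right slipped in.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'SCMDMDeviceManagementServers'
$Domain    = Get-ADDomain
$Group     = Get-ADGroup -Identity $GroupName

# 1. Existing GPOs: equivalent of Delegation tab -> Add with the default Read level.
foreach ($gpo in Get-GPO -All -Domain $Domain.DNSRoot) {
    Set-GPPermission -Guid $gpo.Id -Domain $Domain.DNSRoot `
        -TargetName $GroupName -TargetType Group -PermissionLevel GpoRead | Out-Null
}

# 2. GPO parent folder: List Contents, Read All Properties and Read Permissions on
#    CN=Policies,CN=System for this object only (steps 5-10 of the ADSIEdit procedure).
$policiesDn = "CN=Policies,CN=System,$($Domain.DistinguishedName)"
$policies   = [ADSI]"LDAP://$policiesDn"
$rights     = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $Group.SID,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$policies.ObjectSecurity.AddAccessRule($ace)
$policies.CommitChanges()

# 3. Verification: every Allow entry for the group must be a subset of read-type rights.
$readOnly = [int][System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl, GenericRead, ListObject'
$entries  = (Get-Acl -Path "AD:\$policiesDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" }
foreach ($entry in $entries) {
    $extra = [int]$entry.ActiveDirectoryRights -band (-bnot $readOnly)
    if ($entry.AccessControlType -eq 'Allow' -and $extra -ne 0) {
        $extraNames = [System.DirectoryServices.ActiveDirectoryRights]$extra
        Write-Warning "Over-granted rights for ${GroupName} on ${policiesDn}: $extraNames"
    } else {
        Write-Output "OK: $GroupName holds $($entry.ActiveDirectoryRights) on $policiesDn"
    }
}
```

Run the script once per domain, as the manual procedures require; the schema default security descriptor in the next section is forest-wide and is not touched here.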

Configuring the Security Descriptor of a Default Group Policy Template

In the following procedure, you configure the default security descriptor of the groupPolicyContainer schema class, so that GPOs created later carry the required permissions. You must be a member of the Schema Administrators group to perform this action. You perform this once per enterprise, because the schema is shared by the whole forest.

To configure the security descriptor of the default Group Policy template

  1. Open Microsoft Management Console (MMC) and add the Active Directory Schema snap-in.

  2. Expand Classes, right-click groupPolicyContainer, and then choose Properties.

  3. Choose the Default Security tab.

  4. Choose Add.

  5. In the Select Users, Computers, or Groups dialog box, enter SCMDMDeviceManagementServers, and then choose OK.

  6. In the Permissions list for the added SCMDMDeviceManagementServers group, select Allow for Read, and then choose Advanced.

  7. In Advanced Security Settings under Permission entries, select SCMDMDeviceManagementServers, and then choose Edit.

  8. On the Object tab under Permissions, select List Contents, Read All Properties, and Read Permissions. Choose OK, and then close all dialog boxes.