Re: ACL on GPO link




To take it a step further from what Mark has said, if, for example, an administrator was not domain admin equivalent and could not take ownership of any AD object and change its permissions, you could prevent them from writing the gpLink attribute on the domain NC head. That would effectively prevent them from unlinking your GPO. But, because of the way links are stored, they would also not be able to add any new links to the domain, nor remove other GPO links. The gpLink attribute is monolithic in that each link is stored in a concatenated list of GPO GUIDs (along with a flag). Thus being able to write the gpLink attribute means you can link or unlink any GPO from that container, and not being able to write to it means...that you can't!

Hope that helps.

Darren

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
*******************************
Secure and configure your Windows desktops accurately every time without having to learn or install new technology.
Find out more about Desktop Policy Manager at http://www.sdmsoftware.com/desktop_management
*******************************



"Mark Heitbrink [MVP]" <spam-only@xxxxxxxxxxxxxxxxxxxxx> wrote in message news:efeI1rOlIHA.5820@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

Johni schrieb:
Somebody who has the rights to manage links can delete my GPO link and
then put a link with his own GPO, with different policies.

... but only if he has the right to write/change files inside SYSVOL and
objects inside cn=policies,cn=system,dc=yourdom,dc=dom

That means: he is an Admin. And if he is an Admin, you can not deny ANYTHING!
A person who can manage links everywhere is as well an admin ...

Creation and Linking are two separate roles, because they appear at
different objects.

If someone is permitted to link, he has at least the right to modify
the "gpLink" Attribute on a Site, Domain or OU, which can be delegated.
But if he is permitted to link, he is not allowed to create an OU, he only
can link an existing one.
If someone is allowed to create a GPO, he does not necessarily have the
right to link this object on every OU.

If someone is "unlinking" your GPO and replacing it, then you do not have
a problem that can be caught by security options, it only can be handled
by his employee contract. If he is reverting settings a Domain Admin has
set, then this usually happens only once. The second time he is no longer
an employee ... easy and functional. So, no Problem at all.

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
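As an added worked example (not code from either post above), the PowerShell below shows the two points the thread makes: Mark's, that linking is a delegable write on the gPLink attribute of a site, domain or OU, and Darren's, that gPLink is a single concatenated list, so denying a write on that one attribute removes the ability to link, unlink or re-order any GPO on that container. It parses a constructed gPLink value into one object per link with its flag bits, then adds and verifies a Deny WriteProperty ACE scoped to the gPLink attribute on the domain NC head. It assumes the ActiveDirectory module (which provides the AD: drive) on a domain-joined host with rights to read and modify the target's DACL; the sample gPLink string, the DC=contoso,DC=com domain and the 'CONTOSO\OU Admins' group are constructed placeholders. The schemaIDGUID of gPLink is looked up from the schema rather than hard-coded.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# PowerShell module (AD: drive) on a domain-joined host with rights to read
# and, for Deny-GpLinkWrite, modify the target container's ACL. The sample
# gPLink value, domain name and group name below are constructed.

function ConvertFrom-GpLink {
    <# Split a raw gPLink value into one object per linked GPO. #>
    param([Parameter(Mandatory)][AllowEmptyString()][string]$GpLink)

    # gPLink is ONE string of concatenated entries:
    #   [LDAP://<GPO DN>;<flags>][LDAP://<GPO DN>;<flags>]...
    # flags: 0 = normal, 1 = link disabled, 2 = enforced, 3 = disabled + enforced.
    # Position in the list is the link order; lowest number wins precedence.
    $order = 0
    foreach ($m in [regex]::Matches($GpLink, '\[LDAP://([^;\]]+);(\d+)\]')) {
        $order++
        $dn    = $m.Groups[1].Value
        $flags = [int]$m.Groups[2].Value
        [pscustomobject]@{
            Order    = $order
            GpoGuid  = ($dn -replace '^cn=\{?([0-9a-f-]+)\}?,.*$', '$1')
            GpoDN    = $dn
            Disabled = [bool]($flags -band 1)
            Enforced = [bool]($flags -band 2)
        }
    }
}

function Get-GpLinkAttributeGuid {
    <# Resolve the schemaIDGUID of gPLink from the schema NC instead of hard-coding it. #>
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=gPLink)' -Properties schemaIDGUID
    [guid]$attr.schemaIDGUID
}

function Deny-GpLinkWrite {
    <# Add a Deny WriteProperty ACE for the gPLink attribute on one container.
       Because gPLink is a single attribute, this blocks linking, unlinking and
       re-ordering of EVERY GPO on that container for $Identity. #>
    param(
        [Parameter(Mandatory)][string]$Identity,                 # e.g. 'CONTOSO\OU Admins' (constructed)
        [string]$TargetDN = (Get-ADDomain).DistinguishedName     # domain NC head by default
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Deny,
        (Get-GpLinkAttributeGuid),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl = Get-Acl -Path "AD:\$TargetDN"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

function Test-GpLinkWriteDenied {
    <# List the ACEs on $TargetDN that are scoped to the gPLink attribute, so the
       Deny can be verified next to any delegated Allow entries. #>
    param([string]$TargetDN = (Get-ADDomain).DistinguishedName)
    $guid = Get-GpLinkAttributeGuid
    (Get-Acl -Path "AD:\$TargetDN").Access |
        Where-Object { $_.ObjectType -eq $guid } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
}

# --- Usage -------------------------------------------------------------------
# 1. Parse a constructed gPLink value (two links; the second one is enforced).
$sample = '[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=contoso,DC=com;0]' +
          '[LDAP://cn={6AC1786C-016F-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=contoso,DC=com;2]'
ConvertFrom-GpLink -GpLink $sample | Format-Table -AutoSize

# 2. Against a live domain: read the real attribute, lock it for one group, verify.
# (Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties gPLink).gPLink | ConvertFrom-GpLink
# Deny-GpLinkWrite -Identity 'CONTOSO\OU Admins'
# Test-GpLinkWriteDenied
```

Two caveats a practitioner should keep in mind. First, the Deny is as strong as the DACL that carries it: a principal with WriteDacl or WriteOwner on the NC head, or membership in Domain Admins, can simply remove the ACE, which is exactly the limit Darren describes. Second, because the ACE covers the whole attribute, it cannot be narrowed to "may not unlink GPO X but may still link GPO Y"; if that granularity is needed, it has to come from process and auditing rather than from the ACL.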



