Implementing the Security Policy Admins Role

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use the following procedure to implement the security policy admins role.

To implement the one required instance of the Security Policy Admins role

  1. Create a Universal Group called <Forest-Name> Security Policy Admins in the Service Management OU (ou=Service Management, dc=<Forest Root Domain>).

    Note

    If Universal groups are not available, create a Global Security group.

  2. Use the Group Policy Management Console to modify the following permissions on the default Domain Policy object:

    1. Grant the <Forest-Name> Security Policy Admins Edit permissions

    2. Revoke Edit permissions from all other security principals

      Note

      To download GPMC, see the Microsoft Download Center at https://www.microsoft.com/downloads/details.aspx?familyid=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en. GPMC simplifies the management of Group Policy by making it easier to understand, deploy, manage, and troubleshoot Group Policy implementations. GPMC runs on Windows XP Professional SP1 and Windows Server 2003 computers and can manage Group Policy in either Windows 2000 or Windows Server 2003 domains.

  3. Use the Group Policy Management Console to modify the following permissions on the default Domain Controllers Policy object:

    1. Grant the <Forest-Name> Security Policy Admins Edit permissions

    2. Revoke Edit permissions from all other security principals

      Note

      After Edit permissions are revoked from all other security principals, only the <Forest-Name> Security Policy Admins can edit these Group Policy settings based on current permissions. However, any user or group that owns these policy objects, or that holds Modify Security permission on them, can grant themselves Edit permission again. Revoking Edit permissions from all other security principals therefore does not, from a strict security perspective, give the <Forest-Name> Security Policy Admins the exclusive ability to modify these settings. An organization should establish business policies that specify that any changes to the default Domain and default Domain Controllers policies across all domains are made only by the <Forest-Name> Security Policy Admins. The purpose of introducing and enabling this role is to make service management more tractable and to increase accountability.
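The three steps above, carried out as a script, as an added example that is not part of the original Microsoft procedure. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT on Windows Server 2008 R2 or later; the Windows Server 2003 GPMC this page describes has no PowerShell cmdlets), and $ForestName and $ForestRootDn are placeholders to replace with your own values. The final section reports the owner and the Modify Security holders of each policy object, which is the residual-access caveat from the note above.

```powershell
# Added example; not part of the original procedure. Requires the ActiveDirectory and
# GroupPolicy modules (RSAT, Windows Server 2008 R2 or later). Run as a member of a
# group that currently holds Edit/Delete/Modify Security on the two default GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ForestName    = 'CONTOSO'                 # placeholder: your forest name
$ForestRootDn  = 'DC=contoso,DC=com'       # placeholder: your forest root domain DN
$GroupName     = "$ForestName Security Policy Admins"
$ServiceMgmtOu = "OU=Service Management,$ForestRootDn"
$Gpos          = @('Default Domain Policy', 'Default Domain Controllers Policy')

# Step 1: create the group in the Service Management OU.
# Universal scope where the forest supports it; otherwise fall back to Global.
try {
    New-ADGroup -Name $GroupName -GroupScope Universal -GroupCategory Security `
                -Path $ServiceMgmtOu -ErrorAction Stop
} catch {
    Write-Warning "Universal group not created ($($_.Exception.Message)); creating a Global security group instead."
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                -Path $ServiceMgmtOu -ErrorAction Stop
}

# Steps 2 and 3: on each default policy object, grant Edit to the new group and
# revoke Edit from every other trustee that currently holds it.
foreach ($gpo in $Gpos) {
    Set-GPPermission -Name $gpo -TargetName $GroupName -TargetType Group `
                     -PermissionLevel GpoEdit -Replace | Out-Null

    Get-GPPermission -Name $gpo -All |
        Where-Object {
            ($_.Permission -eq 'GpoEdit' -or $_.Permission -eq 'GpoEditDeleteModifySecurity') -and
            $_.Trustee.Name -ne $GroupName
        } |
        ForEach-Object {
            # Other trustees keep Read so they can still view the policy; only Edit is removed.
            # Set-GPPermission accepts User, Group or Computer as the trustee type.
            $type = if ($_.Trustee.SidType -eq 'User') { 'User' } else { 'Group' }
            Set-GPPermission -Name $gpo -TargetName $_.Trustee.Name -TargetType $type `
                             -PermissionLevel GpoRead -Replace | Out-Null
            "{0}: Edit revoked from {1}\{2}" -f $gpo, $_.Trustee.Domain, $_.Trustee.Name
        }
}

# Residual access check (the caveat in the note): the owner of a policy object and any
# trustee with Modify Security rights can re-grant Edit to themselves, so list them for
# review against the organization's change policy.
foreach ($gpo in $Gpos) {
    $g = Get-GPO -Name $gpo
    "{0}: owner = {1}" -f $gpo, $g.Owner
    Get-GPPermission -Name $gpo -All |
        Where-Object { $_.Permission -eq 'GpoEditDeleteModifySecurity' } |
        ForEach-Object { "  can modify security: {0}\{1}" -f $_.Trustee.Domain, $_.Trustee.Name }
}
```

The revocation loop reduces other trustees to Read rather than removing them outright, which matches what the GPMC Delegation tab does when the Edit permission level is removed. The ownership and Modify Security report is worth running again after the change, since the note's point is that those identities, not the permission list alone, determine who can ultimately edit the two default policies.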