Friday, 22 October 2010

Modifying security settings of GPO directly through SYSVOL

Occasionally you may need to remove some of the security settings applied to a GPO directly.
In this case, navigate to the policy folder in SYSVOL.
Then, inside the policy folder, choose Machine - Microsoft - Windows NT - Secedit and open up the GptTmpl.inf file.
So, for example, to remove all settings associated with services, delete the lines from [Service General Setting] to the end of the last service line.
Saving this file and then opening GPMC (ensuring that the GPMC console is pointing at the same DC that you made the edit on), you'll see that all system service settings have been removed.

When is this useful? Well, if you mess around with the service security settings and decide that you no longer want to touch security of the services through the GPO, it is pretty much impossible to reset to the default permissions without actually explicitly setting the default permissions on the service, at which point you're still controlling access permissions within the GPO.

1 comment:

  1. Note that GPOs can be copied across forests using the guidance here: