I think so. I've done it on several occasions and not run into issues. It's only slightly different than changing security filtering in GPMC.msc. Both affect the actual ACL on the policies folder in sysvol and you can see this reflected in the Delegation tab. The difference is security filtering just changes who has the Apply Group Policy permission. Authenticated Users still have read. If Authenticated Users don't have read to a policy, they hit an access denied when enumerating the GPOs, but it fails gracefully and moves on.
If it makes it more palatable, you can change the perms under the Delegations tab instead of directly on the policy folder.

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Friday, January 06, 2012 4:39 PM
To: NT System Admin Issues
Subject: Re: GPO reset of local non-builtin accounts

On Fri, Jan 6, 2012 at 5:08 PM, Crawford, Scott <[email protected]> wrote:
> One thing that might be satisfactory is to restrict access on the GPO
> to Domain Computers (or some subset) instead of Authenticated Users or
> Domain Users.

Is that, for lack of a better word, "safe"? In other words, is it likely to cause anything else to break? Some MSKB articles give one the impression that SYSVOL will explode if you so much as give it a dirty look; I don't know how much of that is CYA and how much is "really, we mean it, don't screw with this". (E.g., they say that about the registry, too, and as long as you keep your changes limited, you're fine. But they also said that about the "M: drive" in Exchange 2000, and they weren't exaggerating then.)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
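The distinction drawn in the reply above (security filtering leaves Authenticated Users with read, while restricting the GPO to Domain Computers removes it), as an added PowerShell example that is not from anyone in the thread. It classifies permission records shaped like `Get-GPPermission` output; the function name, GPO names and the `Kiosk PCs` group are constructed for illustration.

```powershell
# Added example: classify GPOs by what Authenticated Users can do with them.
# Input records need GpoName, Trustee, Permission (Get-GPPermission level names).
function Get-GpoReadExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Ace
    )
    begin {
        $all = [System.Collections.Generic.List[object]]::new()
        # Each of these standard permission levels includes read access to the GPO.
        $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    }
    process { $all.Add($Ace) }
    end {
        foreach ($g in ($all | Group-Object GpoName)) {
            $au      = $g.Group | Where-Object Trustee -eq 'Authenticated Users'
            $auRead  = [bool]($au | Where-Object Permission -in $readLevels)
            $auApply = [bool]($au | Where-Object Permission -eq 'GpoApply')
            $state = if ($auApply) {
                'Default: Authenticated Users read and apply'
            } elseif ($auRead) {
                'Security filtered: Authenticated Users read, subset applies'
            } else {
                'Read restricted: only listed trustees can read'
            }
            [pscustomobject]@{
                GpoName   = $g.Name
                State     = $state
                AppliesTo = @($g.Group | Where-Object Permission -eq 'GpoApply').Trustee -join ', '
            }
        }
    }
}

# Constructed sample records; all names below are made up. On a domain-joined admin
# host, build the same shape from Get-GPPermission -Guid <id> -All (Trustee.Name, Permission).
$sample = @(
    [pscustomobject]@{ GpoName = 'Baseline';   Trustee = 'Authenticated Users'; Permission = 'GpoApply' }
    [pscustomobject]@{ GpoName = 'Filtered';   Trustee = 'Authenticated Users'; Permission = 'GpoRead' }
    [pscustomobject]@{ GpoName = 'Filtered';   Trustee = 'Kiosk PCs';           Permission = 'GpoApply' }
    [pscustomobject]@{ GpoName = 'Restricted'; Trustee = 'Domain Computers';    Permission = 'GpoApply' }
    [pscustomobject]@{ GpoName = 'Restricted'; Trustee = 'Domain Admins';       Permission = 'GpoEditDeleteModifySecurity' }
)
$sample | Get-GpoReadExposure | Format-Table -AutoSize
```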
