You can use the following process to modify the defaultSecurityDescriptor attribute of the Group-Policy-Container classSchema object. Note that because this is a schema change, it starts a full replication for all global catalog servers (GCs) across the forest. Schema permissions are expressed in the Security Descriptor Definition Language (SDDL). For more information about SDDL, visit the following Microsoft Web site:
To modify the defaultSecurityDescriptor attribute of the Group-Policy-Container classSchema object:
- Log on to the forest schema master domain controller with an account that is a member of the Schema Admins group.
- Start Mmc.exe, and then add the Active Directory Schema snap-in. (If the snap-in is not listed, register it first by running regsvr32 schmmgmt.dll.)
- Right-click Active Directory Schema, and then click Operations Master.
- Click The Schema may be modified on this domain controller, and then click OK. (This check box exists on Windows 2000; on Windows Server 2003 and later, schema updates are enabled on the schema master by default and this step is not needed.)
- Use ADSI Edit to open the Schema naming context, and then locate the CN=Group-Policy-Container object (its objectClass is classSchema).
- View the properties of the object, and then find the defaultSecurityDescriptor attribute.
- Paste the following string into the value. It reduces Domain Admins (DA) to read access so that only Enterprise Admins (EA), together with CREATOR OWNER (CO) and SYSTEM (SY), keep write permissions; Authenticated Users (AU) keep read access plus the Apply Group Policy control access right (the GUID edacfd8f-ffb3-11d1-b41d-00a0c968f939). The leading P flag marks the DACL as protected, so inheritable ACEs from the parent container cannot add further writers:
D:P(A;CI;RPLCLOLORC;;;DA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;EA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)
To give an additional group write permissions, append the following text to the end of the previous string:
(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;Group_SID)
Note that Group_SID is the SID (for example, S-1-5-21-...-1105) of the group to which you are granting permissions; use the SID rather than a group name so that the ACE resolves the same way on every domain controller in the forest.
Note For Windows Server 2003, paste the following string into the defaultSecurityDescriptor attribute instead. It is identical to the string above except for a trailing ACE that grants read access to Enterprise Domain Controllers (ED):
D:P(A;CI;RPLCLOLORC;;;DA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;EA)(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)
Note Changing the defaultSecurityDescriptor attribute does not modify the security descriptors of any pre-existing GPOs; the new default is applied only to Group Policy Container objects created after the change. You may, however, use the complete string above to replace the ACL on pre-existing GPOs in conjunction with a tool such as sdutil.exe. Keep in mind that a GPO's permissions also live on its folder under SYSVOL; replacing the ACL on the Active Directory object alone leaves the file-system permissions unchanged.
- Paste the new string into the edit attribute box, click Set, click Apply, and then click OK.
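The procedure above, scripted as an added example that is not part of the original article: a Windows PowerShell 5.1 script, run on the schema master as a member of Schema Admins, that parses the Windows Server 2003 SDDL string, appends the "additional group" ACE using the group's SID, lists every trustee that still holds a write right (so you can confirm Domain Admins is no longer among them) and writes the result to CN=Group-Policy-Container through ADSI. The group CONTOSO\GPO-Editors is an assumption for illustration; SDDL aliases such as DA and EA resolve only on a domain-joined machine.

```powershell
# Added example, not from the original article. Windows PowerShell 5.1 on the
# schema master, run as a member of Schema Admins. The group name below is an
# assumption for illustration only.
Add-Type -AssemblyName System.DirectoryServices

# Windows Server 2003 default from the article: DA is reduced to read, EA/CO/SY
# keep write, AU gets read plus Apply Group Policy, ED gets read.
$BaseSddl = 'D:P' +
    '(A;CI;RPLCLOLORC;;;DA)' +
    '(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;EA)' +
    '(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;CO)' +
    '(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)' +
    '(A;CI;RPLCLORC;;;AU)' +
    '(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)' +
    '(A;CI;LCRPLORC;;;ED)'

# Access-mask bits that let a trustee change a GPO or its ACL:
# CC 0x1, DC 0x2, WP 0x20, DT 0x40, SD 0x10000, WD 0x40000, WO 0x80000.
$WriteMask = 0x1 -bor 0x2 -bor 0x20 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000

function Get-GpcWriters {
    # Parses the SDDL with the same Win32 converter ADSI Edit uses and returns
    # the allow ACEs that carry any write bit.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    if (-not ($sd.ControlFlags -band [System.Security.AccessControl.ControlFlags]::DiscretionaryAclProtected)) {
        throw 'DACL is not protected (missing the P flag): inherited ACEs could add writers.'
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -in @('AccessDenied', 'AccessDeniedObject')) { continue }
        if (-not ($ace.AccessMask -band $WriteMask)) { continue }
        # Translate back to a name where possible; unresolvable SIDs stay raw.
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Trustee = $name
            Sid     = $ace.SecurityIdentifier.Value
            Rights  = [System.DirectoryServices.ActiveDirectoryRights]$ace.AccessMask
        }
    }
}

function Add-GpcWriter {
    # Appends the article's "additional group" ACE. Accepts a SID string or a
    # DOMAIN\Group name and always emits the SID, because the default is applied
    # forest-wide and a name would be re-resolved on each domain controller.
    param([Parameter(Mandatory)][string]$Sddl, [Parameter(Mandatory)][string]$Group)
    $sid = $null
    try { $sid = [System.Security.Principal.SecurityIdentifier]$Group }
    catch {
        $sid = ([System.Security.Principal.NTAccount]$Group).Translate([System.Security.Principal.SecurityIdentifier])
    }
    return "$Sddl(A;CI;RPWPCCDCLCLOLORCWOWDSDDTSW;;;$($sid.Value))"
}

function Set-GpcDefaultSecurityDescriptor {
    # Writes the new default to CN=Group-Policy-Container in the schema naming
    # context of the DC you are logged on to (the schema master, per the
    # article) and returns the value read back. Use -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Sddl)
    # Fail early on a malformed string instead of pushing it into the schema.
    $null = Get-GpcWriters -Sddl $Sddl
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = $rootDse.Properties['schemaNamingContext'].Value
    $gpc      = [ADSI]"LDAP://CN=Group-Policy-Container,$schemaNc"
    if ($PSCmdlet.ShouldProcess($gpc.Path, 'Replace defaultSecurityDescriptor')) {
        $gpc.Properties['defaultSecurityDescriptor'].Value = $Sddl
        $gpc.CommitChanges()
        $gpc.RefreshCache()
    }
    return $gpc.Properties['defaultSecurityDescriptor'].Value
}

# Usage: confirm who can write before touching the schema, then apply.
$NewSddl = Add-GpcWriter -Sddl $BaseSddl -Group 'CONTOSO\GPO-Editors'   # assumed group
Get-GpcWriters -Sddl $NewSddl | Format-Table -AutoSize
# Expected: Enterprise Admins, CREATOR OWNER, SYSTEM and GPO-Editors; no Domain Admins.
Set-GpcDefaultSecurityDescriptor -Sddl $NewSddl -WhatIf
```

Run the last line without -WhatIf to commit the change; the schema update replicates to the rest of the forest from the schema master. Because the write goes through the regular LDAP path, it also succeeds only if the schema master currently allows schema updates, which is the same condition the snap-in step above establishes.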
Technical support for x64-based versions of Microsoft Windows
Your hardware manufacturer provides technical support and assistance for x64-based versions of Windows. Your hardware manufacturer provides support because an x64-based version of Windows was included with your hardware. Your hardware manufacturer might have customized the installation of Windows with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your x64-based version of Windows. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.
For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site: