Authenticated Users – Read, Apply Group Policy, Special Permissions
Creator Owner – Special Permissions
Domain Administrators – Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
Enterprise Administrators – Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
Enterprise Domain Controllers – Read, Special Permissions
System – Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
It is also important to know that only the Domain Administrators, Enterprise Administrators, and Group Policy Creator Owner groups have permission to create new GPO’s be default. Any user who needs the ability to create GPO’s will need to be added to one of these groups. It is generally best practice to add these users to the Group Policy Creator Owner group so that they have fill administrative permissions over only the GPO’s they create.
***
Chris Sanders is the network administrator for one of the largest public school systems in the state of Kentucky. Chris's specialties include general network administration, windows server 2003, wireless networking, and security. You can view Chris' personal website at www.chrissanders.org.