I highly recommend assigning two Active Directory security groups to every new group policy object; one group granting read access, and the other group granting modify access. These groups can be assigned automatically by modifying the security descriptor applied to all new group policies.
To grant the gp-read group read access, and the gp-modify group modify access to all new group policy objects, perform the following steps from an elevated command prompt on a system with the Active Directory PowerShell module installed.
Note: You must be a member of the Schema Admins group to perform this task.
Ideally the process would be performed prior to creating any group policy objects.
# Get NetBIOS domain name.
$domain = Get-ADDomain
# Get SID of "gp-read".
$reader = New-Object System.Security.Principal.NTAccount($domain.NetBIOSName, "gp-read")
$reader = $reader.Translate([System.Security.Principal.SecurityIdentifier]).value
# Get SID of "gp-modify".
$modifier = New-Object System.Security.Principal.NTAccount($domain.NetBIOSName, "gp-modify")
$modifier = $modifier.Translate([System.Security.Principal.SecurityIdentifier]).value
# Get existing security descriptor for group policy container from schema partition in Active Directory.
$descriptor = ($container = Get-ADObject "CN=Group-Policy-Container,CN=Schema,CN=Configuration,$($domain.DistinguishedName)" -Properties defaultSecurityDescriptor). defaultSecurityDescriptor
# Set the access control entry for the *gp-read* group.
$read = "(A;CI;LCRPLORC;;;$reader)"
# Set the access control entry for the *gp-modify* group.
$modify = "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;$modifier)"
# Concatenate the access control entries with the existing security descriptor.
$container | Set-ADObject -Replace @{defaultSecurityDescriptor = "$descriptor$read$modify";} -Server $domain.PDCEmulator
Let's break down the permissions (LCRPLORC) assigned to the gp-read group:
- LC: List children
- RP: Read property
- LO: List object
- RC: Read control
And the permissions (RPWPCCDCLCLORCWOWDSDDTSW) assigned to the gp-modify group:
- RP: Read property
- WP: Write property
- CC: Create child
- DC: Delete child
- LC: List children
- LO: List object
- RC: Read control
- WO: Write owner
- WD: Write DAC
- SD: Standard delete
- DT: Delete tree
- SF: Self write
Refer to this article for more information on the format of an access control entry within a security descriptor.