RE: GPO for trusted root CA certs

---

• From: briandel@xxxxxxxxxxxxxxxxxxxx (Brian Delaney [MSFT])
• Date: Tue, 07 Nov 2006 18:03:11 GMT

---

Hi Michael,

The SYSVOL where GPOs are stored is protected by Access Control Lists
preventing regular users from placing new GPO in this directory. By
default only members of the Administrators group have full control over
this directory. Group Policy Creator Owners group has the ability to
create new policies but not modifying existing GPOs and not the ability to
link a policy.

So, I guess you could say that it secured in two ways. First of all you
have to have permissions to write to the SYSVOL\Policies folder to
create/modify a GPO and secondly you have to have permissions to the gplink
and gpoptions attribute at the level you wish to link the policy.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------

Date: Tue, 07 Nov 2006 14:12:39 +0100
From: =?ISO-8859-1?Q?Michael_Str=F6der?= <michael@xxxxxxxxxxxx>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.13)

Gecko/20060417

X-Accept-Language: en-us, en
MIME-Version: 1.0
Newsgroups: microsoft.public.windows.server.security
Subject: GPO for trusted root CA certs
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <8bd624-r0a.ln1@xxxxxxxxxxxxxxxx>

HI!

I'd like to know how GPOs are protected against being forged. In my case
I'd have the task to design a GPO for trusted root CA certs which
obviously should be secured somehow.

I also read about certificate trust lists signed by the enterprise
admin. But there's off course some hen-and-egg-problem since at the end
the signature has to be validated against the root CA cert.

Thanks in advance.

Ciao, Michael.

.

---

• Follow-Ups:
  • Re: GPO for trusted root CA certs
    • From: Michael Ströder
  • Re: GPO for trusted root CA certs
    • From: Michael Ströder

• References:
  • GPO for trusted root CA certs
    • From: Michael Ströder

• Prev by Date: Encrypted Files - Access Denied
• Next by Date: Re: Setting COM Security at the parent levels
• Previous by thread: GPO for trusted root CA certs
• Next by thread: Re: GPO for trusted root CA certs
• Index(es):
  • Date
  • Thread

---

Relevant Pages Copying Certificates from the Trusted Root certs store to the Personal Store on XPsp3 ... I have successfully distributed a couple of private certificates by GPO ... GPO puts the certs into the container Computer \ Trusted Root ... DOES ANYONE HAVE A COMPREHENSIVE LIST OF CERTIFICATE STORE NAMES? ... (microsoft.public.windowsxp.security_admin) GPO & IPSEC question ... GPO Comparison ... I am looking for a tool that will compare a GPO against another GPO to see ... I wish to use certs for authentication but when I chose a CA it only lists ... What if your Root CA is offline and you want to use a sub ... (microsoft.public.windows.server.security) Certificate Server Query ... I have got a Enterprise Root Certificate server working and issuing certs to ... the workstations through GPO, but when I go to request a cert from another ... (microsoft.public.windows.server.general)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.windows.server.security  > 2006-11