Default permissions
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The following table describes the default permissions on Group Policy objects.
Security group | Default settings |
---|---|
Authenticated users | Read, Apply Group Policy (AGP) |
Local system | Full Control (includes AGP) |
Domain administrators | Read, Write, Create Child, Delete Child, AGP |
Administrators | Read, Write, Create Child, AGP |
Group Policy Creator Owners | Read, Write, AGP |
By default, the Group Policy object Default Domain Policy cannot be deleted by any administrator. The purpose of this restriction is to prevent the accidental deletion of this Group Policy object, which contains important and required settings for the domain. If Default Domain Policy must be deleted for some reason, the Delete permission must be given explicitly to the intended group. This is an advanced access control entry (ACE) on the Group Policy object. For more information, see Set permissions for Group Policy Software Installation.
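
The following is an added example, not part of the original documentation: a small Python check that compares the permissions observed on a Group Policy object with the defaults in the table above and reports deviations, such as an explicit Delete grant. The input format (trustee name mapped to a set of right names) and the sample ACL, including the "Helpdesk operators" group, are constructed for illustration.

```python
# Baseline transcribed from the default-permissions table above.
# "Full Control" is treated as a wildcard: nothing can exceed it.
BASELINE = {
    "Authenticated users": {"Read", "AGP"},
    "Local system": {"Full Control"},
    "Domain administrators": {"Read", "Write", "Create Child", "Delete Child", "AGP"},
    "Administrators": {"Read", "Write", "Create Child", "AGP"},
    "Group Policy Creator Owners": {"Read", "Write", "AGP"},
}


def audit_acl(aces):
    """Compare observed ACEs (trustee -> set of rights) with the defaults.

    Returns a sorted list of (trustee, finding) tuples; empty means the
    ACL matches the documented defaults exactly or is a subset of them.
    """
    findings = []
    for trustee, rights in aces.items():
        allowed = BASELINE.get(trustee)
        if allowed is None:
            # A trustee the defaults never mention has been granted access.
            findings.append((trustee, "trustee not in defaults: " + ", ".join(sorted(rights))))
        elif "Full Control" not in allowed and rights - allowed:
            # A default trustee holds rights the table does not list (for example Delete).
            findings.append((trustee, "rights beyond default: " + ", ".join(sorted(rights - allowed))))
    for trustee in BASELINE.keys() - aces.keys():
        # A default entry was removed, which changes who reads or applies the GPO.
        findings.append((trustee, "default entry missing"))
    return sorted(findings)


# Constructed sample: an ACL as it might look on Default Domain Policy after
# someone added an explicit Delete ACE and delegated edit rights to a
# hypothetical "Helpdesk operators" group.
SAMPLE_ACL = {
    "Authenticated users": {"Read", "AGP"},
    "Local system": {"Full Control"},
    "Domain administrators": {"Read", "Write", "Create Child", "Delete Child", "AGP", "Delete"},
    "Administrators": {"Read", "Write", "Create Child", "AGP"},
    "Helpdesk operators": {"Read", "Write"},
}

if __name__ == "__main__":
    for trustee, finding in audit_acl(SAMPLE_ACL):
        print(f"{trustee}: {finding}")
```

Real ACLs identify trustees by SID, so a production check would resolve SIDs to these group names before comparing.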