Hello,
I understand when a GPO is created, by default the Authenticated Users group is given Read and Apply Group Policy permissions to this GPO. This allows any member of the domain to read the settings in a GPO.
In our shop, when GPOs are implemented, they are intended for only a specific 'subset' of individuals. In this case, the Authenticated Users group is removed from the GPO's DACL (i.e., Security Filtering) and replaced with a group which contains the Users the GPO should apply to.
What happens here is some folks who need to view the settings of the GPO to troubleshoot, etc. can't view the settings because they are not members of the group and the Authenticated Users group was removed from the DACL.
What is the best way to assign a group of folks Read permissions to all GPOs in the domain when some GPOs have a modified DACL and omit Authenticated Users?
Thanks for your help! SdeDot
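
One way to audit which GPOs have lost Authenticated Users from their DACL and to grant a support group read-only access, as an added example that is not part of the original post. It uses the GroupPolicy module cmdlets `Get-GPO`, `Get-GPPermission` and `Set-GPPermission`; the group name `GPO-Readers` and the `$Apply` switch are hypothetical.

```powershell
# Added example: report GPO read access and optionally grant it to one group.
# Requires the GroupPolicy module (installed with the Group Policy Management tools).
Import-Module GroupPolicy

$ReaderGroup = 'GPO-Readers'   # hypothetical group of troubleshooters
$Apply       = $false          # $false = report only, $true = also modify DACLs

# Permission levels that include the right to read a GPO's settings.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    # -All returns every trustee on the GPO, so a missing trustee is not an error.
    $perms = Get-GPPermission -Guid $gpo.Id -All

    # S-1-5-11 is the well-known SID of Authenticated Users.
    $authUsers = $perms | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }

    $reader = $perms | Where-Object {
        $_.Trustee.Name -eq $ReaderGroup -and [string]$_.Permission -in $readLevels
    }

    [pscustomobject]@{
        GPO                = $gpo.DisplayName
        AuthenticatedUsers = if ($authUsers) { [string]$authUsers.Permission } else { 'absent' }
        ReaderGroupCanRead = [bool]$reader
    }

    if ($Apply -and -not $reader) {
        # GpoRead grants Read without Apply Group Policy, so the GPO's
        # settings are not applied to members of the reader group.
        Set-GPPermission -Guid $gpo.Id -TargetName $ReaderGroup `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
    }
}

$report | Sort-Object GPO | Format-Table -AutoSize
```

GPOs created after the run get the default DACL again, so the report is worth re-running whenever security filtering is changed on a new GPO.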