Permissions for group policy in multi-tenant environment?


What exact permissions have to be applied on an OU for computer objects to get group policies?

Basically, when I remove the Authenticated Users rights on the OU, the computers in it can't get GPOs. I'm trying to lock down the environment using AD List Object mode (which is enabled) and I'm not finding anything about computer objects (I see tons of stuff about user objects).

Basically, the layout is:

- hosting
--> reseller
---> company a
-----> computers
-----> users
---> company b

and on...

Under each company I created an allusers group that has read access to the company OU and its child OUs. Pretty much the security group layout is:

- hosting (gpoaccess@hosting)
-- reseller (gpoaccess@reseller1) [member of gpoaccess@hosting]
--- company (allusers@company) [member of gpoaccess@reseller1]

Then gpoaccess has List Object permissions and such on the appropriate OUs.

However... what about computer objects?

Here is a picture of the CC OU complaining about access. The two on top of the picture show the memberships, and the bottom shows the permissions of CC.


Try with:
  • Read properties: gPLink
  • Read properties: gPOptions
  • Read properties: distinguishedName
  • List

Enfo Zipper
Christoffer Andersson – Principal Advisor
http://blogs.chrisse.se - directory services blog
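The permission set from the reply above, granted to a group on an OU with PowerShell. This is an added example, not code from the thread or from the author of the reply; the OU distinguished name, the domain and the group name are assumptions, and the attribute GUIDs are looked up from the schema rather than hard-coded. It requires the ActiveDirectory module (RSAT) and rights to change the OU's ACL.

```powershell
# Added example: grant a group the rights the reply lists for GPO processing on an OU:
#   Read Property on gPLink, gPOptions, distinguishedName, plus List (List Contents).
# Assumed (hypothetical) names: adjust to your own forest.
Import-Module ActiveDirectory

$ouDN  = 'OU=Computers,OU=CompanyA,OU=Reseller1,OU=Hosting,DC=corp,DC=example'  # assumption
$group = 'CORP\gpoaccess-reseller1'                                              # assumption
$sid   = (New-Object System.Security.Principal.NTAccount($group)).Translate(
             [System.Security.Principal.SecurityIdentifier])

# Resolve each attribute's schemaIDGUID from the schema partition instead of hard-coding GUIDs.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-AttributeGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Attribute '$ldapDisplayName' not found in schema" }
    return [guid]$obj.schemaIDGUID
}

$acl = Get-Acl -Path "AD:\$ouDN"

# One Read Property ACE per attribute, inherited by the OU itself and everything below it.
foreach ($attr in 'gPLink', 'gPOptions', 'distinguishedName') {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-AttributeGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
}

# "List" in the reply = List Contents (ListChildren), again inherited down the tree.
$listRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ListChildren,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($listRule)

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only this group's ACEs on the OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -eq $group } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Two practical notes. gPLink and gPOptions live on the OUs (and the domain and site objects), not on the computer objects, and a computer reads them on every container from the domain down to its own OU, so the same rights have to exist at each level of the hosting, reseller and company chain, not just on the Computers OU. And because the question mentions List Object mode: the "List" above is List Contents on the container; if you instead rely on List Object mode to hide siblings, the per-object equivalent is the ListObject right, which can be added with the same constructor by swapping ListChildren for ListObject.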
