<

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x

Using PowerShell to Delegate GPO permissions

Published on
17,048 Points
10,848 Views
2 Endorsements
Last Modified:
Approved

Group Policy Delegation

Recently, I was tasked with delegating permissions for a specific group of administrators to a specific list of Group Policy Objects(GPO). A couple of things need to happen here for this to work.
If you want the Administrators to be able to create new Group Policy Objects, you should add them to the Group Policy Creator Owners group as it is set up by default to be able to create new certificates as seen below:
Group Policy Management console However, it may not have the necessary permissions to edit other Group Policy Objects.
This is what a typical Group Policy Object looks like.
GPO delegatesAuthenticated Users have read access, Domain Admins, Enterprise Admins, and System all have Edit settings, delete, and modify security (basically full control) for the specific Group Policy Object. If the administrators you are working with are not a member of either the Domain Admins or the Enterprise Admins group, then it is most likely that they do not have permissions to edit any Group Policy Objects that they did not create.

So, how do we fix this?


Well, you can go through each policy in the Group Policy Management console and add them manually, or, you can script it in PowerShell.

To script it in PowerShell, you will need to meet a couple of prerequisites:

1

You must use PowerShell from a Windows 2008 R2 server that is a domain controller or on a member server that has the Group Policy Management console installed, or you can run it from Windows 7 with the Remote Server Administration Tools installed.

2

You have to import the Group Policy Module using the Import-Module cmdlet before you can use any of the Group Policy cmdlets.
The cmdlet looks as follows:
Import-Module GroupPolicy

Open in new window

If you add the -Verbose switch to the command, you should see a list of all of the cmdlets available in that module.

Now the fun part.

If you are going to be granting rights to several administrators on the same Group Policy Objects, it is best if you create a security group, put all of the administrators in this group, and then assign the group the permissions. For the sake of this discussion, we will be using the following:
A security group called GPOAdministrators
We will be giving the highest level of access on the GPOs (edit, delete, modify security)
We will be applying the permissions on every GPO that start with "china"

I typically like to assign non-changing values to a variable first, just to make my code cleaner. We know the group name and the security level so lets set them to some variables that we can use in the code:
$grp = "GPOAdministrators"
$level = "GpoEditDeleteModifySecurity"

Open in new window

Next, we will grab all Group Policy Objects that start with "china":
$gpos = get-gpo -All | where {$_.DisplayName -like "china*"}

Open in new window

Now that we have a complete list of GPOs that start with "china", we can go into each and set the permissions. To do this, we will go through each item in the array ($gpos) and grab the name of each GPO, and then use the set-GPPermissions cmdlet to give the security group rights on each:
foreach ($gpo in $gpos)
{
	$gpname = $gpo.DisplayName	
	set-GPPermissions -Name $gpname -permissionlevel $level -TargetName $grp -targettype Group

}

Open in new window

PowerShell will now process each GPO as appropriate. The full script looks as follows:
Import-Module GroupPolicy
$grp = "GPOAdministrators"
$level = "GpoEditDeleteModifySecurity"
$gpos = get-gpo -All | where {$_.DisplayName -like "china*"}
foreach ($gpo in $gpos)
{
	$gpname = $gpo.DisplayName	
	set-GPPermissions -Name $gpname -permissionlevel $level -TargetName $grp -targettype Group

}

Open in new window


That should take care of it for you. If you want to learn more about the other Group Policy cmdlets, you can simply do get-help in PowerShell. For instance, to see a detailed help about the set-GPPermissions, you would type the following:
get-help set-GPPermissions -full

Open in new window

2
Comment
Author:GusGallows
0 Comments

Featured Post

Bootstrap 4: Exploring New Features

Learn how to use and navigate the new features included in Bootstrap 4, the most popular HTML, CSS, and JavaScript framework for developing responsive, mobile-first websites.

Join & Write a Comment

Loops Section Overview
Screencast - Getting to Know the Pipeline

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month