Can

asked on

Powershell: Run script against

Hi,

I've got a few hundred GPOs with double Domain Admins permissions on them. This is causing SYSVOL ACL sync issues. More info about this: https://social.technet.microsoft.com/Forums/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016

With the following command, I can check if a GPO has double or single Domain Admins permissions:
ICACLS "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"


So this can return this (with one Domain Admins permission):
PS C:\> icacls "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"
\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}            CREATOR OWNER:(OI)(CI)(IO)(F)
                                                                                    NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                                                                                    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                                                    Domain\Domain Admins:(OI)(CI)(F)
                                                                                    Domain\Desktop1$:(OI)(CI)(RX)
                                                                                    Domain\Enterprise Admins:(OI)(CI)(F)
                                                                                    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)


Or this (with double Domain Admins permissions):
PS C:\> icacls "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"
\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}            CREATOR OWNER:(OI)(CI)(IO)(F)
                                                                                    NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                                                                                    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                                                    Domain\Domain Admins:(OI)(CI)(F)
                                                                                    Domain\Domain Admins:(OI)(CI)(F)
                                                                                    Domain\Desktop1$:(OI)(CI)(RX)
                                                                                    Domain\Enterprise Admins:(OI)(CI)(F)
                                                                                    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)


To solve the ACL replication issue I need to remove and re-add the Domain Admins permission with the following script. This way it removes all Domain Admins permissions and re-adds just one permission.
$Policies = Get-ChildItem C:\Windows\SYSVOL\domain\Policies -Name -Filter "{*}"

foreach ($Policy in $Policies) {
    icacls "C:\Windows\SYSVOL\domain\Policies\$policy" /remove:g "<DomainName>\Domain Admins"
    icacls "C:\Windows\SYSVOL\domain\Policies\$policy" /grant "<DomainName>\Domain Admins:(OI)(CI)(F)"
    icacls "C:\Windows\SYSVOL\domain\Policies\$policy"
}


This does the job, but it affects all GPOs within my domain instead of just the GPOs which have double admin rights. Is there a way with PowerShell to apply this process to just the GPOs which have double permissions?

Thanks in advance
Can

Qlemo

Indeed, I guess it is best to mix PS and icacls:
Get-ChildItem C:\Windows\SYSVOL\domain\Policies -Directory -Filter "{*}" |
% {
  # Count the explicit Domain Admins ACEs on the policy folder and repair only if there is more than one
  if (@(Get-ACL $_.FullName | Select -Expand Access | ? { $_.IdentityReference -eq '<DomainName>\Domain Admins' }).Count -gt 1)
  {
    icacls $_.FullName /remove:g '<DomainName>\Domain Admins'
    icacls $_.FullName /grant    '<DomainName>\Domain Admins:(OI)(CI)(F)'
    # icacls $_.FullName
  }
}


There are *-ACL cmdlets for changing ACLs, but using them can get much more complex than with icacls.
Can (ASKER)

Thank you for your reply Qlemo,

I am not sure if this is going to work with Get-ACL. The reason I'm not sure about it is that Get-ACL does not show the double Domain Admins entries in the GPO. ICACLS does. Here is an example.
With ICACLS:
icacls "\\DC\C$\Windows\SYSVOL\domain\Policies\{28B31314-4ADE-40B3-99A5-6059B4C4D24E}" 


This returns me:
\\DC\C$\Windows\SYSVOL\domain\Policies\{28B31314-4ADE-40B3-99A5-6059B4C4D24E} Domain\Domain Admins:(OI)(CI)(F)
                                                                                      Domain\Domain Admins:(OI)(CI)(F)
                                                                                      Domain\Enterprise Admins:(OI)(CI)(F)
                                                                                      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)
                                                                                      NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                                                                                      NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                                                      CREATOR OWNER:(OI)(CI)(IO)(F)


As you can see there are double Domain Admins entries.

With Get-ACL:
get-acl "\\dc\C$\Windows\SYSVOL\domain\Policies\{28B31314-4ADE-40B3-99A5-6059B4C4D24E}" | Select-Object -ExpandProperty access

I get only one Domain Admins entry:
get-acl "\\dc\C$\Windows\SYSVOL\domain\Policies\{28B31314-4ADE-40B3-99A5-6059B4C4D24E}" | Select-Object -ExpandProperty access


FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : CREATOR OWNER
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : Domain\Domain Admins
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : Domain\Enterprise Admins
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None


Do you think there is another way to integrate ICACLS with PowerShell?

Thank you,
Can
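One way to integrate icacls with PowerShell for exactly this case, as an added example that is not part of the original thread and is not oBdA's accepted solution. It parses the icacls listing of each policy folder (icacls shows every ACE, whereas the .NET security descriptor behind Get-Acl merges identical entries, as the output above shows), reports every folder where an ACE appears more than once, and only with the `-Fix` switch removes and re-grants Domain Admins on those folders. Assumptions: it runs in an elevated prompt on a domain controller, `$PoliciesPath` is the local SYSVOL Policies folder, the Domain Admins name is built from `$env:USERDOMAIN`, and the icacls output layout is the one shown in the thread (path on the first line, one ACE per line, a "Successfully processed" summary at the end). The `Get-IcaclsAceCount` function and the backup file location are mine, not anything from the thread.

```powershell
<#
  Added example: report, and optionally repair, only the GPO folders whose icacls
  listing contains a duplicated ACE. Not from the thread; assumptions noted inline.
#>
param(
    [string]$PoliciesPath = 'C:\Windows\SYSVOL\domain\Policies',   # assumption: local SYSVOL on a DC
    [string]$DomainAdmins = "$env:USERDOMAIN\Domain Admins",        # assumption: current domain
    [switch]$Fix                                                    # without -Fix the script only reports
)

function Get-IcaclsAceCount {
    # Parse 'icacls <folder>' (no /T, so only the folder itself) into a hashtable of
    # ACE text -> number of times it appears. icacls lists every ACE, unlike Get-Acl,
    # whose .NET security descriptor merges identical entries.
    param([Parameter(Mandatory)][string]$Path)
    $lines = & icacls.exe $Path
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path (exit code $LASTEXITCODE)" }
    $counts = @{}
    foreach ($line in $lines) {
        $text = [string]$line
        # The first line is the path (echoed as given) padded with spaces, then the first ACE.
        if ($text.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) {
            $text = $text.Substring($Path.Length)
        }
        $text = $text.Trim()
        if (-not $text -or $text -like 'Successfully processed*') { continue }
        # ACE lines look like 'DOMAIN\Group:(OI)(CI)(F)'; identities may contain spaces.
        if ($text -match '^.+?:\(.*\)$') {
            if ($counts.ContainsKey($text)) { $counts[$text]++ } else { $counts[$text] = 1 }
        }
    }
    return $counts
}

# Pass 1: every policy folder with at least one ACE listed more than once.
$duplicates = foreach ($dir in Get-ChildItem -Path $PoliciesPath -Directory -Filter '{*}') {
    $counts = Get-IcaclsAceCount -Path $dir.FullName
    foreach ($entry in $counts.GetEnumerator()) {
        if ($entry.Value -gt 1) {
            [pscustomobject]@{ Policy = $dir.Name; Ace = $entry.Key; Count = $entry.Value }
        }
    }
}
$duplicates | Sort-Object Policy | Format-Table -AutoSize

if (-not $Fix) { return }

# Pass 2: touch only the folders where the duplicated ACE belongs to Domain Admins.
$toFix = $duplicates | Where-Object { $_.Ace -like "${DomainAdmins}:*" } |
         Select-Object -ExpandProperty Policy -Unique
foreach ($name in $toFix) {
    $path = Join-Path -Path $PoliciesPath -ChildPath $name
    # Keep a restorable copy of the folder's DACL first (icacls <Policies folder> /restore <file> puts it back).
    $backup = Join-Path -Path $env:TEMP -ChildPath "$name.acl"    # assumption: %TEMP% is acceptable for the backup
    & icacls.exe $path /save $backup /C | Out-Null
    # /remove:g drops every granted ACE for the group; /grant adds a single one back.
    & icacls.exe $path /remove:g $DomainAdmins | Out-Null
    & icacls.exe $path /grant "${DomainAdmins}:(OI)(CI)(F)" | Out-Null
    # Verify: exactly one Domain Admins ACE should remain on the folder.
    $after = Get-IcaclsAceCount -Path $path
    $remaining = [int](($after.GetEnumerator() | Where-Object { $_.Key -like "${DomainAdmins}:*" } |
                        Measure-Object -Property Value -Sum).Sum)
    if ($remaining -ne 1) { Write-Warning "$name still has $remaining Domain Admins ACEs" }
    else { Write-Host "Repaired $name" }
}
```

Run it once without `-Fix` and compare the report with a manual `icacls` of one listed folder before repairing anything; because the change is made on one DC's SYSVOL and then replicated, do it on a single DC after confirming replication is otherwise healthy, and keep the saved `.acl` files until the sync warnings have cleared.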
ASKER CERTIFIED SOLUTION
oBdA

This solution is only available to members.
Can (ASKER)

Thank you so much oBdA!