We help IT Professionals succeed at work.
Get Started
Troubleshooting Question
Powershell: Run script against
Hi,
I got a few hundred GPO's with double Domain Admin permissions on them. This is causing Sysvol ACL's sync issues. More info about this: https://social.technet.microsoft.com/Forums/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016
With the following script, i can check if a GPO has double or single domain admin permissions:
Thanks in advance
Can
I got a few hundred GPO's with double Domain Admin permissions on them. This is causing Sysvol ACL's sync issues. More info about this: https://social.technet.microsoft.com/Forums/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016
With the following script, i can check if a GPO has double or single domain admin permissions:
ICACLS "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"So this can return me this: (with one domain admin permission)PS C:\> icacls "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"
\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F} CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
Domain\Domain Admins:(OI)(CI)(F)
Domain\Desktop1$:(OI)(CI)(RX)
Domain\Enterprise Admins:(OI)(CI)(F)
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)Or this: (with double domain admin permissions)PS C:\> icacls "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"
\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F} CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
Domain\Domain Admins:(OI)(CI)(F)
Domain\Domain Admins:(OI)(CI)(F)
Domain\Desktop1$:(OI)(CI)(RX)
Domain\Enterprise Admins:(OI)(CI)(F)
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)To solve the ACL replication issue i need to remove and readd the domain admin permission with the following script. This way it removes all Domain Admin permissions and readd's just one permission. $Policies = Get-ChildItem C:\Windows\SYSVOL\domain\Policies -Name -Filter "{*}"
foreach ($Policy in $Policies) {
icacls "C:\Windows\SYSVOL\domain\Policies\$policy" /remove:g "<DomainName>\Domain Admins"
icacls "C:\Windows\SYSVOL\domain\Policies\$policy" /grant "<DomainName>\Domain Admins:(OI)(CI)(F)"
icacls "C:\Windows\SYSVOL\domain\Policies\$policy"
}This does the job but, this affects all GPO's within my domain instead of just the GPO's which have double admin rights. Is there a way with PowerShell to apply this process to just the GPO's which has double permissions? Thanks in advance
Can
Why Experts Exchange?
Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.
Jim Murphy
Programmer at Smart IT Solutions
When asked, what has been your best career decision?
Deciding to stick with EE.
Mohamed Asif
Technical Department Head
Being involved with EE helped me to grow personally and professionally.
Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question
Connect with Certified Experts to gain insight and support on specific technology challenges including:
- Troubleshooting
- Research
- Professional Opinions
Did You Know?
We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE