ICACLS "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"

So this can return me this (with one Domain Admins permission):

PS C:\> icacls "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"
\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F} CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
Domain\Domain Admins:(OI)(CI)(F)
Domain\Desktop1$:(OI)(CI)(RX)
Domain\Enterprise Admins:(OI)(CI)(F)
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)
Or this (with double Domain Admins permissions):

PS C:\> icacls "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"
\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F} CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
Domain\Domain Admins:(OI)(CI)(F)
Domain\Domain Admins:(OI)(CI)(F)
Domain\Desktop1$:(OI)(CI)(RX)
Domain\Enterprise Admins:(OI)(CI)(F)
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)
To solve the ACL replication issue I need to remove and re-add the Domain Admins permission with the following script. This way it removes all Domain Admins permissions and re-adds just one permission.

# Every GPO folder in SYSVOL is named by its GUID, e.g. {A70B12C9-...}
$Policies = Get-ChildItem C:\Windows\SYSVOL\domain\Policies -Name -Filter "{*}"
foreach ($Policy in $Policies) {
    # /remove:g drops every grant ACE for the identity (all duplicates at once)
    icacls "C:\Windows\SYSVOL\domain\Policies\$Policy" /remove:g "<DomainName>\Domain Admins"
    # then a single Full Control ACE is granted again, inherited by subfolders and files
    icacls "C:\Windows\SYSVOL\domain\Policies\$Policy" /grant "<DomainName>\Domain Admins:(OI)(CI)(F)"
    # print the resulting DACL for verification
    icacls "C:\Windows\SYSVOL\domain\Policies\$Policy"
}
This does the job, but it affects all GPOs within my domain instead of just the GPOs which have double admin rights. Is there a way with PowerShell to apply this process to just the GPOs which have double permissions?

icacls "\\DC\C$\Windows\SYSVOL\domain\Policies\{28B31314-4ADE-40B3-99A5-6059B4C4D24E}"

This returns me:

\\DC\C$\Windows\SYSVOL\domain\Policies\{28B31314-4ADE-40B3-99A5-6059B4C4D24E} Domain\Domain Admins:(OI)(CI)(F)
Domain\Domain Admins:(OI)(CI)(F)
Domain\Enterprise Admins:(OI)(CI)(F)
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
As you can see there are double Domain Admins entries.

get-acl "\\dc\C$\Windows\SYSVOL\domain\Policies\{28B31314-4ADE-40B3-99A5-6059B4C4D24E}" | Select-Object -ExpandProperty access
FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : CREATOR OWNER
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : InheritOnly

FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None

FileSystemRights : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None

FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None

FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : Domain\Domain Admins
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None

FileSystemRights : FullControl
AccessControlType : Allow
IdentityReference : Domain\Enterprise Admins
IsInherited : False
InheritanceFlags : ContainerInherit, ObjectInherit
PropagationFlags : None
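One way to scope the repair to only those GPO folders whose DACL really carries a duplicate ACE, as an added example (not the poster's script and not code from the reply). It parses icacls output rather than Get-Acl because the Get-Acl listing above shows Domain Admins only once where icacls shows it twice; <DomainName>, the SYSVOL path and the $ReportOnly switch are assumptions.

```powershell
# Added example: repair only GPO folders with a duplicated "Domain Admins" ACE.
# <DomainName> is a placeholder; $ReportOnly defaults to listing without changing.
$Domain       = '<DomainName>'
$PoliciesRoot = 'C:\Windows\SYSVOL\domain\Policies'
$Identity     = "$Domain\Domain Admins"
$WantedAce    = "${Identity}:(OI)(CI)(F)"   # ${} keeps the ':' out of the variable name
$ReportOnly   = $true                       # assumption: set to $false to apply the fix

# Parse `icacls <folder>` into one "identity:(flags)" string per ACE. icacls is
# used instead of Get-Acl because Get-Acl lists identical ACEs only once.
function Get-IcaclsEntries {
    param([string]$Path)
    foreach ($line in (icacls $Path)) {
        $entry = "$line".Trim()
        if ($entry -notmatch ':\(') { continue }          # skip the summary lines
        if ($entry.StartsWith($Path, 'OrdinalIgnoreCase')) {
            # The first output line is "<path> <first ACE>"; drop the path prefix.
            $entry = $entry.Substring($Path.Length).Trim()
        }
        $entry
    }
}

# Entries that occur more than once in the folder's DACL.
function Get-DuplicateEntries {
    param([string]$Path)
    Get-IcaclsEntries -Path $Path | Group-Object | Where-Object Count -gt 1 |
        ForEach-Object { $_.Name }
}

foreach ($Policy in Get-ChildItem $PoliciesRoot -Directory -Filter '{*}') {
    $dups = @(Get-DuplicateEntries -Path $Policy.FullName)
    if ($dups -notcontains $WantedAce) { continue }      # clean GPO, leave it alone

    Write-Host "$($Policy.Name): duplicate ACE(s) $($dups -join ', ')"
    if ($ReportOnly) { continue }

    # Same repair as the question's script, but scoped to this folder only:
    # /remove:g drops every grant ACE for the identity, then exactly one is re-added.
    icacls $Policy.FullName /remove:g $Identity
    icacls $Policy.FullName /grant $WantedAce
}
```

Run it once with $ReportOnly left at $true to see which GPO GUIDs would be touched before letting it change anything.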
There are *-ACL cmdlets for changing ACLs, but using them can get much more complex than with icacls.