Can
 asked on

Powershell: Run script against

Hi,

I have a few hundred GPOs with duplicate Domain Admin permissions on them. This is causing SYSVOL ACL sync issues. More info about this: https://social.technet.microsoft.com/Forums/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016

With the following command, I can check whether a GPO has double or single Domain Admin permissions:
ICACLS "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"


So this can return me this: (with one domain admin permission)
PS C:\> icacls "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"
\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}            CREATOR OWNER:(OI)(CI)(IO)(F)
                                                                                    NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                                                                                    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                                                    Domain\Domain Admins:(OI)(CI)(F)
                                                                                    Domain\Desktop1$:(OI)(CI)(RX)
                                                                                    Domain\Enterprise Admins:(OI)(CI)(F)
                                                                                    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)


Or this: (with double domain admin permissions)
PS C:\> icacls "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"
\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}            CREATOR OWNER:(OI)(CI)(IO)(F)
                                                                                    NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                                                                                    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                                                    Domain\Domain Admins:(OI)(CI)(F)
                                                                                    Domain\Domain Admins:(OI)(CI)(F)
                                                                                    Domain\Desktop1$:(OI)(CI)(RX)
                                                                                    Domain\Enterprise Admins:(OI)(CI)(F)
                                                                                    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)


To solve the ACL replication issue I need to remove and re-add the Domain Admin permission with the following script. This removes all Domain Admin permissions and re-adds just one permission.
# -Name returns the GUID folder names only, so the full path is rebuilt below
$Policies = Get-ChildItem C:\Windows\SYSVOL\domain\Policies -Name -Filter "{*}"

foreach ($Policy in $Policies) {
    # /remove:g drops every granted entry for the group, /grant adds exactly one back
    icacls "C:\Windows\SYSVOL\domain\Policies\$policy" /remove:g "<DomainName>\Domain Admins"
    icacls "C:\Windows\SYSVOL\domain\Policies\$policy" /grant "<DomainName>\Domain Admins:(OI)(CI)(F)"
    icacls "C:\Windows\SYSVOL\domain\Policies\$policy"
}


This does the job, but it affects all GPOs within my domain instead of just the GPOs which have double admin rights. Is there a way with PowerShell to apply this process to just the GPOs which have double permissions?

Thanks in advance
Can

PowerShell, Active Directory


8/22/2022 - Mon
Qlemo

Indeed, I guess it is best to mix PS and icacls:
Get-ChildItem C:\Windows\SYSVOL\domain\Policies -Directory -Filter "{*}" |
% {
  # count the Domain Admins entries in the folder's DACL and only touch folders with more than one
  if (@(Get-Acl $_.FullName | Select -Expand Access | ? { $_.IdentityReference -eq '<DomainName>\Domain Admins' }).Count -gt 1)
  {
    icacls $_.FullName /remove:g '<DomainName>\Domain Admins'
    icacls $_.FullName /grant    '<DomainName>\Domain Admins:(OI)(CI)(F)'
    # icacls $_.FullName
  }
}


There are *-ACL cmdlets for changing ACLs, but using them can get much more complex than with icacls.
Can

ASKER
Thank you for your reply Qlemo,

I am not sure if this is gonna work with Get-ACL. The reason I'm not sure about it is that Get-ACL does not show the double Domain Admin entries in the GPO. ICACLS does. Here is an example.
With ICACLS:
icacls "\\DC\C$\Windows\SYSVOL\domain\Policies\{28B31314-4ADE-40B3-99A5-6059B4C4D24E}" 


This returns me:
\\DC\C$\Windows\SYSVOL\domain\Policies\{28B31314-4ADE-40B3-99A5-6059B4C4D24E} Domain\Domain Admins:(OI)(CI)(F)
                                                                                      Domain\Domain Admins:(OI)(CI)(F)
                                                                                      Domain\Enterprise Admins:(OI)(CI)(F)
                                                                                      NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)
                                                                                      NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                                                                                      NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                                                      CREATOR OWNER:(OI)(CI)(IO)(F)


As you can see there are double Domain Admin entries.

With Get-ACL:
get-acl "\\dc\C$\Windows\SYSVOL\domain\Policies\{28B31314-4ADE-40B3-99A5-6059B4C4D24E}" | Select-Object -ExpandProperty access



I get only 1 domain admin entry:
get-acl "\\dc\C$\Windows\SYSVOL\domain\Policies\{28B31314-4ADE-40B3-99A5-6059B4C4D24E}" | Select-Object -ExpandProperty access


FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : CREATOR OWNER
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : NT AUTHORITY\Authenticated Users
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT AUTHORITY\SYSTEM
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : Domain\Domain Admins
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : Domain\Enterprise Admins
IsInherited       : False
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None



Do you think there is another way to integrate ICACLS with PowerShell?

Thank you,
Can
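The two points raised in this thread (repair only the GPO folders that actually carry a duplicate entry, and drive the check from icacls because Get-Acl reports a single entry for them) can be combined by parsing the icacls output directly, line by line, instead of going through Get-Acl. The script below is an added example, not code from the thread or from any of its participants. `Get-IcaclsAceCount` and `Repair-DuplicateAce` are names chosen here, `$PoliciesPath` and `<DomainName>` are placeholders for your environment, and it assumes it runs on a domain controller (or against a UNC path) under an account allowed to modify SYSVOL ACLs.

```powershell
<#
  Added example (not code from this thread). Detects duplicate "Domain Admins"
  entries by parsing icacls output, which still lists both entries where
  Get-Acl shows only one, and repairs only those GPO folders.
  Assumptions: $PoliciesPath and $DomainName are placeholders for your
  environment; the account running this may modify SYSVOL ACLs.
#>
param(
    [string]$PoliciesPath = 'C:\Windows\SYSVOL\domain\Policies',
    [string]$DomainName   = '<DomainName>',
    [switch]$ReportOnly          # list affected GPOs without changing anything
)

$adminIdentity = "$DomainName\Domain Admins"

function Get-IcaclsAceCount {
    # Returns how many ACE lines icacls prints for $Identity on $Path.
    # icacls prints "PATH  IDENTITY:(flags)" on the first line and one
    # "IDENTITY:(flags)" per following line, so a duplicate ACE is simply
    # the same identity appearing on two lines.
    param([string]$Path, [string]$Identity)

    $lines = & icacls.exe $Path 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "icacls failed for '$Path': $($lines -join ' ')"
    }
    # Require whitespace before the identity and ':(' right after it, so a
    # different domain or a longer group name is not counted by accident.
    $pattern = '(?:^|\s)' + [regex]::Escape($Identity + ':(')
    return @($lines | Where-Object { "$_" -match $pattern }).Count
}

function Repair-DuplicateAce {
    # /remove:g drops every granted entry for the identity; one is then re-added.
    param([string]$Path, [string]$Identity)
    & icacls.exe $Path /remove:g $Identity | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /remove failed for '$Path'" }
    & icacls.exe $Path /grant ($Identity + ':(OI)(CI)(F)') | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed for '$Path'" }
}

$results = Get-ChildItem -Path $PoliciesPath -Directory -Filter '{*}' | ForEach-Object {
    $before = Get-IcaclsAceCount -Path $_.FullName -Identity $adminIdentity
    # zero entries is also worth flagging: the group is missing from that GPO
    $action = if ($before -eq 0) { 'missing' } else { 'ok' }
    if ($before -gt 1) {
        if ($ReportOnly) {
            $action = 'needs repair'
        } else {
            Repair-DuplicateAce -Path $_.FullName -Identity $adminIdentity
            # verify the result by re-reading the ACL rather than trusting the exit code alone
            $after  = Get-IcaclsAceCount -Path $_.FullName -Identity $adminIdentity
            $action = if ($after -eq 1) { 'repaired' } else { "FAILED (now $after entries)" }
        }
    }
    [pscustomobject]@{ Gpo = $_.Name; DomainAdminEntries = $before; Action = $action }
}

$results | Format-Table -AutoSize
```

Run it once with `-ReportOnly` to get an inventory of which GPO folders have more than one entry (and which have none), then run it again without the switch; only folders whose count was above one are touched, and each repair is confirmed by re-counting the entries afterwards. The `(?:^|\s)` anchor in the pattern matters because the first icacls output line carries the folder path in front of the first ACE, and because a plain substring match on `Domain\Domain Admins` would also hit an identity from another domain whose name ends the same way.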
ASKER CERTIFIED SOLUTION
oBdA

Can

ASKER
Thank you so much oBdA!