Powershell: Run script against

Asked by Can
Topics: Powershell, Active Directory
Hi,

I have a few hundred GPOs with double Domain Admin permissions on them. This is causing SYSVOL ACL sync issues. More info about this: https://social.technet.microsoft.com/Forums/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016

With the following command, I can check whether a GPO has double or single Domain Admin permissions:
ICACLS "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"
So this can return me this: (with one domain admin permission)
PS C:\> icacls "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"
\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}            CREATOR OWNER:(OI)(CI)(IO)(F)
                                                                                    NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                                                                                    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                                                    Domain\Domain Admins:(OI)(CI)(F)
                                                                                    Domain\Desktop1$:(OI)(CI)(RX)
                                                                                    Domain\Enterprise Admins:(OI)(CI)(F)
                                                                                    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)
Or this: (with double domain admin permissions)
PS C:\> icacls "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"
\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}            CREATOR OWNER:(OI)(CI)(IO)(F)
                                                                                    NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                                                                                    NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                                                    Domain\Domain Admins:(OI)(CI)(F)
                                                                                    Domain\Domain Admins:(OI)(CI)(F)
                                                                                    Domain\Desktop1$:(OI)(CI)(RX)
                                                                                    Domain\Enterprise Admins:(OI)(CI)(F)
                                                                                    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)
To solve the ACL replication issue I need to remove and re-add the Domain Admin permission with the following script. This removes all Domain Admin permissions and re-adds just one permission.
    # Collect the GPO folder names ({GUID}) under SYSVOL
    $Policies = Get-ChildItem C:\Windows\SYSVOL\domain\Policies -Name -Filter "{*}"

    foreach ($Policy in $Policies) {
        # Strip every Domain Admins ACE, then grant exactly one back and show the result
        icacls "C:\Windows\SYSVOL\domain\Policies\$policy" /remove:g "<DomainName>\Domain Admins"
        icacls "C:\Windows\SYSVOL\domain\Policies\$policy" /grant "<DomainName>\Domain Admins:(OI)(CI)(F)"
        icacls "C:\Windows\SYSVOL\domain\Policies\$policy"
    }
This does the job, but it affects all GPOs within my domain instead of just the GPOs which have double admin rights. Is there a way with PowerShell to apply this process to just the GPOs which have double permissions?

Thanks in advance
Can
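One way to limit the fix to the affected folders, as an added example that is not part of the original question: count the Domain Admins entries in each GPO folder's icacls output first, and only run the remove/grant sequence where that count is greater than one. It assumes it runs elevated on a domain controller, uses the same `<DomainName>` placeholder as the post, and starts in dry-run mode so the report can be reviewed before any ACL is rewritten.

```powershell
# Added example, not code from the original post.
# Repairs only the GPO folders whose SYSVOL ACL lists Domain Admins more than once.
# Assumptions: run elevated on a domain controller; <DomainName> is a placeholder
# for the NetBIOS domain name (the same placeholder the post uses).
$PoliciesRoot = 'C:\Windows\SYSVOL\domain\Policies'
$DomainAdmins = '<DomainName>\Domain Admins'
$DryRun       = $true    # set to $false to actually rewrite ACLs

function Get-AceCount {
    # icacls prints one ACE per line as "<identity>:<rights>"; count the lines
    # that name the given principal.
    param([string]$Path, [string]$Principal)
    $lines = & icacls $Path
    @($lines | Select-String -SimpleMatch "${Principal}:").Count
}

function Repair-DuplicateAce {
    # Remove every ACE for the principal, then grant exactly one back: the same
    # sequence as the original script, but only called for affected folders.
    param([string]$Path, [string]$Principal)
    & icacls $Path /remove:g $Principal | Out-Null
    & icacls $Path /grant "${Principal}:(OI)(CI)(F)" | Out-Null
}

$report = foreach ($gpo in Get-ChildItem -LiteralPath $PoliciesRoot -Directory -Filter '{*}') {
    $count  = Get-AceCount -Path $gpo.FullName -Principal $DomainAdmins
    $status = switch ($count) {
        0       { 'MISSING' }    # worth a look: the group has no ACE at all
        1       { 'OK' }
        default { 'DUPLICATE' }
    }
    if ($status -eq 'DUPLICATE' -and -not $DryRun) {
        Repair-DuplicateAce -Path $gpo.FullName -Principal $DomainAdmins
        $status = 'FIXED'
    }
    [pscustomobject]@{ GPO = $gpo.Name; DomainAdminsAces = $count; Status = $status }
}

# Show only the folders that need attention
$report | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Run it once with `$DryRun = $true` to get the list of DUPLICATE (and any MISSING) folders, then flip it to `$false` to rewrite only those.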
