
Powershell: Run script against

Asked by Can
Last Modified: 2020-12-03
Hi,

I've got a few hundred GPOs with double Domain Admin permissions on them. This is causing SYSVOL ACL sync issues. More info about this: https://social.technet.microsoft.com/Forums/en-US/f16b0af1-8772-4f96-a9ac-fac47943e8e9/sysvol-permissions-for-one-or-more-gpo-are-not-in-sync?forum=ws2016

With the following script, I can check if a GPO has double or single Domain Admin permissions:

    ICACLS "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"

So this can return me this (with one Domain Admin permission):

    PS C:\> icacls "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"
    \\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}            CREATOR OWNER:(OI)(CI)(IO)(F)
                                                                                        NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                                                                                        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                                                        Domain\Domain Admins:(OI)(CI)(F)
                                                                                        Domain\Desktop1$:(OI)(CI)(RX)
                                                                                        Domain\Enterprise Admins:(OI)(CI)(F)
                                                                                        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)

Or this (with double Domain Admin permissions):

    PS C:\> icacls "\\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}"
    \\DC\SYSVOL\Domain.Local\Policies\{A70B12C9-D1D9-4B59-BB3D-A83D19E9C78F}            CREATOR OWNER:(OI)(CI)(IO)(F)
                                                                                        NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                                                                                        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                                                                        Domain\Domain Admins:(OI)(CI)(F)
                                                                                        Domain\Domain Admins:(OI)(CI)(F)
                                                                                        Domain\Desktop1$:(OI)(CI)(RX)
                                                                                        Domain\Enterprise Admins:(OI)(CI)(F)
                                                                                        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:(OI)(CI)(RX)

To solve the ACL replication issue I need to remove and re-add the Domain Admin permission with the following script. This way it removes all Domain Admin permissions and re-adds just one permission.

    # Names of all GPO folders ({GUID}) under the local SYSVOL Policies directory
    $Policies = Get-ChildItem C:\Windows\SYSVOL\domain\Policies -Name -Filter "{*}"

    foreach ($Policy in $Policies) {
        # Remove every granted Domain Admins entry, then grant a single one back
        icacls "C:\Windows\SYSVOL\domain\Policies\$Policy" /remove:g "<DomainName>\Domain Admins"
        icacls "C:\Windows\SYSVOL\domain\Policies\$Policy" /grant "<DomainName>\Domain Admins:(OI)(CI)(F)"
        # Show the resulting ACL
        icacls "C:\Windows\SYSVOL\domain\Policies\$Policy"
    }

This does the job, but it affects all GPOs within my domain instead of just the GPOs which have double admin rights. Is there a way with PowerShell to apply this process to just the GPOs which have double permissions?

Thanks in advance
Can
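
One way to scope the fix to the affected GPOs, as an added example that is not part of the original question or its answers: it counts the Domain Admins lines in each GPO folder's icacls output, as in the two listings above, and runs the question's remove/re-add pair only where more than one is found. `Get-AceLineCount` and `$ReportOnly` are names introduced here, `<DomainName>` is the question's placeholder, and the sample output is constructed.

```powershell
# Added example. Assumes it runs on a domain controller with the local
# SYSVOL path used in the question's script.
$PoliciesRoot = 'C:\Windows\SYSVOL\domain\Policies'
$Principal    = '<DomainName>\Domain Admins'   # placeholder, as in the question
$ReportOnly   = $true                          # set to $false to apply the fix

function Get-AceLineCount {
    # Counts icacls output lines that carry an ACE for exactly this principal.
    param([string[]]$IcaclsOutput, [string]$Principal)
    $pattern = [regex]::Escape($Principal) + ':\('
    @($IcaclsOutput | Where-Object { $_ -match $pattern }).Count
}

# Constructed sample modelled on the question's output (duplicate ACE present).
$sample = @(
    '\\DC\SYSVOL\Domain.Local\Policies\{GUID} CREATOR OWNER:(OI)(CI)(IO)(F)',
    '    NT AUTHORITY\SYSTEM:(OI)(CI)(F)',
    '    Domain\Domain Admins:(OI)(CI)(F)',
    '    Domain\Domain Admins:(OI)(CI)(F)',
    '    Domain\Enterprise Admins:(OI)(CI)(F)'
)
if ((Get-AceLineCount -IcaclsOutput $sample -Principal 'Domain\Domain Admins') -ne 2) {
    throw 'Self-check failed: duplicate ACE not counted'
}

if (-not (Test-Path -LiteralPath $PoliciesRoot)) {
    Write-Warning "Not found: $PoliciesRoot"
    return
}

foreach ($Policy in Get-ChildItem -Path $PoliciesRoot -Directory -Filter '{*}') {
    $path  = $Policy.FullName
    $count = Get-AceLineCount -IcaclsOutput (icacls $path) -Principal $Principal
    if ($count -le 1) { continue }             # single or no entry: leave untouched

    Write-Output "$path : $count '$Principal' entries"
    if (-not $ReportOnly) {
        # Same remove/re-add pair as the question's script, scoped to this GPO only
        icacls $path /remove:g $Principal
        icacls $path /grant "${Principal}:(OI)(CI)(F)"
        icacls $path
    }
}
```

With `$ReportOnly` left at `$true` the script only lists the GPO folders it would change, which gives a record to compare against after the permissions are rewritten.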
