Get and set granular GPO permissions

Welcome Forums General PowerShell Q&A Get and set granular GPO permissions

Viewing 1 reply thread
  • Author
    Posts
    • #72377
      Participant
      Topics: 2
      Replies: 5
      Points: 0
      Rank: Member

      Hello all.

      We are attempting to write a script to set permissions on a large set of GPO. The trouble we are having is all of the methods we have found online do not allow setting custom or special permissions. The below are methods we have used so far that are not producing the results we need.

      Method 1 – XML Report

      $xmlReport = $gpo.GenerateReport('xml')

      This command only returns the name of the trustee. Also includes some properties that I am uncertain if pertinent.

      Method 2 – ADSI/LDAP object

      $GPOACLList = $GPOObjSec.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])

      This method returns the group and the permissions but not in a granular fashion. "FileSystemRights" returned are "FullControl" for ACLs that I know are considered custom/special with granular permissions.

      Method 3 – Get-GPPermission

      Get-GPPermission $gpoWithAppSpec -all | select -ExpandProperty permission

      Returns permissions similar to those available to Set-GPPermission such as "GpoApply", "GpoEditDeleteModifySecurity", "GpoRead". Again, these are not granular permissions.

    • #72404
      Keymaster
      Topics: 13
      Replies: 4872
      Points: 1,844
      Helping HandTeam Member
      Rank: Community Hero

      To my knowledge, there's no public API for doing this. You might, however, pop over to GPOGuy.com and ask there – Darren's da man with this stuff.

      • #72437
        Participant
        Topics: 2
        Replies: 5
        Points: 0
        Rank: Member

        Great site. Found a post that looks very promising (albeit a little hacky). Thanks!

Viewing 1 reply thread
  • The topic ‘Get and set granular GPO permissions’ is closed to new replies.