Author Posts

June 17, 2016 at 5:11 pm

How can I add a User to a long list of GPOs' Restricted Users BUILTIN\Administrators node of the GPO? I searched Get-Command "*GroupPolicy*" but not seeing any cmdlet addressing this request.

June 17, 2016 at 5:59 pm

You'll need the Group Policy cmdlets installed to be able to do anything GPO related with PowerShell.

Not sure that in itself is enough to do what you are looking to do, but if you go over the cmdlets and their examples you might find that specific entry.

June 17, 2016 at 6:02 pm

Those cmdlets are in the RSAT, and their prefix is "GP." E.g...

Get-Command -noun gp*

June 17, 2016 at 7:15 pm

none of those cmdlets help with adding a User to said GPOs Restricted Groups.

PS C:\> Get-Command -noun gp*

CommandType     Name                                               Version    Source                                        
-----------     ----                                               -------    ------                                        
Alias           Get-GPPermissions                            GroupPolicy                                   
Alias           Set-GPPermissions                            GroupPolicy                                   
Cmdlet          Backup-GPO                                   GroupPolicy                                   
Cmdlet          Block-GPInheritance                          GroupPolicy                                   
Cmdlet          Copy-GPO                                     GroupPolicy                                   
Cmdlet          Get-GPInheritance                            GroupPolicy                                   
Cmdlet          Get-GPO                                      GroupPolicy                                   
Cmdlet          Get-GPOReport                                GroupPolicy                                   
Cmdlet          Get-GPPermission                             GroupPolicy                                   
Cmdlet          Get-GPPrefRegistryValue                      GroupPolicy                                   
Cmdlet          Get-GPRegistryValue                          GroupPolicy                                   
Cmdlet          Get-GPResultantSetOfPolicy                   GroupPolicy                                   
Cmdlet          Get-GPStarterGPO                             GroupPolicy                                   
Cmdlet          Import-GPO                                   GroupPolicy                                   
Cmdlet          Invoke-GPUpdate                              GroupPolicy                                   
Cmdlet          New-GPLink                                   GroupPolicy                                   
Cmdlet          New-GPO                                      GroupPolicy                                   
Cmdlet          New-GPStarterGPO                             GroupPolicy                                   
Cmdlet          Remove-GPLink                                GroupPolicy                                   
Cmdlet          Remove-GPO                                   GroupPolicy                                   
Cmdlet          Remove-GPPrefRegistryValue                   GroupPolicy                                   
Cmdlet          Remove-GPRegistryValue                       GroupPolicy                                   
Cmdlet          Rename-GPO                                   GroupPolicy                                   
Cmdlet          Restore-GPO                                  GroupPolicy                                   
Cmdlet          Set-GPInheritance                            GroupPolicy                                   
Cmdlet          Set-GPLink                                   GroupPolicy                                   
Cmdlet          Set-GPPermission                             GroupPolicy                                   
Cmdlet          Set-GPPrefRegistryValue                      GroupPolicy                                   
Cmdlet          Set-GPRegistryValue                          GroupPolicy                                   

PS C:\> get-help Set-GPPermission

Name                              Category  Module                    Synopsis                                              
----                              --------  ------                    --------                                              
Get-GPInheritance                 Cmdlet    GroupPolicy               Retrieves Group Policy inheritance information for ...
New-GPLink                        Cmdlet    GroupPolicy               Links a GPO to a site, domain, or organizational un...
New-GPO                           Cmdlet    GroupPolicy               Creates a new GPO.                                    

June 17, 2016 at 9:47 pm

Since the Group Policy cmdlets don't allow this, is there a way to leverage another set of cmdlets to do this task? I have way too many GPO's to do this manually

  • This reply was modified 2 years, 3 months ago by  Jeff Taylor.

June 17, 2016 at 10:21 pm

As you'll need to work on the INF file, this might help :

Powershell – GPO cmdlet to configure restricted groups

also try following

and the links in it, might give more info

June 20, 2016 at 10:45 pm


SDM looks promising. Have requested pricing info as it's based on # of GPO's and we have 500+ to have this operation performed against...they have written their own cmdlets to do the task:

$gpo = get-sdmgpobject -gpoName "gpo:// Demo" -openbyName $container = $gpo.GetObject("Computer Configuration/Windows Settings/Security Settings/Restricted Groups"); $setting = $container.Settings.AddNew("Administrators") $members = [System.Collections.ArrayList]$setting.GetEx("Members") $members.Add("CPANDL\GPO Admins") $setting.PutEx([GPOSDK.PropOp]"PROPERTY_UPDATE", "Members", $members) $setting.Save() 

Thank you...

June 21, 2016 at 5:49 pm

Yes they did, never the less you can follow Darren's reply and build something yourself.
Its a INF file manipulation with SIDs of groups/users that you can get by other means.

Not saying buying their solution is a bad thing but as you noted they based their prices on per gpo object
so id would definitely start with writing your own code and see how it works from there.

June 21, 2016 at 6:16 pm


Where is "Darren's reply"?

June 27, 2016 at 7:58 pm

thanks I see the original SDM article you posted IS "Darren's reply". I didn't realize Darren = SDM

  • This reply was modified 2 years, 2 months ago by  Jeff Taylor.