June 17, 2016 at 5:11 pm #43732
How can I add a User to a long list of GPOs' Restricted Users BUILTIN\Administrators node of the GPO? I searched Get-Command "*GroupPolicy*" but I'm not seeing any cmdlet addressing this request.
June 17, 2016 at 5:59 pm #43738
You'll need the Group Policy cmdlets installed to be able to do anything GPO related with PowerShell.
Not sure that in itself is enough to do what you are looking to do, but if you go over the cmdlets and their examples you might find that specific entry.
June 17, 2016 at 9:47 pm #43795
Since the Group Policy cmdlets don't allow this, is there a way to leverage another set of cmdlets to do this task? I have way too many GPOs to do this manually.
June 17, 2016 at 6:02 pm #43740
Those cmdlets are in the RSAT, and their prefix is "GP." E.g...
Get-Command -noun gp*
June 17, 2016 at 7:15 pm #43772
None of those cmdlets help with adding a User to said GPOs' Restricted Groups.
PS C:\> Get-Command -noun gp*

CommandType  Name                        Version         Source
-----------  ----                        -------         ------
Alias        Get-GPPermissions           220.127.116.11  GroupPolicy
Alias        Set-GPPermissions           18.104.22.168   GroupPolicy
Cmdlet       Backup-GPO                  22.214.171.124  GroupPolicy
Cmdlet       Block-GPInheritance         126.96.36.199   GroupPolicy
Cmdlet       Copy-GPO                    188.8.131.52    GroupPolicy
Cmdlet       Get-GPInheritance           184.108.40.206  GroupPolicy
Cmdlet       Get-GPO                     220.127.116.11  GroupPolicy
Cmdlet       Get-GPOReport               18.104.22.168   GroupPolicy
Cmdlet       Get-GPPermission            22.214.171.124  GroupPolicy
Cmdlet       Get-GPPrefRegistryValue     126.96.36.199   GroupPolicy
Cmdlet       Get-GPRegistryValue         188.8.131.52    GroupPolicy
Cmdlet       Get-GPResultantSetOfPolicy  184.108.40.206  GroupPolicy
Cmdlet       Get-GPStarterGPO            220.127.116.11  GroupPolicy
Cmdlet       Import-GPO                  18.104.22.168   GroupPolicy
Cmdlet       Invoke-GPUpdate             22.214.171.124  GroupPolicy
Cmdlet       New-GPLink                  126.96.36.199   GroupPolicy
Cmdlet       New-GPO                     188.8.131.52    GroupPolicy
Cmdlet       New-GPStarterGPO            184.108.40.206  GroupPolicy
Cmdlet       Remove-GPLink               220.127.116.11  GroupPolicy
Cmdlet       Remove-GPO                  18.104.22.168   GroupPolicy
Cmdlet       Remove-GPPrefRegistryValue  22.214.171.124  GroupPolicy
Cmdlet       Remove-GPRegistryValue      126.96.36.199   GroupPolicy
Cmdlet       Rename-GPO                  188.8.131.52    GroupPolicy
Cmdlet       Restore-GPO                 184.108.40.206  GroupPolicy
Cmdlet       Set-GPInheritance           220.127.116.11  GroupPolicy
Cmdlet       Set-GPLink                  18.104.22.168   GroupPolicy
Cmdlet       Set-GPPermission            22.214.171.124  GroupPolicy
Cmdlet       Set-GPPrefRegistryValue     126.96.36.199   GroupPolicy
Cmdlet       Set-GPRegistryValue         188.8.131.52    GroupPolicy

PS C:\> get-help Set-GPPermission

Name               Category  Module       Synopsis
----               --------  ------       --------
Get-GPInheritance  Cmdlet    GroupPolicy  Retrieves Group Policy inheritance information for ...
New-GPLink         Cmdlet    GroupPolicy  Links a GPO to a site, domain, or organizational un...
New-GPO            Cmdlet    GroupPolicy  Creates a new GPO.
June 17, 2016 at 10:21 pm #43798
As you'll need to work on the INF file, this might help:
Also try the following
and the links in it; they might give more info.
June 20, 2016 at 10:45 pm #44085
SDM looks promising. Have requested pricing info as it's based on # of GPOs and we have 500+ to have this operation performed against... They have written their own cmdlets to do the task:

# Open the GPO by name
$gpo = get-sdmgpobject -gpoName "gpo://cpandl.com/GPAE Demo" -openbyName
# Navigate to the Restricted Groups node of the GPO
$container = $gpo.GetObject("Computer Configuration/Windows Settings/Security Settings/Restricted Groups");
# Add an entry for the Administrators group
$setting = $container.Settings.AddNew("Administrators")
# Read the current Members list and append the new member
$members = [System.Collections.ArrayList]$setting.GetEx("Members")
$members.Add("CPANDL\GPO Admins")
# Write the updated list back and save the setting
$setting.PutEx([GPOSDK.PropOp]"PROPERTY_UPDATE", "Members", $members)
$setting.Save()
June 21, 2016 at 5:49 pm #44193
Yes they did; nevertheless, you can follow Darren's reply and build something yourself.
It's an INF file manipulation with SIDs of groups/users that you can get by other means.
Not saying buying their solution is a bad thing, but as you noted, they based their prices on per GPO object,
so I would definitely start with writing your own code and see how it works from there.
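
The INF manipulation suggested in the reply above, as an added example that is not part of the original thread and is not SDM Software's code. It assumes the standard GptTmpl.inf layout, where Restricted Groups live in a [Group Membership] section keyed by group SID; the function name Add-RestrictedGroupMember and the member SIDs in the sample are hypothetical and constructed.

```powershell
# Added example (hypothetical helper). Works on the text of a GPO's GptTmpl.inf, found under
# \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Microsoft\Windows NT\SecEdit\
function Add-RestrictedGroupMember {
    param(
        [string[]]$InfLines,                  # lines of GptTmpl.inf
        [string]$GroupSid = 'S-1-5-32-544',   # BUILTIN\Administrators
        [Parameter(Mandatory)][string]$MemberSid
    )
    $key   = "*${GroupSid}__Members"
    $entry = "*$MemberSid"
    $out   = [System.Collections.Generic.List[string]]::new()
    $inSection = $false; $done = $false

    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Leaving [Group Membership] without having seen the key: add it first.
            if ($inSection -and -not $done) { $out.Add("$key = $entry"); $done = $true }
            $inSection = ($Matches[1] -eq 'Group Membership')
        }
        elseif ($inSection -and $line -match '^\s*(\S+)\s*=\s*(.*)$' -and $Matches[1] -eq $key) {
            # Key exists: append the SID only if it is not already listed.
            $members = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($members -notcontains $entry) { $members += $entry }
            $line = "$key = " + ($members -join ',')
            $done = $true
        }
        $out.Add($line)
    }
    if (-not $done) {
        # Section missing entirely, or it is the last section and lacks the key.
        if (-not $inSection) { $out.Add('[Group Membership]') }
        $out.Add("$key = $entry")
    }
    return $out.ToArray()
}

# Constructed sample content; the SIDs are placeholders, not real accounts.
$sample = @(
    '[Unicode]', 'Unicode=yes',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
    '[Group Membership]',
    '*S-1-5-32-544__Memberof =',
    '*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512'
)
Add-RestrictedGroupMember -InfLines $sample -MemberSid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
# For a real file: read with Get-Content, write back with Set-Content -Encoding Unicode,
# and take a Backup-GPO of each GPO first.
```

A Members entry is authoritative: accounts not listed in it are removed from the group when the policy applies, so review the resulting line for each GPO before writing it back. A direct edit of GptTmpl.inf in SYSVOL is only picked up by clients once the GPO's version number is incremented.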
The topic ‘How can I add User to GPO Restricted Groups?’ is closed to new replies.