This topic contains 9 replies, has 3 voices, and was last updated by
June 17, 2016 at 5:11 pm #43732
How can I add a User to a long list of GPOs' Restricted Users BUILTIN\Administrators node of the GPO? I searched Get-Command "*GroupPolicy*" but not seeing any cmdlet addressing this request.
June 17, 2016 at 5:59 pm #43738
You'll need the Group Policy cmdlets installed to be able to do anything GPO related with PowerShell.
Not sure that in itself is enough to do what you are looking to do, but if you go over the cmdlets and their examples you might find that specific entry.
June 17, 2016 at 9:47 pm #43795
Since the Group Policy cmdlets don't allow this, is there a way to leverage another set of cmdlets to do this task? I have way too many GPO's to do this manually
June 17, 2016 at 6:02 pm #43740KeymasterPoints: 1,811Rank: Community Hero
Those cmdlets are in the RSAT, and their prefix is "GP." E.g...
Get-Command -noun gp*
June 17, 2016 at 7:15 pm #43772
none of those cmdlets help with adding a User to said GPOs Restricted Groups.
PS C:\> Get-Command -noun gp* CommandType Name Version Source ----------- ---- ------- ------ Alias Get-GPPermissions 18.104.22.168 GroupPolicy Alias Set-GPPermissions 22.214.171.124 GroupPolicy Cmdlet Backup-GPO 126.96.36.199 GroupPolicy Cmdlet Block-GPInheritance 188.8.131.52 GroupPolicy Cmdlet Copy-GPO 184.108.40.206 GroupPolicy Cmdlet Get-GPInheritance 220.127.116.11 GroupPolicy Cmdlet Get-GPO 18.104.22.168 GroupPolicy Cmdlet Get-GPOReport 22.214.171.124 GroupPolicy Cmdlet Get-GPPermission 126.96.36.199 GroupPolicy Cmdlet Get-GPPrefRegistryValue 188.8.131.52 GroupPolicy Cmdlet Get-GPRegistryValue 184.108.40.206 GroupPolicy Cmdlet Get-GPResultantSetOfPolicy 220.127.116.11 GroupPolicy Cmdlet Get-GPStarterGPO 18.104.22.168 GroupPolicy Cmdlet Import-GPO 22.214.171.124 GroupPolicy Cmdlet Invoke-GPUpdate 126.96.36.199 GroupPolicy Cmdlet New-GPLink 188.8.131.52 GroupPolicy Cmdlet New-GPO 184.108.40.206 GroupPolicy Cmdlet New-GPStarterGPO 220.127.116.11 GroupPolicy Cmdlet Remove-GPLink 18.104.22.168 GroupPolicy Cmdlet Remove-GPO 22.214.171.124 GroupPolicy Cmdlet Remove-GPPrefRegistryValue 126.96.36.199 GroupPolicy Cmdlet Remove-GPRegistryValue 188.8.131.52 GroupPolicy Cmdlet Rename-GPO 184.108.40.206 GroupPolicy Cmdlet Restore-GPO 220.127.116.11 GroupPolicy Cmdlet Set-GPInheritance 18.104.22.168 GroupPolicy Cmdlet Set-GPLink 22.214.171.124 GroupPolicy Cmdlet Set-GPPermission 126.96.36.199 GroupPolicy Cmdlet Set-GPPrefRegistryValue 188.8.131.52 GroupPolicy Cmdlet Set-GPRegistryValue 184.108.40.206 GroupPolicy PS C:\> get-help Set-GPPermission Name Category Module Synopsis ---- -------- ------ -------- Get-GPInheritance Cmdlet GroupPolicy Retrieves Group Policy inheritance information for ... New-GPLink Cmdlet GroupPolicy Links a GPO to a site, domain, or organizational un... New-GPO Cmdlet GroupPolicy Creates a new GPO.
June 17, 2016 at 10:21 pm #43798
As you'll need to work on the INF file, this might help :
also try following
and the links in it, might give more info
June 20, 2016 at 10:45 pm #44085
SDM looks promising. Have requested pricing info as it's based on # of GPO's and we have 500+ to have this operation performed against...they have written their own cmdlets to do the task:
$gpo = get-sdmgpobject -gpoName "gpo://cpandl.com/GPAE Demo" -openbyName $container = $gpo.GetObject("Computer Configuration/Windows Settings/Security Settings/Restricted Groups"); $setting = $container.Settings.AddNew("Administrators") $members = [System.Collections.ArrayList]$setting.GetEx("Members") $members.Add("CPANDL\GPO Admins") $setting.PutEx([GPOSDK.PropOp]"PROPERTY_UPDATE", "Members", $members) $setting.Save()
June 21, 2016 at 5:49 pm #44193
Yes they did, never the less you can follow Darren's reply and build something yourself.
Its a INF file manipulation with SIDs of groups/users that you can get by other means.
Not saying buying their solution is a bad thing but as you noted they based their prices on per gpo object
so id would definitely start with writing your own code and see how it works from there.
The topic ‘How can I add User to GPO Restricted Groups?’ is closed to new replies.