How can I add User to GPO Restricted Groups?

Welcome Forums General PowerShell Q&A How can I add User to GPO Restricted Groups?

This topic contains 9 replies, has 3 voices, and was last updated by

 
Participant
2 years, 5 months ago.

  • Author
    Posts
  • #43732

    Participant
    Points: 71
    Rank: Member

    How can I add a User to a long list of GPOs' Restricted Users BUILTIN\Administrators node of the GPO? I searched Get-Command "*GroupPolicy*" but not seeing any cmdlet addressing this request.

  • #43738

    Participant
    Points: -19
    Rank: Member

    You'll need the Group Policy cmdlets installed to be able to do anything GPO related with PowerShell.

    https://technet.microsoft.com/en-us/library/ee461027.aspx

    Not sure that in itself is enough to do what you are looking to do, but if you go over the cmdlets and their examples you might find that specific entry.

    • #43795

      Participant
      Points: 71
      Rank: Member

      Since the Group Policy cmdlets don't allow this, is there a way to leverage another set of cmdlets to do this task? I have way too many GPO's to do this manually

  • #43740

    Keymaster
    Points: 1,704
    Helping HandTeam Member
    Rank: Community Hero

    Those cmdlets are in the RSAT, and their prefix is "GP." E.g...

    Get-Command -noun gp*

  • #43772

    Participant
    Points: 71
    Rank: Member

    none of those cmdlets help with adding a User to said GPOs Restricted Groups.

    PS C:\> Get-Command -noun gp*
    
    CommandType     Name                                               Version    Source                                        
    -----------     ----                                               -------    ------                                        
    Alias           Get-GPPermissions                                  1.0.0.0    GroupPolicy                                   
    Alias           Set-GPPermissions                                  1.0.0.0    GroupPolicy                                   
    Cmdlet          Backup-GPO                                         1.0.0.0    GroupPolicy                                   
    Cmdlet          Block-GPInheritance                                1.0.0.0    GroupPolicy                                   
    Cmdlet          Copy-GPO                                           1.0.0.0    GroupPolicy                                   
    Cmdlet          Get-GPInheritance                                  1.0.0.0    GroupPolicy                                   
    Cmdlet          Get-GPO                                            1.0.0.0    GroupPolicy                                   
    Cmdlet          Get-GPOReport                                      1.0.0.0    GroupPolicy                                   
    Cmdlet          Get-GPPermission                                   1.0.0.0    GroupPolicy                                   
    Cmdlet          Get-GPPrefRegistryValue                            1.0.0.0    GroupPolicy                                   
    Cmdlet          Get-GPRegistryValue                                1.0.0.0    GroupPolicy                                   
    Cmdlet          Get-GPResultantSetOfPolicy                         1.0.0.0    GroupPolicy                                   
    Cmdlet          Get-GPStarterGPO                                   1.0.0.0    GroupPolicy                                   
    Cmdlet          Import-GPO                                         1.0.0.0    GroupPolicy                                   
    Cmdlet          Invoke-GPUpdate                                    1.0.0.0    GroupPolicy                                   
    Cmdlet          New-GPLink                                         1.0.0.0    GroupPolicy                                   
    Cmdlet          New-GPO                                            1.0.0.0    GroupPolicy                                   
    Cmdlet          New-GPStarterGPO                                   1.0.0.0    GroupPolicy                                   
    Cmdlet          Remove-GPLink                                      1.0.0.0    GroupPolicy                                   
    Cmdlet          Remove-GPO                                         1.0.0.0    GroupPolicy                                   
    Cmdlet          Remove-GPPrefRegistryValue                         1.0.0.0    GroupPolicy                                   
    Cmdlet          Remove-GPRegistryValue                             1.0.0.0    GroupPolicy                                   
    Cmdlet          Rename-GPO                                         1.0.0.0    GroupPolicy                                   
    Cmdlet          Restore-GPO                                        1.0.0.0    GroupPolicy                                   
    Cmdlet          Set-GPInheritance                                  1.0.0.0    GroupPolicy                                   
    Cmdlet          Set-GPLink                                         1.0.0.0    GroupPolicy                                   
    Cmdlet          Set-GPPermission                                   1.0.0.0    GroupPolicy                                   
    Cmdlet          Set-GPPrefRegistryValue                            1.0.0.0    GroupPolicy                                   
    Cmdlet          Set-GPRegistryValue                                1.0.0.0    GroupPolicy                                   
    
    
    
    PS C:\> get-help Set-GPPermission
    
    Name                              Category  Module                    Synopsis                                              
    ----                              --------  ------                    --------                                              
    Get-GPInheritance                 Cmdlet    GroupPolicy               Retrieves Group Policy inheritance information for ...
    New-GPLink                        Cmdlet    GroupPolicy               Links a GPO to a site, domain, or organizational un...
    New-GPO                           Cmdlet    GroupPolicy               Creates a new GPO.                                    
    
  • #43798

    Participant
    Points: -19
    Rank: Member

    As you'll need to work on the INF file, this might help :

    Powershell – GPO cmdlet to configure restricted groups

    also try following

    http://powershell.com/cs/forums/t/13812.aspx

    and the links in it, might give more info

  • #44085

    Participant
    Points: 71
    Rank: Member

    Arie,

    SDM looks promising. Have requested pricing info as it's based on # of GPO's and we have 500+ to have this operation performed against...they have written their own cmdlets to do the task:

    $gpo = get-sdmgpobject -gpoName "gpo://cpandl.com/GPAE Demo" -openbyName $container = $gpo.GetObject("Computer Configuration/Windows Settings/Security Settings/Restricted Groups"); $setting = $container.Settings.AddNew("Administrators") $members = [System.Collections.ArrayList]$setting.GetEx("Members") $members.Add("CPANDL\GPO Admins") $setting.PutEx([GPOSDK.PropOp]"PROPERTY_UPDATE", "Members", $members) $setting.Save() 
    

    Thank you...

  • #44193

    Participant
    Points: -19
    Rank: Member

    Yes they did, never the less you can follow Darren's reply and build something yourself.
    Its a INF file manipulation with SIDs of groups/users that you can get by other means.

    Not saying buying their solution is a bad thing but as you noted they based their prices on per gpo object
    so id would definitely start with writing your own code and see how it works from there.

    • #44196

      Participant
      Points: 71
      Rank: Member

      Arie,

      Where is "Darren's reply"?

    • #44966

      Participant
      Points: 71
      Rank: Member

      thanks I see the original SDM article you posted IS "Darren's reply". I didn't realize Darren = SDM

The topic ‘How can I add User to GPO Restricted Groups?’ is closed to new replies.