June 17, 2016 at 5:11 pm #43732
How can I add a User to a long list of GPOs' Restricted Users BUILTIN\Administrators node of the GPO? I searched Get-Command "*GroupPolicy*" but I'm not seeing any cmdlet addressing this request.
June 17, 2016 at 5:59 pm #43738
You'll need the Group Policy cmdlets installed to be able to do anything GPO related with PowerShell.
Not sure that in itself is enough to do what you are looking to do, but if you go over the cmdlets and their examples you might find that specific entry.
June 17, 2016 at 9:47 pm #43795
Since the Group Policy cmdlets don't allow this, is there a way to leverage another set of cmdlets to do this task? I have way too many GPOs to do this manually.
June 17, 2016 at 6:02 pm #43740
Those cmdlets are in the RSAT, and their prefix is "GP." E.g...
Get-Command -noun gp*
June 17, 2016 at 7:15 pm #43772
None of those cmdlets help with adding a User to said GPOs' Restricted Groups.
PS C:\> Get-Command -noun gp*

CommandType     Name                          Version           Source
-----------     ----                          -------           ------
Alias           Get-GPPermissions             184.108.40.206    GroupPolicy
Alias           Set-GPPermissions             220.127.116.11    GroupPolicy
Cmdlet          Backup-GPO                    18.104.22.168     GroupPolicy
Cmdlet          Block-GPInheritance           22.214.171.124    GroupPolicy
Cmdlet          Copy-GPO                      126.96.36.199     GroupPolicy
Cmdlet          Get-GPInheritance             188.8.131.52      GroupPolicy
Cmdlet          Get-GPO                       184.108.40.206    GroupPolicy
Cmdlet          Get-GPOReport                 220.127.116.11    GroupPolicy
Cmdlet          Get-GPPermission              18.104.22.168     GroupPolicy
Cmdlet          Get-GPPrefRegistryValue       22.214.171.124    GroupPolicy
Cmdlet          Get-GPRegistryValue           126.96.36.199     GroupPolicy
Cmdlet          Get-GPResultantSetOfPolicy    188.8.131.52      GroupPolicy
Cmdlet          Get-GPStarterGPO              184.108.40.206    GroupPolicy
Cmdlet          Import-GPO                    220.127.116.11    GroupPolicy
Cmdlet          Invoke-GPUpdate               18.104.22.168     GroupPolicy
Cmdlet          New-GPLink                    22.214.171.124    GroupPolicy
Cmdlet          New-GPO                       126.96.36.199     GroupPolicy
Cmdlet          New-GPStarterGPO              188.8.131.52      GroupPolicy
Cmdlet          Remove-GPLink                 184.108.40.206    GroupPolicy
Cmdlet          Remove-GPO                    220.127.116.11    GroupPolicy
Cmdlet          Remove-GPPrefRegistryValue    18.104.22.168     GroupPolicy
Cmdlet          Remove-GPRegistryValue        22.214.171.124    GroupPolicy
Cmdlet          Rename-GPO                    126.96.36.199     GroupPolicy
Cmdlet          Restore-GPO                   188.8.131.52      GroupPolicy
Cmdlet          Set-GPInheritance             184.108.40.206    GroupPolicy
Cmdlet          Set-GPLink                    220.127.116.11    GroupPolicy
Cmdlet          Set-GPPermission              18.104.22.168     GroupPolicy
Cmdlet          Set-GPPrefRegistryValue       22.214.171.124    GroupPolicy
Cmdlet          Set-GPRegistryValue           126.96.36.199     GroupPolicy

PS C:\> get-help Set-GPPermission

Name                 Category    Module         Synopsis
----                 --------    ------         --------
Get-GPInheritance    Cmdlet      GroupPolicy    Retrieves Group Policy inheritance information for ...
New-GPLink           Cmdlet      GroupPolicy    Links a GPO to a site, domain, or organizational un...
New-GPO              Cmdlet      GroupPolicy    Creates a new GPO.
June 17, 2016 at 10:21 pm #43798
As you'll need to work on the INF file, this might help:
Also try the following
and the links in it, which might give more info.
June 20, 2016 at 10:45 pm #44085
SDM looks promising. I have requested pricing info, as it's based on # of GPOs and we have 500+ to have this operation performed against... They have written their own cmdlets to do the task:
$gpo = get-sdmgpobject -gpoName "gpo://cpandl.com/GPAE Demo" -openbyName
$container = $gpo.GetObject("Computer Configuration/Windows Settings/Security Settings/Restricted Groups");
$setting = $container.Settings.AddNew("Administrators")
$members = [System.Collections.ArrayList]$setting.GetEx("Members")
$members.Add("CPANDL\GPO Admins")
$setting.PutEx([GPOSDK.PropOp]"PROPERTY_UPDATE", "Members", $members)
$setting.Save()
June 21, 2016 at 5:49 pm #44193
Yes, they did. Nevertheless, you can follow Darren's reply and build something yourself.
It's an INF file manipulation with SIDs of groups/users that you can get by other means.
Not saying buying their solution is a bad thing, but as you noted, they base their prices on a per-GPO-object basis,
so I'd definitely start with writing your own code and see how it works from there.
The topic ‘How can I add User to GPO Restricted Groups?’ is closed to new replies.
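The INF manipulation suggested in the last reply, as an added example that is not part of the original thread and is not SDM's or any poster's code: it appends a member SID to the Restricted Groups "Members" entry for BUILTIN\Administrators (S-1-5-32-544) in a copy of a GPO's GptTmpl.inf. The function name Add-RestrictedGroupMember is hypothetical, and the sample file and domain SIDs are constructed.

```powershell
# Added example (not from the thread). Adds a member SID to a Restricted Groups
# "Members" entry in a copy of a GPO's GptTmpl.inf. The function name is hypothetical.
function Add-RestrictedGroupMember {
    param(
        [Parameter(Mandatory)][string]$Path,       # GptTmpl.inf to edit
        [Parameter(Mandatory)][string]$MemberSid,  # SID of the account to add
        [string]$GroupSid = 'S-1-5-32-544'         # BUILTIN\Administrators
    )
    # Throws if the SID string is malformed, before anything is written.
    $null = New-Object System.Security.Principal.SecurityIdentifier $MemberSid

    $key     = "*${GroupSid}__Members"
    $entry   = "*$MemberSid"
    $pattern = '^\s*' + [regex]::Escape($key) + '\s*=\s*(.*)$'
    $lines   = @(Get-Content -LiteralPath $Path -Encoding Unicode)   # file is UTF-16

    $idx = -1; $sec = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim() -eq '[Group Membership]') { $sec = $i }
        if ($lines[$i] -match $pattern) { $idx = $i; break }
    }
    if ($idx -ge 0) {
        # Existing entry: keep the current members and append ours once.
        $members = @($Matches[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($members -contains $entry) { return $false }   # already listed, file untouched
        $lines[$idx] = "$key = " + (($members + $entry) -join ',')
    } elseif ($sec -ge 0) {
        # Section exists but has no entry for this group: insert under the header.
        $lines = @($lines[0..$sec]) + "$key = $entry" + @($lines | Select-Object -Skip ($sec + 1))
    } else {
        $lines += '[Group Membership]', "$key = $entry"
    }
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # rollback copy
    Set-Content -LiteralPath $Path -Value $lines -Encoding Unicode
    return $true
}

# Constructed sample input (the domain SIDs are made up).
$inf = Join-Path ([IO.Path]::GetTempPath()) 'GptTmpl.inf'
@('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
  '[Group Membership]', '*S-1-5-32-544__Memberof =',
  '*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512'
) | Set-Content -LiteralPath $inf -Encoding Unicode

Add-RestrictedGroupMember -Path $inf -MemberSid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
Get-Content -LiteralPath $inf -Encoding Unicode | Select-String '__Members'
```

The "Members" entry is authoritative: clients replace the local group's membership with exactly this list, which is why the function appends to the existing value instead of overwriting it. After a file in SYSVOL is edited this way, the GPO's version number must also be incremented or clients will not reprocess the setting.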