Set-GPPermissions always prompting

This topic contains 10 replies, has 3 voices, and was last updated by  vamsee 2 months, 1 week ago.

  • Author
    Posts
  • #76960

    vamsee
    Participant

    Does anyone know how to bypass the Set-GPPermissions prompt? I have an automated script that removes 'Authenticated Users' from the security filtering and I couldn´t find a way to bypass it.
    I tried the following without any success
    -Confirm:$false
    piped the command to out-null
    caught the return value of the command into another variable
    Final command looks like this

    $ret=Set-GPPermissions -Name "testgpo" -TargetName "AUTHENTICATED USERS" -TargetType "Group" -PermissionLevel None -ErrorAction SilentlyContinue -Confirm:$false | out-null

    And i still receive the following prompt

    Group Policy requires each computer account to have permission to read GPO data from domain controller in order for User Group Policy Settings to be successfully applied. Removing the Authenticated Users group may prevent processing of User Group policies. For more information, please see https://go.microsoft.com/fwlink/?linkid=843010
    Do you want to continue?
    [Y] Yes [N] No [S] Suspend [?] Help (Default is "Y"):

    Also, note that there is no -force option in this command..
    I know after kb3163622 all computers must have read access to user GPOs, and I will be using another security group to this GPO above, so just wanted to avoid that prompt confirmation. Anyways in the next command in the script i am anyways adding READ permission for "Authenticated Users"

    There is another link about this topic but no one seems to have a solution. The link can be found here: https://social.technet.microsoft.com/Forums/en-US/a9d12558-3dbe-4f29-9268-c682fcc48596/setgppermissions-always-prompting?forum=winserverpowershell

  • #77109

    Don Jones
    Keymaster

    I wouldn't expect Out-Null to work; the prompt isn't part of the command's output. Nor is this a PowerShell confirmation prompt, so I wouldn't expect -confirm:$false to do anything. This is a prompt being generated internally by the command.

    I'm not seeing a response to your posts on TechNet or UserVoice, so perhaps other folks aren't running into this? That would make me suspect that it's something in your environment which is triggering the prompt inside the command, and that the team who wrote the command hasn't provided a way to suppress it. The most you could do, in that case, is open a bug report with Microsoft Product Support.

    • #77142

      vamsee
      Participant

      Regarding your statement "I'm not seeing a response to your posts on TechNet or UserVoice, so perhaps other folks aren't running into this? "

      I think everyone can reproduce this issue provided they have the 2016 OS with the latest updates. I observed that this issue was not present in an older 2016 OS version. After that, I used another 2016 OS version that had 2 more critical updates (KB402384, KB402273). It is in this OS version that I am seeing the issue of prompts.
      Inorder to isolate which of the 2 updates was causing this I tried to uninstall one of the updates but unfortunately, I could not uninstall them as they are critical updates.

      -vamsee

  • #77134

    Jon
    Participant

    Try adding the read permissions first.

    • #77140

      vamsee
      Participant

      Read permission is already present before I attempt a remove of Apply permissions.
      The way it works is that when Read permission is implicitly given when you give the Apply permission. Since the GPO was created with Apply permissions for Authenticated Users, it also had the Read permissions for Authenticated Users.

      When we remove the Apply permission, following the rule above, it also implicitly takes out Read permissions for the user. Hence the cause of the prompt. That's why my script has the next statement to give explicit Read permissions after removing Apply permissions.

  • #77146

    Jon
    Participant

    What if you added "domain computers" with read permissions, then removed authenticated users?

    • #77148

      vamsee
      Participant

      I did that too. But still, the prompt appears. this is what I did in the script
      1) Add Read permissions to Domain computers
      2) Remove Apply permissions for Authenticated Users (this is step that causes prompt to appear)
      3) Add Read permissions to Authenticated users.

    • #77154

      Jon
      Participant

      I'd open a case with MS.

    • #77157

      vamsee
      Participant

      Thank you, Jon. I appreciate your help. Please post me when you receive a response. Can you also send me the link to the case (if it can be viewed by the public)?

  • #77167

    Jon
    Participant

    I'm not opening the case, I was suggesting you should.

    • #77173

      vamsee
      Participant

      Sorry I misread your post.
      Yes. I will open a case with MS.

You must be logged in to reply to this topic.