Set-GPPermissions always prompting

Welcome Forums General PowerShell Q&A Set-GPPermissions always prompting

This topic contains 10 replies, has 3 voices, and was last updated by

 
Participant
1 year, 9 months ago.

  • Author
    Posts
  • #76960

    Participant
    Topics: 11
    Replies: 16
    Points: 0
    Rank: Member

    Does anyone know how to bypass the Set-GPPermissions prompt? I have an automated script that removes 'Authenticated Users' from the security filtering and I couldn´t find a way to bypass it.
    I tried the following without any success
    -Confirm:$false
    piped the command to out-null
    caught the return value of the command into another variable
    Final command looks like this

    $ret=Set-GPPermissions -Name "testgpo" -TargetName "AUTHENTICATED USERS" -TargetType "Group" -PermissionLevel None -ErrorAction SilentlyContinue -Confirm:$false | out-null

    And i still receive the following prompt

    Group Policy requires each computer account to have permission to read GPO data from domain controller in order for User Group Policy Settings to be successfully applied. Removing the Authenticated Users group may prevent processing of User Group policies. For more information, please see https://go.microsoft.com/fwlink/?linkid=843010
    Do you want to continue?
    [Y] Yes [N] No Suspend [?] Help (Default is "Y"):

    Also, note that there is no -force option in this command..
    I know after kb3163622 all computers must have read access to user GPOs, and I will be using another security group to this GPO above, so just wanted to avoid that prompt confirmation. Anyways in the next command in the script i am anyways adding READ permission for "Authenticated Users"

    There is another link about this topic but no one seems to have a solution. The link can be found here: https://social.technet.microsoft.com/Forums/en-US/a9d12558-3dbe-4f29-9268-c682fcc48596/setgppermissions-always-prompting?forum=winserverpowershell

  • #77109

    Keymaster
    Topics: 13
    Replies: 4872
    Points: 1,811
    Helping HandTeam Member
    Rank: Community Hero

    I wouldn't expect Out-Null to work; the prompt isn't part of the command's output. Nor is this a PowerShell confirmation prompt, so I wouldn't expect -confirm:$false to do anything. This is a prompt being generated internally by the command.

    I'm not seeing a response to your posts on TechNet or UserVoice, so perhaps other folks aren't running into this? That would make me suspect that it's something in your environment which is triggering the prompt inside the command, and that the team who wrote the command hasn't provided a way to suppress it. The most you could do, in that case, is open a bug report with Microsoft Product Support.

    • #77142

      Participant
      Topics: 11
      Replies: 16
      Points: 0
      Rank: Member

      Regarding your statement "I'm not seeing a response to your posts on TechNet or UserVoice, so perhaps other folks aren't running into this? "

      I think everyone can reproduce this issue provided they have the 2016 OS with the latest updates. I observed that this issue was not present in an older 2016 OS version. After that, I used another 2016 OS version that had 2 more critical updates (KB402384, KB402273). It is in this OS version that I am seeing the issue of prompts.
      Inorder to isolate which of the 2 updates was causing this I tried to uninstall one of the updates but unfortunately, I could not uninstall them as they are critical updates.

      -vamsee

  • #77134
    Jon

    Participant
    Topics: 13
    Replies: 219
    Points: 90
    Rank: Member

    Try adding the read permissions first.

    • #77140

      Participant
      Topics: 11
      Replies: 16
      Points: 0
      Rank: Member

      Read permission is already present before I attempt a remove of Apply permissions.
      The way it works is that when Read permission is implicitly given when you give the Apply permission. Since the GPO was created with Apply permissions for Authenticated Users, it also had the Read permissions for Authenticated Users.

      When we remove the Apply permission, following the rule above, it also implicitly takes out Read permissions for the user. Hence the cause of the prompt. That's why my script has the next statement to give explicit Read permissions after removing Apply permissions.

  • #77146
    Jon

    Participant
    Topics: 13
    Replies: 219
    Points: 90
    Rank: Member

    What if you added "domain computers" with read permissions, then removed authenticated users?

    • #77148

      Participant
      Topics: 11
      Replies: 16
      Points: 0
      Rank: Member

      I did that too. But still, the prompt appears. this is what I did in the script
      1) Add Read permissions to Domain computers
      2) Remove Apply permissions for Authenticated Users (this is step that causes prompt to appear)
      3) Add Read permissions to Authenticated users.

    • #77154
      Jon

      Participant
      Topics: 13
      Replies: 219
      Points: 90
      Rank: Member

      I'd open a case with MS.

    • #77157

      Participant
      Topics: 11
      Replies: 16
      Points: 0
      Rank: Member

      Thank you, Jon. I appreciate your help. Please post me when you receive a response. Can you also send me the link to the case (if it can be viewed by the public)?

  • #77167
    Jon

    Participant
    Topics: 13
    Replies: 219
    Points: 90
    Rank: Member

    I'm not opening the case, I was suggesting you should.

    • #77173

      Participant
      Topics: 11
      Replies: 16
      Points: 0
      Rank: Member

      Sorry I misread your post.
      Yes. I will open a case with MS.

The topic ‘Set-GPPermissions always prompting’ is closed to new replies.

denizli escort samsun escort muğla escort ataşehir escort kuşadası escort