Friday, March 6, 2015

Set delegation rights on a specified GPO or all GPOs in your domain using PowerShell

First, import the GroupPolicy module in PowerShell so that its cmdlets are available. This can be done with the following command:

import-module grouppolicy

Now you can use the following cmdlets to ease the Group Policy permission administration.
  • Get-GPPermissions (used to query permissions on GPOs)
  • Set-GPPermissions (used to apply permissions on GPOs)

In Windows Server 2012 the cmdlets are named without the trailing "s", for example "Get-GPPermission", but the old names also work because Microsoft created aliases for them.


Here are some examples of setting permissions on GPOs.

This command sets the permission level for the "Test Users" security group to GpoRead for the GPO named "TestGPO1".

Set-GPPermissions -Name TestGPO1 -TargetName "Test Users" -TargetType Group -PermissionLevel GpoRead  


The following command sets the permission level for the "Sample GPO Read Access" security group to GpoRead on all GPOs in the domain.

Set-GPPermissions -All -TargetName "Sample GPO Read Access" -TargetType Group -PermissionLevel GpoRead


The following command sets the permission level for the "Sample GPO Edit Access" security group to GpoEdit on all GPOs in the domain.

Set-GPPermissions -All -TargetName "Sample GPO Edit Access" -TargetType Group -PermissionLevel GpoEdit



To verify that the commands worked, you can use the "Get-GPPermissions" cmdlet. The following sample checks whether the first Set-GPPermissions command worked:

Get-GPPermissions -Name TestGPO1 -TargetName "Test Users" -TargetType Group

The console will show the following output:
-------------------------------------------
Trustee         : Test Users
TrusteeType     : Group
PermissionLevel : GpoRead
Inherited       : False
--------------------------------------------
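
The check above covers one GPO and one group. The following added example (not part of the original post) extends it to the two -All commands: it reports every GPO where "Sample GPO Read Access" or "Sample GPO Edit Access" does not hold the expected level, and lists every trustee that can edit a GPO so the list can be reviewed. It assumes PowerShell 3.0 or later and reads the level from the Permission property of the objects Get-GPPermissions returns.

```powershell
Import-Module GroupPolicy

# Expected delegations: group names and levels taken from the commands above.
$expected = @{
    'Sample GPO Read Access' = 'GpoRead'
    'Sample GPO Edit Access' = 'GpoEdit'
}
# Permission levels that let a trustee change a GPO's settings.
$writeLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'

# Flatten every permission entry of every GPO in the domain into one table.
$entries = foreach ($gpo in Get-GPO -All) {
    foreach ($perm in Get-GPPermissions -Guid $gpo.Id -All) {
        [pscustomobject]@{
            Gpo        = $gpo.DisplayName
            Trustee    = $perm.Trustee.Name
            Permission = [string]$perm.Permission
            Inherited  = $perm.Inherited
        }
    }
}

# 1. GPOs where an expected group does not hold the expected level.
$gpoNames = $entries | Select-Object -ExpandProperty Gpo -Unique
$missing = foreach ($gpoName in $gpoNames) {
    foreach ($group in $expected.Keys) {
        $hit = $entries | Where-Object {
            $_.Gpo -eq $gpoName -and $_.Trustee -eq $group -and
            $_.Permission -eq $expected[$group]
        }
        if (-not $hit) {
            [pscustomobject]@{
                Gpo      = $gpoName
                Trustee  = $group
                Expected = $expected[$group]
            }
        }
    }
}

# 2. Every trustee with edit rights, for review against the intended admins.
$writers = $entries |
    Where-Object { $writeLevels -contains $_.Permission } |
    Sort-Object Gpo, Trustee

'Missing expected delegations:'; $missing | Format-Table -AutoSize
'Trustees with edit rights:';    $writers | Format-Table -AutoSize
```

A group can show up as "missing" because it already held a higher level: Set-GPPermissions does not lower an existing permission unless the -Replace switch is used.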
