August 14, 2013 at 7:33 am #12503
Is there not a simple GPO cmdlet to configure restricted groups?
Or are these the supported solution points:
1) Get SID for each security group
2) Edit the following section of the GPO’s GptTmpl.inf
*S-1-5-21-2289399392-3811498695-2220273245-1319__Memberof = *S-1-5-32-544
Does anyone have such a ps-script for configuring the GPO restricted groups?
Which solution does Microsoft recommend for using restricted groups GPO and PowerShell?
Thanks for any assistance.
August 14, 2013 at 9:56 am #12504
Hey there. Microsoft doesn’t have anything official to do this via PowerShell. My company built our commercial Group Policy Automation Engine (GPAE) http://sdmsoftware.com/group-policy-management-products/group-policy-automation-engine/ to allow automation of GP settings modification via PowerShell, and we handle Restricted Groups as part of that. As you’ve noted, modifying those policies includes updating the gpttmpl.inf file as part of the process, and for just Restricted Groups, you could use PowerShell to get the SID of a group and plug it into that file. The following PowerShell snippet gets the SID for the “Marketing Users” group in the cpandl.com domain:
# Resolve the domain group name to its SID
$objGroup = New-Object System.Security.Principal.NTAccount("cpandl.com","Marketing Users")
$strSID = $objGroup.Translate([System.Security.Principal.SecurityIdentifier])
Hope that helps.
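The two steps discussed in this thread (take the group's SID, then write its `__Memberof` line into GptTmpl.inf), as an added example that is not part of either post and is not SDM Software's code. The function name `Set-RestrictedGroupMemberOf` and the temp-file path are assumptions, and the sample template is constructed so the block runs without a domain.

```powershell
# Added example; the function name and file paths are assumptions.
function Set-RestrictedGroupMemberOf {
    param(
        [Parameter(Mandatory = $true)] [string] $InfPath,     # copy of GptTmpl.inf to edit
        [Parameter(Mandatory = $true)] [string] $GroupSid,    # group being restricted
        [Parameter(Mandatory = $true)] [string] $MemberOfSid  # group it must be a member of
    )
    # Parse both values as SIDs so nothing else can be written into the template.
    foreach ($sid in $GroupSid, $MemberOfSid) {
        [void](New-Object System.Security.Principal.SecurityIdentifier($sid))
    }
    $key   = "*${GroupSid}__Memberof"
    $entry = "$key = *$MemberOfSid"
    $lines = New-Object System.Collections.Generic.List[string]
    foreach ($line in (Get-Content -LiteralPath $InfPath)) { $lines.Add($line) }

    # Locate the [Group Membership] section, creating it when absent.
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim() -eq '[Group Membership]') { $start = $i; break }
    }
    if ($start -lt 0) { $lines.Add('[Group Membership]'); $start = $lines.Count - 1 }

    # Walk the section: replace this group's existing entry, else add one at its end.
    $end = $start + 1
    $found = $false
    while ($end -lt $lines.Count -and -not $lines[$end].TrimStart().StartsWith('[')) {
        if ($lines[$end].Trim().StartsWith($key, [StringComparison]::OrdinalIgnoreCase)) {
            $lines[$end] = $entry
            $found = $true
            break
        }
        $end++
    }
    if (-not $found) { $lines.Insert($end, $entry) }

    # Write the file back as UTF-16 (Unicode).
    Set-Content -LiteralPath $InfPath -Value $lines -Encoding Unicode
}

# Constructed sample: a minimal template in a temp file, with the SIDs quoted in the thread.
$tmp = Join-Path $env:TEMP 'GptTmpl.inf'
Set-Content -LiteralPath $tmp -Encoding Unicode -Value @(
    '[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1')
Set-RestrictedGroupMemberOf -InfPath $tmp `
    -GroupSid 'S-1-5-21-2289399392-3811498695-2220273245-1319' -MemberOfSid 'S-1-5-32-544'
Get-Content -LiteralPath $tmp
```

This only edits the template file; it does not increment the GPO's version number, which clients use to detect that a GPO has changed. Running it twice for the same group replaces the existing entry instead of adding a duplicate.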