June 8, 2017 at 12:15 pm #13920June 8, 2017 at 1:56 pm #13922
Are you looking to set more granular permissions than the standard permissions exposed in the Set-GPPermission cmdlet?
DarrenJune 9, 2017 at 5:58 am #13923
Yes, I am attempting to set the “special” permissions that are exposed when you look at the GPO advanced security options.
So far I have tried the below:
Method 1 – XML Report
$xmlReport = $gpo.GenerateReport('xml')
This command only returns the name of the trustee. Also includes some properties that I am uncertain if pertinent.
Method 2 – ADSI/LDAP object
$GPOACLList = $GPOObjSec.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
This method returns the group and the permissions but not in a granular fashion. “FileSystemRights” returned are “FullControl” for ACLs that I know are considered custom/special with granular permissions.
Method 3 – Get-GPPermission
Get-GPPermission $gpoWithAppSpec -all | select -ExpandProperty permission
Returns permissions similar to those available to Set-GPPermission such as “GpoApply”, “GpoEditDeleteModifySecurity”, “GpoRead”. Again, these are not granular permissions.June 9, 2017 at 10:20 am #13924
OK. Yea, that’s not altogether straightforward. You can get the actual SecurityDescriptor using the GPMC COM objects (https://msdn.microsoft.com/en-us/library/aa814216(v=vs.85).aspx). That method returns a COM object of type IADsSecurityDescriptor, which will likely give you the granularity you’re after. The only problem is that it’s not altogether getting access to this from PowerShell.
You must be logged in to reply to this topic.
- Quirks in Restricted Groups Policy on AD Groups
- Understanding the Registry Policy Archive File
- Hijacking Administrative Templates
- What Does Group Policy Do When It Can’t Contact a DC?
- Sending GPOs Down the Wrong Track–Redirecting the GPT