This topic contains 3 replies, has 2 voices, and was last updated by Darren Mar-Elia 2 years, 6 months ago.
June 8, 2017 at 12:15 pm #13920
Hello,
Has anyone set GPO permissions using PowerShell? I am looking to set granular permissions such as the SDDL permissions.
June 8, 2017 at 1:56 pm #13922
Are you looking to set more granular permissions than the standard permissions exposed in the Set-GPPermission cmdlet?
Darren
June 9, 2017 at 5:58 am #13923
Hi Darren.
Yes, I am attempting to set the “special” permissions that are exposed when you look at the GPO advanced security options.
So far I have tried the below:
Method 1 – XML Report
# $gpo is a GPO object returned by Get-GPO (GroupPolicy module)
$xmlReport = $gpo.GenerateReport('xml')
This command only returns the name of the trustee. It also includes some properties that I am uncertain are pertinent.
Method 2 – ADSI/LDAP object
# $GPOObjSec is the security descriptor object obtained for the GPO via ADSI/LDAP
$GPOACLList = $GPOObjSec.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])
This method returns the group and the permissions, but not in a granular fashion. “FileSystemRights” returned are “FullControl” for ACLs that I know are considered custom/special with granular permissions.
Method 3 – Get-GPPermission
# $gpoWithAppSpec is the GPO being examined
Get-GPPermission $gpoWithAppSpec -All | select -ExpandProperty permission
Returns permissions similar to those available to Set-GPPermission, such as “GpoApply”, “GpoEditDeleteModifySecurity”, and “GpoRead”. Again, these are not granular permissions.
June 9, 2017 at 10:20 am #13924
OK. Yeah, that’s not altogether straightforward. You can get the actual SecurityDescriptor using the GPMC COM objects (https://msdn.microsoft.com/en-us/library/aa814216(v=vs.85).aspx). That method returns a COM object of type IADsSecurityDescriptor, which will likely give you the granularity you’re after. The only problem is that getting access to this from PowerShell is not altogether straightforward.
D
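The GPMC COM route Darren describes, worked through in PowerShell as an added example that is not code from the thread or from GPMC's documentation. It reads the GPO's DACL through IGPMGPO.GetSecurityDescriptor and decodes each ACE's raw access mask (the "special permissions" detail that Get-GPPermission collapses into GpoApply/GpoRead), and goes one step further than the post by also writing an ACE back with SetSecurityDescriptor. Assumptions: GPMC is installed (ProgIDs GPMgmt.GPM and AccessControlEntry are registered), the caller can read and modify the GPO, the domain name and trustee names are placeholders, the GUID is the well-known Default Domain Policy used read-only, and the numeric flag values are taken from the Windows SDK headers since IGPMConstants does not expose them. Enumerating the COM DACL with foreach relies on PowerShell's COM adapter supporting the collection's enumerator.

```powershell
# Added example (not from this thread): read and write granular GPO ACEs through the GPMC
# COM API (IGPMGPO.GetSecurityDescriptor / SetSecurityDescriptor -> IADsSecurityDescriptor).
# Assumptions: GPMC installed, caller may read/modify the GPO, domain name is a placeholder,
# GUID is the well-known Default Domain Policy GUID (read-only use below).
$DomainName = 'corp.example.com'                          # placeholder: replace with your domain
$GpoGuid    = '{31B2F340-016D-11D2-945F-00C04FB984F9}'    # Default Domain Policy

# Constants from the Windows SDK (winnt.h / iads.h); IGPMConstants does not expose these.
$DACL_SECURITY_INFORMATION         = 4   # lFlags: operate on the DACL only
$ADS_ACETYPE_ACCESS_ALLOWED        = 0
$ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5   # object-specific ACE, required for extended rights
$ADS_FLAG_OBJECT_TYPE_PRESENT      = 1
$ADS_ACEFLAG_INHERIT_ACE           = 2   # CONTAINER_INHERIT, which GPMC sets on GPO ACEs
$ApplyGroupPolicyRightGuid = 'edacfd8f-ffb3-11d1-b41d-00a0c968f939'  # "Apply Group Policy" extended right

$gpm       = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()
$domain    = $gpm.GetDomain($DomainName, '', $constants.UseAnyDC)
$gpo       = $domain.GetGPO($GpoGuid)                     # IGPMGPO

function Get-GpoDacl {
    # Enumerates every ACE in the GPO's DACL with the raw access mask decoded: the
    # granularity the "special permissions" view shows and Get-GPPermission collapses.
    param([Parameter(Mandatory)] $Gpo)
    $sd = $Gpo.GetSecurityDescriptor($DACL_SECURITY_INFORMATION)    # IADsSecurityDescriptor
    foreach ($ace in $sd.DiscretionaryAcl) {                          # IADsAccessControlEntry
        $objType = ($ace.ObjectType -replace '[{}]', '')              # GUID with or without braces
        [pscustomobject]@{
            Trustee    = $ace.Trustee
            AceType    = $ace.AceType              # 0/1 = allow/deny, 5/6 = object allow/deny
            AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
            Rights     = [System.DirectoryServices.ActiveDirectoryRights]$ace.AccessMask
            AceFlags   = $ace.AceFlags
            ObjectType = $objType
            IsApplyGpo = ($objType -eq $ApplyGroupPolicyRightGuid)
        }
    }
}

function Add-GpoAce {
    # Appends one ACE to the DACL and writes the descriptor back through GPMC. Pass an
    # extended-right or attribute GUID in -ObjectTypeGuid to build an object-specific ACE.
    param(
        [Parameter(Mandatory)] $Gpo,
        [Parameter(Mandatory)] [string] $Trustee,      # 'DOMAIN\Group' form
        [Parameter(Mandatory)] [int]    $AccessMask,   # raw mask, e.g. [int][ActiveDirectoryRights]::GenericRead
        [string] $ObjectTypeGuid,
        [int]    $AceFlags = $ADS_ACEFLAG_INHERIT_ACE
    )
    $sd   = $Gpo.GetSecurityDescriptor($DACL_SECURITY_INFORMATION)
    $dacl = $sd.DiscretionaryAcl
    $ace  = New-Object -ComObject AccessControlEntry               # ADSI AccessControlEntry object
    $ace.Trustee    = $Trustee
    $ace.AccessMask = $AccessMask
    $ace.AceFlags   = $AceFlags
    if ($ObjectTypeGuid) {
        $ace.AceType    = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
        $ace.Flags      = $ADS_FLAG_OBJECT_TYPE_PRESENT
        $ace.ObjectType = '{' + ($ObjectTypeGuid -replace '[{}]', '') + '}'
    } else {
        $ace.AceType    = $ADS_ACETYPE_ACCESS_ALLOWED
    }
    $dacl.AddAce($ace)
    $sd.DiscretionaryAcl = $dacl
    $Gpo.SetSecurityDescriptor($DACL_SECURITY_INFORMATION, $sd)
}

# Read-only: list the granular ACEs (compare with Get-GPPermission's coarse GpoApply/GpoRead).
Get-GpoDacl -Gpo $gpo | Format-Table Trustee, Rights, AceFlags, IsApplyGpo -AutoSize

# Write path, deliberately commented out. GPMC's "Apply" permission is really two ACEs:
# a read ACE (LCRPLORC in SDDL, i.e. GenericRead) plus an object ACE granting the
# "Apply Group Policy" extended right. Replace the placeholder trustee before running.
# $rights = [System.DirectoryServices.ActiveDirectoryRights]
# Add-GpoAce -Gpo $gpo -Trustee 'CORP\GPO-Targets' -AccessMask ([int]$rights::GenericRead)
# Add-GpoAce -Gpo $gpo -Trustee 'CORP\GPO-Targets' -AccessMask ([int]$rights::ExtendedRight) -ObjectTypeGuid $ApplyGroupPolicyRightGuid
```

After any write, open the GPO in GPMC or compare the ACL on its SYSVOL folder against the AD container: GPMC keeps the two in sync when it performs the write, and a mismatch is what triggers its "permissions on this GPO are inconsistent" warning, so that is the check that confirms the descriptor landed in both places.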