PowerShell set GPO permissions SDDL

[toledotownParticipant]

Hello,

Has anyone set GPO permissions using PowerShell? I am looking to set granular permissions such as the SDDL permissions.

[Darren Mar-EliaKeymaster]

Are you looking to set more granular permissions than the standard permissions exposed in the Set-GPPermission cmdlet?

Darren

[toledotownParticipant]

Hi Darren.

Yes, I am attempting to set the “special” permissions that are exposed when you look at the GPO advanced security options.

So far I have tried the below:

Method 1 – XML Report

$xmlReport = $gpo.GenerateReport('xml')

This command only returns the name of the trustee. Also includes some properties that I am uncertain if pertinent.

Method 2 – ADSI/LDAP object

$GPOACLList = $GPOObjSec.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier])

This method returns the group and the permissions but not in a granular fashion. “FileSystemRights” returned are “FullControl” for ACLs that I know are considered custom/special with granular permissions.

Method 3 – Get-GPPermission

Get-GPPermission $gpoWithAppSpec -all | select -ExpandProperty permission

Returns permissions similar to those available to Set-GPPermission such as “GpoApply”, “GpoEditDeleteModifySecurity”, “GpoRead”. Again, these are not granular permissions.

[Darren Mar-EliaKeymaster]

OK. Yea, that’s not altogether straightforward. You can get the actual SecurityDescriptor using the GPMC COM objects (https://msdn.microsoft.com/en-us/library/aa814216(v=vs.85).aspx). That method returns a COM object of type IADsSecurityDescriptor, which will likely give you the granularity you’re after. The only problem is that it’s not altogether getting access to this from PowerShell.

D

[Author]

Posts