Delegating Permissions to Group Policy Objects using PowerShell

Today I was asked to delegate permissions to a very large set of group policy objects.  My first thought was “ugh!” as I envisioned going through each and every one in the Group Policy Management Console (GPMC).  A moment later my outlook changed when I realized I could just use PowerShell and make the changes in short order.  Here’s how:

First, I need to load the Active Directory and Group Policy modules in PowerShell.  If you don’t have access to these modules then you need to install the Remote Server Administration Tools (RSAT) for Windows 7 w/ Service Pack 1.  The RSAT tools are built into Windows Server 2008 R2 and just need to be activated.  On Windows 7, once installed, you can activate the Active Directory Module as a unique Windows Feature.  The Group Policy Module will be activated when you activate the Group Policy Management Tools feature, which includes the GPMC.  Once you’re past that, loading them is a breeze:

import-module activedirectory

import-module grouppolicy

Second, I need to get the list of Group Policy Objects in question.  I know I have a large number of GPOs, but I’m only interested in a subset.  Fortunately, I know that all the GPOs I’m interested in begin with “SweeneyOps” so I’ll adjust my query to return only GPOs with that prefix.  We get the list of GPOs using the Get-GPO cmdlet, and will dump the resulting set into a variable called $GPOList.

$GPOList = Get-GPO -All | Where-Object { $_.DisplayName -like "SweeneyOps*" }

Now that I have all my GPOs I can iterate through that list to grant permissions to a specific security group, but first I need the group.  For the sake of argument, we’ll call this group “GPO-Admins.”  The Group Policy cmdlet that we’re going to use actually requires that we provide either the domain-qualified name of the security principal (domain\account), or the sAMAccountName of the user, group or computer that we will be granting permissions.  In this case we are granting permissions to a group, and I find it easiest to use the sAMAccountName, so I’ll grab that and place it in a variable called $group.

$group = (Get-ADGroup "GPO-Admins").SamAccountName

Ok, group in tow, we can proceed to the delegation.  To do this, we’re going to use the Set-GPPermissions cmdlet. In this case I just happen to want to grant (nearly) full access to the group, so I’ll use GpoEditDeleteModifySecurity as the value for the PermissionLevel parameter.

$GPOList | ForEach-Object { Set-GPPermissions -Guid $_.Id -TargetName $group -TargetType Group -PermissionLevel GpoEditDeleteModifySecurity }

And we’re done!  This process will differ slightly in each environment of course. You may need to specify a different domain, or server, or you might need to allocate permissions to multiple groups, etc…  The fundamental principle remains the same, however.  Get your GPO(s), get your group(s), select the level of access, and then delegate access using the Set-GPPermissions cmdlet.
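The four steps above, pulled together into one script, as an added example that is not part of the original post. It reads each GPO’s existing entry for the group back with Get-GPPermission before and after the change, so you get a before/after record for a delegation that grants near-full control, and it supports -WhatIf so the selection can be checked before anything is written. The “SweeneyOps*” prefix and the “GPO-Admins” group are the post’s own placeholders; everything else is an assumption of this example.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
<#
  Added example (not the original post's code): delegate a permission level on
  every GPO whose display name matches a prefix, then read the ACL back to
  confirm the result. Prefix and group name are the post's placeholders.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Prefix          = 'SweeneyOps*',
    [string]$GroupName       = 'GPO-Admins',
    [string]$PermissionLevel = 'GpoEditDeleteModifySecurity'
)

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module GroupPolicy     -ErrorAction Stop

# Resolve the group first so a mistyped name fails here, not halfway through the loop.
$trustee = (Get-ADGroup -Identity $GroupName -ErrorAction Stop).SamAccountName

$gpos = Get-GPO -All | Where-Object { $_.DisplayName -like $Prefix }
if (-not $gpos) {
    Write-Warning "No GPOs match '$Prefix'; nothing to delegate."
    return
}

# Get-GPPermission raises an error when the trustee has no explicit entry on the
# GPO; treat that as "None" rather than aborting the run.
function Get-TrusteeLevel([guid]$GpoId, [string]$Name) {
    try {
        (Get-GPPermission -Guid $GpoId -TargetName $Name -TargetType Group -ErrorAction Stop).Permission
    } catch {
        'None'
    }
}

foreach ($gpo in $gpos) {
    $before = Get-TrusteeLevel -GpoId $gpo.Id -Name $trustee

    # Set-GPPermission is the cmdlet's name; Set-GPPermissions, as used in the post,
    # is an alias for it. Without -Replace an existing higher level is left alone.
    if ($PSCmdlet.ShouldProcess($gpo.DisplayName, "Grant $PermissionLevel to $trustee")) {
        Set-GPPermission -Guid $gpo.Id -TargetName $trustee -TargetType Group `
            -PermissionLevel $PermissionLevel | Out-Null
    }

    $after = Get-TrusteeLevel -GpoId $gpo.Id -Name $trustee

    # One row per GPO; pipe the script to Export-Csv to keep it as a change record.
    [pscustomobject]@{
        GPO     = $gpo.DisplayName
        Id      = $gpo.Id
        Trustee = $trustee
        Before  = $before
        After   = $after
        Changed = ($before -ne $after)
    }
}
```

Run it once with -WhatIf to see which GPOs the prefix actually selects; the Before column is the quickest way to spot GPOs where the group was already delegated (or already held something higher), and After confirms the cmdlet wrote what you asked for. Add -Server or -DomainName to the Get-GPO, Get-GPPermission and Set-GPPermission calls if the GPOs live in a different domain from the one you are logged into.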
