Setting GPO security filter with powershell Set-GPPermissions cmdlet
Solution 1
As documented on the page you referenced, the command would replace already existing permissions of a group "myGroup". It won't replace permissions for a group "Authenticated Users" with permissions for a group "myGroup". Quoting from Technet:
-Replace <SwitchParameter>
Specifies that the existing permission level for the group or user is removed before the new permission level is set.
You'll have to use Set-GPPermissions to grant permissions to "myGroup" and Set-GPPermissions -TargetName "Authenticated Users" -PermissionLevel None to remove permissions for "Authenticated Users".
Solution 2
I found that it's sufficient to set the Authenticated User permissionlevel to none like this:
Set-GPPermissions -Name "MyGPO" -PermissionLevel None -TargetName "Authenticated Users" -TargetType Group
That removed the "Authenticated Users" security filter.
Solution 3
I think you should have accepted Ansgar's or user1458620's answer; they're correct. Here is a final solution incorporating the same:
$gpo | Set-GPPermissions -Replace -PermissionLevel None -TargetName 'Authenticated Users' -TargetType group
$gpo | Set-GPPermissions -PermissionLevel gpoapply -TargetName 'MyGroup' -TargetType group
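The two-step change from the answers above, combined with a read-back check of the resulting ACL, as an added example that is not part of the original answers. The function name Set-GpoSecurityFilter, its parameters, and the GPO and group names are hypothetical; it assumes the GroupPolicy module is installed and that the group name is passed without a domain prefix.

```powershell
# Added example. 'MyGPO' and 'MyGroup' in the usage line are placeholders.
# Requires the GroupPolicy module (GPMC / RSAT).
Import-Module GroupPolicy

function Set-GpoSecurityFilter {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        # Assumption: plain group name, no DOMAIN\ prefix (compared to Trustee.Name).
        [Parameter(Mandatory)] [string] $GroupName,
        # None   : drop Authenticated Users from the GPO, as in the answers above.
        # GpoRead: keep read access without apply. Since the MS16-072 update user
        #          policy is fetched in the computer's context, so some computer
        #          principal must still be able to read the GPO.
        [ValidateSet('None', 'GpoRead')] [string] $AuthenticatedUsersLevel = 'None'
    )

    if ($PSCmdlet.ShouldProcess($GpoName, "Restrict security filtering to '$GroupName'")) {
        # Grant first, so the GPO is never left with no apply target.
        Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
            -PermissionLevel GpoApply | Out-Null

        # -Replace only affects the trustee named in -TargetName; it is what
        # allows an existing, higher level (GpoApply) to be lowered.
        Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel $AuthenticatedUsersLevel -Replace | Out-Null
    }

    # Read the ACL back and report every trustee the GPO still applies to.
    $acl        = Get-GPPermission -Name $GpoName -All
    $applyTo    = @($acl | Where-Object { $_.Permission -eq 'GpoApply' } |
                    ForEach-Object { $_.Trustee.Name })
    $unexpected = @($applyTo | Where-Object { $_ -ne $GroupName })
    if ($unexpected.Count -gt 0) {
        Write-Warning "GPO '$GpoName' still applies to: $($unexpected -join ', ')"
    }

    [pscustomobject]@{
        Gpo           = $GpoName
        AppliesTo     = $applyTo
        FilterIsClean = ($applyTo -contains $GroupName -and $unexpected.Count -eq 0)
    }
}

# Usage (placeholder names); -WhatIf skips the changes but still reports the ACL:
# Set-GpoSecurityFilter -GpoName 'MyGPO' -GroupName 'MyGroup' -AuthenticatedUsersLevel GpoRead -WhatIf
```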
user1458620
Updated on June 04, 2022
Comments
-
user1458620 almost 2 years
According to Microsoft the cmdlet Set-GPPermissions accepts the option "-replace":
"This ensures that the existing permission level is replaced by the new permission level."
I import a GPO from PowerShell. After that I want to set the security filters. After importing, before setting the security filter, the Security Filtering of the GPO is "Authenticated Users". Now I want to remove that filter option and replace it with "myGroup". To do so I use the following command:
Set-GPPermissions -Name "myGPO" -PermissionLevel GpoApply -TargetName "myGroup" -TargetType Group -replace
The results are that there is a new security filter added which references "myGroup", but the Group "Authenticated Users" is not being removed. The Powershell cmdlet is not replacing the filter, it's adding it.
Hints?
Thanks in advance!
-
user1458620 over 11 years
Thanks for the reply, but I still don't get it. There is no command called Remove-GPPermission. Besides I wonder if that's the correct cmdlet since I want to add a security filter, not a permission. Ain't that the opposite?
-
user1458620 over 11 years
I found that it's sufficient to set the Authenticated User permissionlevel to none like this:
Set-GPPermissions -Name "MyGPO" -PermissionLevel None -TargetName "Authenticated Users" -TargetType Group
That was it. Thanks anyway!
-
Ansgar Wiechers over 11 years
Sorry, I was confused. Indeed there is no cmdlet Remove-GPPermission and you have to use Set-GPPermission -PermissionLevel None to revoke existing permissions. It's now fixed in my answer. My point was that the -Replace option refers to the -TargetName, so using -TargetName "myGroup" -Replace will replace permissions for "myGroup", not for any other existing target.