Setting GPO security filter with PowerShell Set-GPPermissions cmdlet


Solution 1

As documented on the page you referenced, the command would replace already existing permissions of a group "myGroup". It won't replace permissions for a group "Authenticated Users" with permissions for a group "myGroup". Quoting from Technet:

-Replace <SwitchParameter>

Specifies that the existing permission level for the group or user is removed before the new permission level is set.

You'll have to use Set-GPPermissions to grant permissions to "myGroup" and Set-GPPermissions -TargetName "Authenticated Users" -PermissionLevel None to remove permissions for "Authenticated Users".

Solution 2

I found that it's sufficient to set the Authenticated User permissionlevel to none like this:

Set-GPPermissions -Name "MyGPO" -PermissionLevel None -TargetName "Authenticated Users" -TargetType Group 

That removed the "Authenticated Users" security filter.

Solution 3

I think you should have accepted Ansgar's or user1458620's answer; they're correct. Here is a final solution incorporating the same:

$gpo | Set-GPPermissions -Replace -PermissionLevel None -TargetName 'Authenticated Users' -TargetType group 
$gpo | Set-GPPermissions -PermissionLevel gpoapply -TargetName 'MyGroup' -TargetType group 
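
The two steps from the answers above, wrapped in one function that also reads the result back so the change can be checked. This is an added example, not code from any of the posters; the function name Set-GpoSecurityFilter and its parameters are hypothetical, and it assumes the GroupPolicy module (RSAT) is installed and the trustee is named "Authenticated Users" in the domain's language.

```powershell
#Requires -Modules GroupPolicy

# Added example: Set-GpoSecurityFilter is a hypothetical helper, not a built-in cmdlet.
function Set-GpoSecurityFilter {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $ApplyGroup,
        # Leave "Authenticated Users" with read-only access instead of no access.
        # Read alone does not put a trustee in the security filter, but it keeps
        # the GPO readable by accounts that are not members of $ApplyGroup.
        [switch] $KeepAuthenticatedUsersRead
    )

    $level = if ($KeepAuthenticatedUsersRead) { 'GpoRead' } else { 'None' }
    $action = "Set 'Authenticated Users' to $level and grant GpoApply to '$ApplyGroup'"

    if ($PSCmdlet.ShouldProcess($GpoName, $action)) {
        # -Replace only affects the trustee named in -TargetName, so the default
        # "Authenticated Users" entry has to be changed with its own call.
        # -Replace is what allows the level to be lowered from GpoApply.
        Set-GPPermissions -Name $GpoName -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel $level -Replace | Out-Null

        # Grant Read + Apply Group Policy to the intended group.
        Set-GPPermissions -Name $GpoName -TargetName $ApplyGroup `
            -TargetType Group -PermissionLevel GpoApply | Out-Null
    }

    # Read the ACL back: only trustees with GpoApply appear under
    # "Security Filtering" in the Group Policy Management Console.
    Get-GPPermissions -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission
}

# Example call (GPO and group names are the placeholders used on this page):
#   Set-GpoSecurityFilter -GpoName 'MyGPO' -ApplyGroup 'MyGroup' -KeepAuthenticatedUsersRead
```

After a successful run the returned list should contain only 'MyGroup'; if "Authenticated Users" still appears, the first call did not take effect.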
Author by

user1458620

Updated on June 04, 2022

Comments

  • user1458620 almost 2 years

    According to Microsoft the cmdlet Set-GPPermissions accepts the option "-replace":

    "This ensures that the existing permission level is replaced by the new permission level."

    I import a GPO from PowerShell. After that I want to set the security filters. After importing, before setting the security filter, the Security Filtering of the GPO is "Authenticated Users". Now I want to remove that filter option and replace it with "myGroup". To do so I use the following command:

    Set-GPPermissions -Name "myGPO" -PermissionLevel GpoApply -TargetName "myGroup" -TargetType Group -replace
    

    The results are that there is a new security filter added which references "myGroup", but the Group "Authenticated Users" is not being removed. The Powershell cmdlet is not replacing the filter, it's adding it.

    Hints?

    Thanks in advance!

  • user1458620 over 11 years
    Thanks for the reply, but I still don't get it. There is no command called Remove-GPPermission. Besides I wonder if that's the correct cmdlet since I want to add a security filter, not a permission. Ain't that the opposite?
  • user1458620 over 11 years
    I found that it's sufficient to set the Authenticated User permissionlevel to none like this:

    Set-GPPermissions -Name "MyGPO" -PermissionLevel None -TargetName "Authenticated Users" -TargetType Group

    That was it. Thanks anyway!
  • Ansgar Wiechers over 11 years
    Sorry, I was confused. Indeed there is no cmdlet Remove-GPPermission and you have to use Set-GPPermission -PermissionLevel None to revoke existing permissions. It's now fixed in my answer. My point was that the -Replace option refers to the -TargetName, so using -TargetName "myGroup" -Replace will replace permissions for "myGroup", not for any other existing target.