Give Administrative Group Policy Permissions With PowerShell

In this blog post, I will show you how to grant users and groups administrative permissions to Active Directory Group policy using PowerShell.

Giving users or groups administrative permissions to a group policy comes with four types of permissions, as shown below:

  • GpoRead
  • GpoApply
  • GpoEdit
  • GpoEditDeleteModifySecurity

Apply Permission To a Single Policy

Below, I will create a new GPO and grant a group called Ops users the permissions to link it.

New-Gpo "WSUS Policy" -Verbose
Get-GPO "WSUS Policy" | Set-GPPermission -PermissionLevel GpoApply -TargetName "ops users" -TargetType Group

To check the permissions of the GPO, I will run the following cmdlet.

Get-GPPermission -Name "WSUS Policy" -TargetType Group -All | ft

Apply To All Group Policies

To apply permissions to all the GPOs in the forest, I will run the following code.

Get-GPO -All | Set-GPPermission -PermissionLevel GpoApply -TargetName "ops users" -TargetType Group

Success! You're on the list.