Give Administrative Group Policy Permissions With PowerShell

In this blog post, I will show you how to grant users and groups administrative permissions to Active Directory Group policy using PowerShell.

Giving users or groups administrative permissions to a group policy comes with four types of permissions, as shown below:

  • GpoRead
  • GpoApply
  • GpoEdit
  • GpoEditDeleteModifySecurity

Apply Permission To a Single Policy

Below, I will create a new GPO and grant a group called Ops users the permissions to link it.

New-Gpo "WSUS Policy" -Verbose
Get-GPO "WSUS Policy" | Set-GPPermission -PermissionLevel GpoApply -TargetName "ops users" -TargetType Group

To check the permissions of the GPO, I will run the following cmdlet.

Get-GPPermission -Name "WSUS Policy" -TargetType Group -All | ft

Apply To All Group Policies

To apply permissions to all the GPOs in the forest, I will run the following code.

Get-GPO -All | Set-GPPermission -PermissionLevel GpoApply -TargetName "ops users" -TargetType Group

By clicking submit, you agree to share your email address with the site owner and Mailchimp to receive marketing, updates, and other emails from the site owner. Use the unsubscribe link in those emails to opt out at any time.

Processing…
Success! You're on the list.

Posted

in

,

by

NTW – Content Network