In this blog post, I will show you how to grant users and groups administrative permissions to Active Directory Group policy using PowerShell.
Giving users or groups administrative permissions to a group policy comes with four types of permissions, as shown below:
Apply Permission To a Single Policy
Below, I will create a new GPO and grant a group called Ops users the permissions to link it.
New-Gpo "WSUS Policy" -Verbose
Get-GPO "WSUS Policy" | Set-GPPermission -PermissionLevel GpoApply -TargetName "ops users" -TargetType Group
To check the permissions of the GPO, I will run the following cmdlet.
Get-GPPermission -Name "WSUS Policy" -TargetType Group -All | ft
Apply To All Group Policies
To apply permissions to all the GPOs in the forest, I will run the following code.
Get-GPO -All | Set-GPPermission -PermissionLevel GpoApply -TargetName "ops users" -TargetType Group