Edit group policies

I have many group policies. I want to find a setting in all my GPOs and then edit the same setting in all the GPOs using PowerShell.

Specifically, I have Restricted Group settings defined in multiple GPOs. I want to find all the policies with restricted group settings defined which have the group "Account Operators" added as MemberOf and remove this group from MemberOf. If there are other groups added to the MemberOf apart from "Account Operators", I want to leave them as they are and only remove the "Account Operators" group. So far I have something like this:

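Get-GPO -All | ForEach-Object {
    [xml]$xml = $_ | Get-GPOReport -ReportType Xml   # settings report for this GPO
    # -like with no wildcards only matches the exact string "Account"
    if ($xml.GPO.Computer.ExtensionData.Extension.RestrictedGroups.MemberOf.Name.'#text' -like "Account") { $_.DisplayName }
}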



Where are you trying to do this?

Remember that if you have many DCs / BDCs, this will just be set back to where it was on the normal replication schedule. So, unless you force replication on this change, you end up in a catch-22.

Unless you are saying you are doing this on the PDC, potentially.

Anyway, I'd suggest replacing -like 'Account' with -match 'Account', then just use the Remove-ADGroupMember cmdlet to deal with that last part.

OK, I took back the latter part of my response, but you specifically said you want to remove the group, hence my original response. So, you are just trying to truncate the entry from the policy / the XML file.

Use the XML cmdlets to find the node you need to hit and replace the entry string.

Removing XML Elements using PowerShell

This is not an AD group. This is a group policy setting. It would not be as simple as running the Remove-ADGroupMember command.

I think we would first need to update the XML file, remove "Account Operators" from the MemberOf in the XML file, and import the XML file back to that particular GPO. However, I am not sure how to do this.

Can anyone help with this?

I would appreciate any assistance with the above requirement.

Any ideas on this issue?
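
An added example (not code from any poster in this thread): a read-only audit that lists each Restricted Groups entry in a GPO report whose MemberOf contains Account Operators, together with the MemberOf entries to keep. The function name, the sample XML and the EXAMPLE\ group names are constructed for illustration, and it goes slightly beyond the thread by matching the whole group name rather than a substring.

```powershell
# Constructed sample shaped like the Restricted Groups part of a Get-GPOReport XML report.
$sampleReport = [xml]@'
<GPO><Name>Constructed-Server-Baseline</Name><Computer><ExtensionData><Extension>
  <RestrictedGroups>
    <GroupName><Name>EXAMPLE\Helpdesk</Name></GroupName>
    <Memberof><Name>BUILTIN\Account Operators</Name></Memberof>
    <Memberof><Name>BUILTIN\Remote Desktop Users</Name></Memberof>
  </RestrictedGroups>
  <RestrictedGroups>
    <GroupName><Name>EXAMPLE\Finance</Name></GroupName>
    <Memberof><Name>EXAMPLE\Account Managers</Name></Memberof>
  </RestrictedGroups>
</Extension></ExtensionData></Computer></GPO>
'@

function Find-RestrictedGroupMemberOf {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][xml]$Report,
        [string]$Target = 'Account Operators'
    )
    # Text of a node's <Name> child; element names are compared case-insensitively.
    $nameOf = {
        param($node)
        $n = $node.ChildNodes | Where-Object { $_.LocalName -ieq 'Name' } | Select-Object -First 1
        if ($n) { $n.InnerText.Trim() }
    }
    # local-name() ignores whatever namespace prefix the report puts on the element.
    foreach ($rg in $Report.SelectNodes("//*[local-name()='RestrictedGroups']")) {
        $memberOf = @($rg.ChildNodes | Where-Object { $_.LocalName -ieq 'MemberOf' } |
            ForEach-Object { & $nameOf $_ })
        # Match the whole group name (with or without a DOMAIN\ prefix), so an entry
        # such as "Account Managers" in the sample is not reported.
        $hits = @($memberOf | Where-Object { ($_ -split '\\')[-1] -ieq $Target })
        if ($hits.Count -eq 0) { continue }
        $group = $rg.ChildNodes | Where-Object { $_.LocalName -ieq 'GroupName' } | Select-Object -First 1
        [pscustomobject]@{
            GPO    = $Report.GPO.Name
            Group  = & $nameOf $group
            Remove = $hits
            Keep   = @($memberOf | Where-Object { $hits -notcontains $_ })
        }
    }
}

Find-RestrictedGroupMemberOf -Report $sampleReport
# Against a live domain (needs the GroupPolicy module):
# Get-GPO -All | ForEach-Object { Find-RestrictedGroupMemberOf -Report ([xml](Get-GPOReport -Guid $_.Id -ReportType Xml)) }
```

Get-GPOReport output is a report only, so this identifies what to change; the Restricted Groups setting itself is stored in each GPO's GptTmpl.inf in SYSVOL, under [Group Membership].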