How can I add a User to a long list of GPOs’ Restricted Users BUILTIN\Administrators node of the GPO? I searched Get-Command “GroupPolicy” but I’m not seeing any cmdlet addressing this request.
You’ll need the Group Policy cmdlets installed to be able to do anything GPO related with PowerShell.
https://technet.microsoft.com/en-us/library/ee461027.aspx
Not sure that in itself is enough to do what you are looking to do, but if you go over the cmdlets and their examples you might find that specific entry.
Those cmdlets are in the RSAT, and their prefix is “GP.” E.g…
Get-Command -noun gp*
None of those cmdlets help with adding a User to said GPOs’ Restricted Groups.
PS C:\> Get-Command -noun gp*
CommandType     Name                          Version    Source
-----------     ----                          -------    ------
Alias           Get-GPPermissions             1.0.0.0    GroupPolicy
Alias           Set-GPPermissions             1.0.0.0    GroupPolicy
Cmdlet          Backup-GPO                    1.0.0.0    GroupPolicy
Cmdlet          Block-GPInheritance           1.0.0.0    GroupPolicy
Cmdlet          Copy-GPO                      1.0.0.0    GroupPolicy
Cmdlet          Get-GPInheritance             1.0.0.0    GroupPolicy
Cmdlet          Get-GPO                       1.0.0.0    GroupPolicy
Cmdlet          Get-GPOReport                 1.0.0.0    GroupPolicy
Cmdlet          Get-GPPermission              1.0.0.0    GroupPolicy
Cmdlet          Get-GPPrefRegistryValue       1.0.0.0    GroupPolicy
Cmdlet          Get-GPRegistryValue           1.0.0.0    GroupPolicy
Cmdlet          Get-GPResultantSetOfPolicy    1.0.0.0    GroupPolicy
Cmdlet          Get-GPStarterGPO              1.0.0.0    GroupPolicy
Cmdlet          Import-GPO                    1.0.0.0    GroupPolicy
Cmdlet          Invoke-GPUpdate               1.0.0.0    GroupPolicy
Cmdlet          New-GPLink                    1.0.0.0    GroupPolicy
Cmdlet          New-GPO                       1.0.0.0    GroupPolicy
Cmdlet          New-GPStarterGPO              1.0.0.0    GroupPolicy
Cmdlet          Remove-GPLink                 1.0.0.0    GroupPolicy
Cmdlet          Remove-GPO                    1.0.0.0    GroupPolicy
Cmdlet          Remove-GPPrefRegistryValue    1.0.0.0    GroupPolicy
Cmdlet          Remove-GPRegistryValue        1.0.0.0    GroupPolicy
Cmdlet          Rename-GPO                    1.0.0.0    GroupPolicy
Cmdlet          Restore-GPO                   1.0.0.0    GroupPolicy
Cmdlet          Set-GPInheritance             1.0.0.0    GroupPolicy
Cmdlet          Set-GPLink                    1.0.0.0    GroupPolicy
Cmdlet          Set-GPPermission              1.0.0.0    GroupPolicy
Cmdlet          Set-GPPrefRegistryValue       1.0.0.0    GroupPolicy
Cmdlet          Set-GPRegistryValue           1.0.0.0    GroupPolicy
PS C:\> get-help Set-GPPermission
Name                 Category  Module       Synopsis
----                 --------  ------       --------
Get-GPInheritance    Cmdlet    GroupPolicy  Retrieves Group Policy inheritance information for ...
New-GPLink           Cmdlet    GroupPolicy  Links a GPO to a site, domain, or organizational un...
New-GPO              Cmdlet    GroupPolicy  Creates a new GPO.
Since the Group Policy cmdlets don’t allow this, is there a way to leverage another set of cmdlets to do this task? I have way too many GPOs to do this manually.
As you’ll need to work on the INF file, this might help:
https://sdmsoftware.com/forums/topic/powershell-gpo-cmdlet-to-configure-restricted-groups/
Also try the following:
http://powershell.com/cs/forums/t/13812.aspx
The links in it might give more info.
Arie,
SDM looks promising. Have requested pricing info as it’s based on # of GPOs and we have 500+ to have this operation performed against…they have written their own cmdlets to do the task:
$gpo = get-sdmgpobject -gpoName "gpo://cpandl.com/GPAE Demo" -openbyName
$container = $gpo.GetObject("Computer Configuration/Windows Settings/Security Settings/Restricted Groups");
$setting = $container.Settings.AddNew("Administrators")
$members = [System.Collections.ArrayList]$setting.GetEx("Members")
$members.Add("CPANDL\GPO Admins")
$setting.PutEx([GPOSDK.PropOp]"PROPERTY_UPDATE", "Members", $members)
$setting.Save()
Thank you…
Yes they did; nevertheless, you can follow Darren’s reply and build something yourself.
It’s an INF file manipulation with SIDs of groups/users that you can get by other means.
Not saying buying their solution is a bad thing, but as you noted they based their prices on per GPO object,
so I would definitely start with writing your own code and see how it works from there.
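The INF edit described in this thread, as an added example that is not from any poster or from SDM: a text transform that adds a SID to the `*S-1-5-32-544__Members` line in the `[Group Membership]` section of a GPO's `GptTmpl.inf`. The function name, the sample INF and the SIDs are constructed for illustration; it works on lines in memory and touches no GPO.

```powershell
# Added example: pure text transform on GptTmpl.inf lines; no domain access needed.
function Add-RestrictedGroupMember {
    param(
        [string[]]$InfLines,                       # current GptTmpl.inf content
        [Parameter(Mandatory)][string]$MemberSid,  # SID of the account to add
        [string]$GroupSid = 'S-1-5-32-544'         # BUILTIN\Administrators
    )
    if ($MemberSid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID: $MemberSid" }
    $key   = "*${GroupSid}__Members"
    $entry = "*$MemberSid"
    $lines = [System.Collections.Generic.List[string]]::new()
    if ($InfLines) { $lines.AddRange($InfLines) }

    # Find the [Group Membership] section; create it if the GPO has none yet.
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim() -ieq '[Group Membership]') { $start = $i; break }
    }
    if ($start -lt 0) { $lines.Add('[Group Membership]'); $start = $lines.Count - 1 }

    # The section runs until the next [header] or the end of the file.
    $end = $start + 1
    while ($end -lt $lines.Count -and $lines[$end] -notmatch '^\s*\[') { $end++ }

    for ($i = $start + 1; $i -lt $end; $i++) {
        $name, $value = $lines[$i] -split '=', 2
        if ($name.Trim() -ine $key) { continue }
        # Existing Members line: keep what is there, append only if absent.
        $members = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($members -inotcontains $entry) { $members += $entry }
        $lines[$i] = "$key = " + ($members -join ',')
        return $lines.ToArray()
    }
    $lines.Insert($end, "$key = $entry")   # group not yet restricted in this GPO
    return $lines.ToArray()
}

# Constructed sample INF and SIDs (not from a real domain).
$sample = @(
    '[Unicode]', 'Unicode=yes',
    '[Group Membership]',
    '*S-1-5-32-544__Memberof =',
    '*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1'
)
Add-RestrictedGroupMember -InfLines $sample -MemberSid 'S-1-5-21-1111111111-2222222222-3333333333-1105'
```

A Restricted Groups `Members` list replaces the local group's membership on every machine the GPO applies to, so review the resulting line before writing it back. The real file is `Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf` in the GPO's SYSVOL folder (UTF-16 LE), and a direct edit also needs the GPO version incremented before clients pick it up; take a `Backup-GPO` first.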
Arie,
Where is “Darren’s reply”?
Thanks, I see the original SDM article you posted IS “Darren’s reply”. I didn’t realize Darren = SDM.