Does anyone know how to bypass the Set-GPPermissions prompt? I have an automated script that removes ‘Authenticated Users’ from the security filtering and I couldn´t find a way to bypass it.
I tried the following without any success
piped the command to out-null
caught the return value of the command into another variable
Final command looks like this
$ret=Set-GPPermissions -Name “testgpo” -TargetName “AUTHENTICATED USERS” -TargetType “Group” -PermissionLevel None -ErrorAction SilentlyContinue -Confirm:$false | out-null
And i still receive the following prompt
Group Policy requires each computer account to have permission to read GPO data from domain controller in order for User Group Policy Settings to be successfully applied. Removing the Authenticated Users group may prevent processing of User Group policies. For more information, please see https://go.microsoft.com/fwlink/?linkid=843010
Do you want to continue?
[Y] Yes [N] No [S] Suspend [?] Help (Default is “Y”):
Also, note that there is no -force option in this command…
I know after kb3163622 all computers must have read access to user GPOs, and I will be using another security group to this GPO above, so just wanted to avoid that prompt confirmation. Anyways in the next command in the script i am anyways adding READ permission for “Authenticated Users”
There is another link about this topic but no one seems to have a solution. The link can be found here: https://social.technet.microsoft.com/Forums/en-US/a9d12558-3dbe-4f29-9268-c682fcc48596/setgppermissions-always-prompting?forum=winserverpowershell
I wouldn’t expect Out-Null to work; the prompt isn’t part of the command’s output. Nor is this a PowerShell confirmation prompt, so I wouldn’t expect -confirm:$false to do anything. This is a prompt being generated internally by the command.
I’m not seeing a response to your posts on TechNet or UserVoice, so perhaps other folks aren’t running into this? That would make me suspect that it’s something in your environment which is triggering the prompt inside the command, and that the team who wrote the command hasn’t provided a way to suppress it. The most you could do, in that case, is open a bug report with Microsoft Product Support.
Try adding the read permissions first.
Read permission is already present before I attempt a remove of Apply permissions.
The way it works is that when Read permission is implicitly given when you give the Apply permission. Since the GPO was created with Apply permissions for Authenticated Users, it also had the Read permissions for Authenticated Users.
When we remove the Apply permission, following the rule above, it also implicitly takes out Read permissions for the user. Hence the cause of the prompt. That’s why my script has the next statement to give explicit Read permissions after removing Apply permissions.
Regarding your statement "I’m not seeing a response to your posts on TechNet or UserVoice, so perhaps other folks aren’t running into this? "
I think everyone can reproduce this issue provided they have the 2016 OS with the latest updates. I observed that this issue was not present in an older 2016 OS version. After that, I used another 2016 OS version that had 2 more critical updates (KB402384, KB402273). It is in this OS version that I am seeing the issue of prompts.
Inorder to isolate which of the 2 updates was causing this I tried to uninstall one of the updates but unfortunately, I could not uninstall them as they are critical updates.
What if you added “domain computers” with read permissions, then removed authenticated users?
I did that too. But still, the prompt appears. this is what I did in the script
- Add Read permissions to Domain computers
- Remove Apply permissions for Authenticated Users (this is step that causes prompt to appear)
- Add Read permissions to Authenticated users.
Thank you, Jon. I appreciate your help. Please post me when you receive a response. Can you also send me the link to the case (if it can be viewed by the public)?
I’m not opening the case, I was suggesting you should.
Sorry I misread your post.
Yes. I will open a case with MS.