Remove Group Policy Permissions


PowerShell for Active Directory Group Policy has a couple of ways to get permissions: if you get the GPO with Get-GPO, then $_.GetSecurityInfo() returns permissions objects. Also, Get-GPPermission will get the same objects. You can write the permissions with $_.SetSecurityInfo() and with Set-GPPermissions. But how do you simply remove a permissions object, e.g. where the $_.trustee.sidtype is Unknown? You cannot use Set-GPPermission, because it requires a TargetType. 'Unknown' is not a valid TargetType. The SetSecurityInfo() method has no documentation that I can find. So, the question is, given the existing permissions of a GPO, how do you remove the permission object where the $_.SidType is Unknown?

The method to remove a permission with unknown SID is undocumented.

Mathias R. Jessen (best answer)

GetSecurityInfo() returns a GPPermissionCollection object.

Remove the appropriate entries from the collection:

# the GPO whose permissions are being edited (assumed to have been fetched by name)
$gpo = Get-GPO -Name '<GPO display name>'

# fetch current permission entries (a GPPermissionCollection)
$perms = $gpo.GetSecurityInfo()

# identify trustees whose SID no longer resolves to an account
$trusteesToRemove = $perms.Trustee | Where-Object { $_.SidType -eq 'Unknown' }

# remove them from the permission collection (all entries for that SID go)
$trusteesToRemove | ForEach-Object {
  $perms.RemoveTrustee($_.Sid)
}

Once modified, pass the collection object back to SetSecurityInfo():

$gpo.SetSecurityInfo($perms)
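The same approach wrapped into a reusable function, as an added example that is not part of the answer above. It goes beyond the answer in three ways: it can walk every GPO in the domain, it takes a Backup-GPO snapshot before writing the modified collection back, and it supports -WhatIf so the orphaned entries can be reviewed before anything changes. The function name, the -BackupPath parameter and the example paths are assumptions.

```powershell
# Added example (not the answer's own code): drop permission entries whose
# trustee SID no longer resolves, for one GPO or all GPOs, with a backup first.
# Assumes the GroupPolicy RSAT module and a backup folder you supply.
function Remove-GPUnknownTrustee {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Name,                               # GPO display name; omit for all GPOs
        [Parameter(Mandatory)][string]$BackupPath    # folder handed to Backup-GPO
    )
    Import-Module GroupPolicy
    $gpos = if ($Name) { Get-GPO -Name $Name } else { Get-GPO -All }

    foreach ($gpo in $gpos) {
        $perms = $gpo.GetSecurityInfo()
        # Entries whose trustee SID cannot be resolved (deleted account, removed trust, ...)
        $orphans = @($perms | Where-Object { $_.Trustee.SidType -eq 'Unknown' })
        if ($orphans.Count -eq 0) { continue }

        foreach ($entry in $orphans) {
            Write-Verbose ("{0}: {1} has {2}" -f $gpo.DisplayName, $entry.Trustee.Sid, $entry.Permission)
        }

        if ($PSCmdlet.ShouldProcess($gpo.DisplayName, "remove $($orphans.Count) unresolvable trustee entries")) {
            # Keep a restorable copy (Restore-GPO) before touching the ACL
            $null = Backup-GPO -Guid $gpo.Id -Path $BackupPath

            # RemoveTrustee drops every entry for that SID, so call it once per distinct SID
            $seen = @{}
            foreach ($entry in $orphans) {
                $sid = $entry.Trustee.Sid
                if (-not $seen.ContainsKey($sid.Value)) {
                    $seen[$sid.Value] = $true
                    $perms.RemoveTrustee($sid)
                }
            }
            $gpo.SetSecurityInfo($perms)
        }
    }
}

# Review first, then apply (example paths are assumptions):
# Remove-GPUnknownTrustee -BackupPath 'C:\GPOBackups' -WhatIf -Verbose
# Remove-GPUnknownTrustee -Name 'Example GPO' -BackupPath 'C:\GPOBackups' -Verbose
```

Run the -WhatIf pass with -Verbose to see exactly which SIDs and permission levels would be dropped per GPO before committing the change.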