managing GPO Restricted Groups with Powershell

    Question

  • Hello, 


    I need to control local group membership on the member servers and clients, and because I have around 1800 GPOs to do so, I'm wondering if there is any solution that can be used to automate such a thing. As of now, Microsoft PowerShell officially does not have any available cmdlet that can be used to add groups to the GPO Restricted Groups.

    https://powershell.org/forums/topic/how-can-i-add-user-to-gpo-restricted-groups/



    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"

    Saturday, October 01, 2016 10:35 AM

Answers

  • Hi,
     
    On 01.10.2016 at 12:35, Taheito wrote:
    > [...] i'm wondering if there is any solution that can be used to
    > automate such thing,
     
    Sure you can. You can write the gpttmpl.inf file with PowerShell to
    manage your 1800 GPOs.
    You can write the XML of GPP Users and Groups with PowerShell as well.
     
    But I would recommend changing the technique. You can reduce your 1800
    GPOs to a single one.
    Easiest approach:
    - create one security group for each computer
    - name it e.g. hostname-admins, or hostname-remote, whatever your goal is
    - integrate the specific domain user(s) into these groups that should be
    admin or whatever on that machine.
    - use GPP Users and Groups and use the variable of the computer name to
    add it to the local group, e.g. "%computername%-admins"
    - %computername% will be resolved by each system. If it exists, the
    group will be integrated; if the group does not exist, nothing happens.
     
    Your benefit:
    - security groups can be easily handled with PowerShell
    - only one GP rule to fit all systems
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    • Marked as answer by Taheito Wednesday, October 05, 2016 1:24 PM
    Tuesday, October 04, 2016 7:11 AM
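One way to build and maintain the per-computer groups that the accepted answer describes, as an added example that is not code from the thread: it assumes the RSAT ActiveDirectory module is available, and the OU paths, the "-admins" suffix and the hostname-to-user mapping are constructed placeholders to replace with your own.

```powershell
# Added example (not from the thread): create one "<hostname>-admins" security
# group per computer and reconcile its membership, so that a single GPP
# "Local Users and Groups" item adding "%computername%-admins" to the local
# Administrators group covers every machine.
# Assumes the RSAT ActiveDirectory module and rights to create groups in $GroupOU.
Import-Module ActiveDirectory

# Assumed values: adjust the OU paths and suffix to your environment.
$ComputerSearchBase = 'OU=Servers,DC=corp,DC=example'
$GroupOU            = 'OU=LocalAdminGroups,DC=corp,DC=example'
$Suffix             = '-admins'

# Constructed mapping: hostname -> domain users who should be local admins there.
# Hosts not listed get an empty group, i.e. no extra local admins.
$DesiredAdmins = @{
    'SRV01' = @('alice')
    'SRV02' = @('bob', 'carol')
}

foreach ($computer in Get-ADComputer -Filter * -SearchBase $ComputerSearchBase) {
    $groupName = "$($computer.Name)$Suffix"

    # Create the per-computer group only if it does not exist yet, so the
    # script can be re-run safely.
    $group = Get-ADGroup -Filter "SamAccountName -eq '$groupName'" -SearchBase $GroupOU
    if (-not $group) {
        $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
            -GroupCategory Security -GroupScope Global -Path $GroupOU `
            -Description "Local Administrators on $($computer.Name) via GPP" -PassThru
    }

    $wanted = @()
    if ($DesiredAdmins.ContainsKey($computer.Name)) {
        $wanted = @($DesiredAdmins[$computer.Name])
    }
    $current = @(Get-ADGroupMember -Identity $group |
                 Select-Object -ExpandProperty SamAccountName)

    # Reconcile: add users that are missing, remove users no longer wanted.
    foreach ($user in $wanted | Where-Object { $_ -notin $current }) {
        Add-ADGroupMember -Identity $group -Members $user
    }
    foreach ($user in $current | Where-Object { $_ -notin $wanted }) {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    }
}
```

Because membership of these groups is equivalent to granting local admin on the matching host, restrict who can modify the group OU and monitor member-added events on it (4728 for global groups) the same way you would monitor changes to the GPO itself.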

All replies

  • Hi,

    To achieve your goal, please refer to the similar thread below.

    Using Powershell to add local administrators USING local administrator credentials

    https://social.technet.microsoft.com/Forums/scriptcenter/en-US/85bce206-058e-4664-a59c-1fc18833e416/using-powershell-to-add-local-administrators-using-local-administrator-credentials?forum=ITCG

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, October 04, 2016 9:27 AM
    Moderator