none
Edit Owner on a GPO using Powershell RRS feed

  • Question

  • Hi Team, do you know if there is a way to edit/modify the owner of a GPO using powershell?   We have a plethora of GPO's that are presently set to an owner that has long left the company and has had their account deleted (so presently set to unknown SID).  My goal is to replace all of the GPO's owner data with our domain admin security group.  Thanks for the help!!

    Scott W.

      
    Friday, May 15, 2015 7:15 PM

Answers

All replies

  • Hi Scott,

    First lets find the GPO to be modified.

    Get-GPO TestGPO
     
    DisplayName      : TestGPO
     
    DomainName       : contoso.local
     
    Owner            : CONTOSO\User1
     
    Id               : 590f3e84-f967-45c6-bff2-03f7dc3f4f86
     
    GpoStatus        : AllSettingsDisabled
    

    NOTE the Id guid value.

    I have searched and found there are no specific cmdlets related to GPO that would allow you modify the OWNER, we do have Get-GPPermissions, not much of use in our case.

    Hence the next option would be relying on ActiveDirectory Objects, as GPO is nothing but yet another ADobject.

    Now using the GUID from earlier cmdlet we will get hold of the GPO Object on AD:

    Get-ADObject -Filter {Name -like "*590f3e84-f967-45c6-bff2-03f7dc3f4f86*"} | fl
     
    DistinguishedName : CN={590F3E84-F967-45C6-BFF2-03F7DC3F4F86},CN=Policies,CN=System,DC=CONTOSO,DC=local
     
    Name              : {590F3E84-F967-45C6-BFF2-03F7DC3F4F86}
     
    ObjectClass       : groupPolicyContainer
     
    ObjectGUID        : 56ee8095-8e66-4f92-845d-0e086fcc1ec2
    

    Looking at the DN we can identify the AD Path of the GPO object.

    We should know how to change 'Owner' using GUI:

    *If we now open DSA.MSC and browse to that location contoso.local\System\Policies\

    • Here all the GPOs will be listed.
    • If we go to the GUID and Rt. Click ->Properties ->Security Tab->Advanced Button
    • We get the 'Advanced Security Settings for GUID', and Owner: CONTOSO\User1 can be changed here.

    *If we now start from GPMC.msc

    • Run gpmc.msc, select your group policy, go to Delegationand then click on Advanced
    • Click on Advanced and then select Owner
    • Add your user/group and then click on Apply

    If you have noticed this brings up the exact same 'Advanced Security Settings for GUID' screen in both cases, basically indicating this has someting to do with DACL for Active Directory.

    Now as we know what and where to change lets do it using PowerShell:

    Open a PowerShell window with Run As Admin.

    #Get the GUID using 
    
    Get-GPO "TestGPO"
    
    #Store the GPO AD Object in a variable
    
    $Gpo1 = get-adobject -Filter {Name -like "*590f3e84-f967-45c6-bff2-03f7dc3f4f86*"}
    
    #Store the new Owner in a  variable as well (Note changes for group and user accounts)
    
    $Ownr = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Domain Admins").SID
    #$Ownr = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser "USer1").SID
    
    #$Ownr = New-Object System.Security.Principal.SecurityIdentifier (Get-ADObject "GroUpser1").SID
    
    #Copy the DACL for the GPO object to be modified in a variable
    
    $Acl = Get-ACL -Path "ad:$($Gpo1.DistinguishedName)"
    
    #Validate the currect owner (- can be skipped in when in a script)
    
    $Acl.GetOwner([System.Security.Principal.NTAccount])
    
    #Edit Owner on a GPO using Powershell to new Owner 
    $Acl.SetOwner($Ownr)
    
    #Note changes are not yet commited, we have made changes only to the variable data not the actual object
    
    $Acl.Owner
    
    #Commit the changes on the variable to the -Path actual object
    Set-ACL -Path "ad:$($Gpo1.DistinguishedName)" -ACLObject $Acl
    
    
    #Get actual data, not from the old variable to confirm change has been made:
    (Get-ACL -Path "ad:$($Gpo1.DistinguishedName)").Owner

    Test Run results:

    Windows PowerShell
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.
    
    PS C:\Windows\system32> $Gpo1 = get-adobject -Filter {Name -like "*590f3e84-f967-45c6-bff2-03f7dc3f4f86*"}
    PS C:\Windows\system32> $Ownr = New-Object System.Security.Principal.SecurityIdentifier (Get-ADGroup "Domain Admins").SID
    PS C:\Windows\system32> #$Ownr = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser "USer1").SID
    PS C:\Windows\system32> $Acl = Get-ACL -Path "ad:$($Gpo1.DistinguishedName)"
    PS C:\Windows\system32> $Acl.GetOwner([System.Security.Principal.NTAccount])
    
    Value
    -----
    CONTOSO\User1
    
    
    PS C:\Windows\system32> #Translate is required to accept groups properly
    PS C:\Windows\system32> $Acl.SetOwner($Ownr)
    PS C:\Windows\system32> #Ready to be commited
    PS C:\Windows\system32> $Acl.Owner
    CONTOSO\Domain Admins
    PS C:\Windows\system32> #Commit the changes on the variable to the -Path actual object
    PS C:\Windows\system32> Set-ACL -Path "ad:$($Gpo1.DistinguishedName)" -ACLObject $Acl
    PS C:\Windows\system32> #Get actual data, not from the old variable:
    PS C:\Windows\system32> Get-ACL -Path "ad:$($Gpo1.DistinguishedName)"
    
    Path                                    Owner                                   Access
    ----                                    -----                                   ------
    Microsoft.ActiveDirectory.Management... CONTOSO\Domain Admins                       CREATOR OWNER Allow  ...
    

    At this point it should not be difficult for you to put this in a loop or something to iterate through your remaining GPOs.

    Note each GPO would have different DACLs hence you need to copy the existing DACLs and then updating the object. Hence which modifying the script for multiple GPOs, make sure you keep the ACLs separated.

    Helpful Cmdlet that helped me Identify the required Methods:

    Get-ACL | Get-Member
    
       TypeName: System.Security.AccessControl.DirectorySecurity
    
    Name                            MemberType     Definition
    ----                            ----------     ----------
    Access                          CodeProperty   System.Security.AccessControl.AuthorizationRuleCollection Access{get=...
    CentralAccessPolicyId           CodeProperty   System.Security.Principal.SecurityIdentifier CentralAccessPolicyId{ge...
    CentralAccessPolicyName         CodeProperty   System.String CentralAccessPolicyName{get=GetCentralAccessPolicyName;}
    Group                           CodeProperty   System.String Group{get=GetGroup;}
    Owner                           CodeProperty   System.String Owner{get=GetOwner;}
    Path                            CodeProperty   System.String Path{get=GetPath;}
    Sddl                            CodeProperty   System.String Sddl{get=GetSddl;}
    AccessRuleFactory               Method         System.Security.AccessControl.AccessRule AccessRuleFactory(System.Sec...
    AddAccessRule                   Method         void AddAccessRule(System.Security.AccessControl.FileSystemAccessRule...
    AddAuditRule                    Method         void AddAuditRule(System.Security.AccessControl.FileSystemAuditRule r...
    AuditRuleFactory                Method         System.Security.AccessControl.AuditRule AuditRuleFactory(System.Secur...
    Equals                          Method         bool Equals(System.Object obj)
    GetAccessRules                  Method         System.Security.AccessControl.AuthorizationRuleCollection GetAccessRu...
    GetAuditRules                   Method         System.Security.AccessControl.AuthorizationRuleCollection GetAuditRul...
    GetGroup                        Method         System.Security.Principal.IdentityReference GetGroup(type targetType)
    GetHashCode                     Method         int GetHashCode()
    GetOwner                        Method         System.Security.Principal.IdentityReference GetOwner(type targetType)

    References:

    Using Get-ACL to view and modify Access Control Lists

    Hey, Scripting Guy! How Can I Use Windows PowerShell to Determine the Owner of a File?

    Active Directory Delegation via PowerShell

    PowerShell Setting advanced NTFS permissions


    Regards,

    Satyajit

    Please“Vote As Helpful” if you find my contribution useful or “MarkAs Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.


    • Edited by Satyajit321 Monday, May 18, 2015 12:09 PM Added references
    Monday, May 18, 2015 12:01 PM
  • Hi Scott,

    Here goes the script:

    Script to Edit Owner on all GPO using Powershell AD

    https://gallery.technet.microsoft.com/Script-to-Edit-Owner-on-bbba3562


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Wednesday, May 20, 2015 5:53 AM