Set-GPPermissions always prompting

  • Question

  • Does anyone know how to bypass the Set-GPPermissions prompt? I have an automated script that removes 'Authenticated Users' from the security filtering and I couldn't find a way to bypass it. Even if I put -Confirm:$false it still prompts... There is no -force option in this command.

    Get-gpo $policy_name -Domain $domain | Set-GPPermissions -Replace -PermissionLevel None -TargetName 'Authenticated Users' -TargetType group
    

    I know after KB3163622 all computers must have read access to user GPOs, and I will be using another security group for the GPO above, so I just wanted to avoid that confirmation prompt.

    thanks

    Wednesday, June 7, 2017 1:03 PM

All replies

  • I have the same issue. I have already asked it on Stack Overflow: https://stackoverflow.com/questions/44390401/how-to-execute-set-gppermissions-command-without-confirmation-prompt. But I didn't get an answer.

    Any ideas?

    Wednesday, June 7, 2017 1:15 PM
  • -Confirm <SwitchParameter>

    Prompts you for confirmation before executing the command.

    So add to your script -Confirm:$false

    Ooops....I didn't see in your original description that you have tried the above.


    If you find that my post has answered your question, please mark it as the answer. If you find my post to be helpful in any way, please click vote as helpful. (99,108,97,121,109,97,110,50,64,110,121,99,97,112,46,114,114,46,99,111,109|%{[char]$_})-join''


    • Edited by clayman2 Wednesday, June 7, 2017 2:26 PM typo
    Wednesday, June 7, 2017 2:23 PM
  • Hi,

    >>Does anyone know how to bypass the Set-GPPermissions prompt?

    No prompts on my PS 4.0.

    Permission issue? Run as admin?

    Best regards,

    Andy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, June 8, 2017 8:41 AM
  • I can't remove "Authenticated users" from Group Policy Management and from powershell

    Thursday, June 8, 2017 9:16 AM
  • I get the same result as Трембович

    PSversion is 4.0 as well.

    Thanks

    Thursday, June 8, 2017 9:22 AM
  • Hi all,

    I have built a new server for testing purposes, freshly installed, and there is no such issue.

    So, I can't reproduce your issue; please try upgrading the PS version to see if it helps.

    Besides, I suggest you post feedback at the link below:

    https://windowsserver.uservoice.com/forums/301869-powershell

    Best regards,

    Andy



    Thursday, June 8, 2017 9:46 AM
  • Andy, I see you are removing 'Domain Users' group. Can you please test it with 'Authenticated Users'? Thanks
    Thursday, June 8, 2017 10:20 AM
  • I have voted and subscribed to this issue.

    Hope we will find a better solution.

    Have a nice day, all !

    Best regards,

    Andy



    Thursday, June 8, 2017 10:21 AM
  • same results, my friend!

    I have noticed this:

    Best regards,

    Andy



    Thursday, June 8, 2017 10:25 AM
  • Thank you Andy!
    Thursday, June 8, 2017 10:27 AM
  • Strange
    Thursday, June 8, 2017 10:28 AM
  • You're welcome.

    So, I suppose we need to wait for the MS team or other communities to focus on this issue.

    Besides, I still suggest you try upgrading the PS version to a newer one to see if it helps.

    Best regards,

    Andy



    • Edited by Hello_2018 Thursday, June 8, 2017 10:32 AM
    Thursday, June 8, 2017 10:31 AM
  • Hi all,

    It seems that I have found something about this:

    "If the “Authenticated Users” permissions were removed intentionally (security filtering, etc), then as a result of the by-design change in this security update (i.e. to now use the computer’s security context to retrieve user policies), you will need to add the computer account retrieving the group policy object (GPO) to “Read” Group Policy (and not “Apply group policy“)."

    https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

    You need to add at least one of "Domain computers" or "authenticated users" with read permissions.

    Could this be the answer?

    Best regards,

    Andy




    • Edited by Hello_2018 Thursday, June 8, 2017 10:39 AM
    Thursday, June 8, 2017 10:39 AM
  • No.

    We need to remove "Authenticated Users" from GPO.

    Thursday, June 8, 2017 10:42 AM
  • I don't think so. Here it says you would need to have domain computers as "Read" to allow users to apply the GPO. I have added domain computers to a GPO, and tried to remove Authenticated Users again, and still get the same result... But thanks anyway!
    Thursday, June 8, 2017 10:43 AM
  • ok, let's keep working!


    Thursday, June 8, 2017 10:45 AM
  • I get the same result as tiago_me
    Thursday, June 8, 2017 10:46 AM
  • Guys, are any updates installed on your machines?

    From here https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos/

    Thursday, June 8, 2017 12:34 PM
  • I have been struggling with the same issue for a while now. 
    We don't want all 'Authenticated Users' running GPOs that are filtered to specific security groups.

    The best workaround for now would seem to be to set the permissions to 'GPOread', which at least allows the scripts to carry on running.

    OK, so 'Authenticated Users' can still read the GPOs if they want to, but at least they don't get applied.

    Hope Microsoft fixes this issue soon.

    Tuesday, August 15, 2017 9:36 AM
  • You can do it using ADSI :

    # Bind to the GPO's AD object so its ACL can be edited directly
    $GPO = Get-Gpo -Name 'My Gpo'
    $ADSI = [ADSI]"LDAP://$($GPO.Path)"
    $ADSI.psbase.ObjectSecurity.Access | ForEach-Object {
        # Remove every ACE held by Authenticated Users
        if ($_.IdentityReference -eq 'NT AUTHORITY\Authenticated Users') {
            $ADSI.psbase.ObjectSecurity.RemoveAccessRule($_)
        }
    }
    $ADSI.psbase.CommitChanges()

    But I think Microsoft has made a mistake by preventing the normal execution of scripts managing the GPO security filtering.

    • Proposed as answer by Decembry Q Friday, March 2, 2018 7:34 AM
    Wednesday, February 28, 2018 8:20 PM
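
The workaround from the August 2017 reply (leave 'Authenticated Users' at GpoRead instead of None) together with the KB3163622 read requirement quoted earlier, as an added PowerShell example that is not code from any poster in this thread. The function names and parameters are hypothetical, and the trustee names assume an English-language domain.

```powershell
# Added example, not from the thread. Function and parameter names are hypothetical.
Import-Module GroupPolicy

# Permission levels that include read access to the GPO.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
# Trustees that cover computer accounts (English names assumed).
$ComputerTrustees = 'Authenticated Users', 'Domain Computers'

function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory = $true)] [string] $GpoName,
        [Parameter(Mandatory = $true)] [string] $FilterGroup
    )
    # The filter group becomes the trustee that applies the GPO.
    Set-GPPermissions -Name $GpoName -TargetName $FilterGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Lower Authenticated Users from apply to read-only. -Replace is needed
    # because the new level is lower than the one already granted.
    Set-GPPermissions -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
}

function Test-GpoReadableByComputers {
    param([Parameter(Mandatory = $true)] [guid] $GpoId)
    # KB3163622: user policy is retrieved in the computer's security context,
    # so at least one of these trustees must hold read access.
    $hits = Get-GPPermissions -Guid $GpoId -All | Where-Object {
        ($ComputerTrustees -contains $_.Trustee.Name) -and
        ($ReadLevels -contains $_.Permission.ToString())
    }
    return [bool]$hits
}

function Get-GpoMissingComputerRead {
    # Audit every GPO in the domain and list those no computer can read.
    Get-GPO -All |
        Where-Object { -not (Test-GpoReadableByComputers -GpoId $_.Id) } |
        Select-Object DisplayName, Id
}
```

Running `Get-GpoMissingComputerRead` after any scripted change to security filtering lists the GPOs that would stop applying under KB3163622.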