Powershell Script - GPO Security Filter Computer


  • Setting GPO security filter with powershell (add delete computers)

    I've been looking for a PowerShell script that can add a .csv file of servers to my previously configured GPO.

    The case is that we constantly add new machines and because security groups of computers don't cut the chase (the policies don't get applied) I wanted a powershell to add a list of machines to my current GPO.

    The trick is that it should first delete the current security filtering and then add the machines listed in the csv file.

    Any help will be welcome.

    Tuesday, November 12, 2013 2:14 PM


All replies

  • Please search in Script Center; if not available, please request through Browse Script Request.

    Regards Chen V [MCTS SharePoint 2010]

    Tuesday, November 12, 2013 5:23 PM
  • Hi Hugo MMonteiro,

    Thanks for your posting.

    In my expression, you want to delete computers in current GPO security filter and add the new computers to it.

    If there is no misunderstanding, the cmdlet Set-GPPermissions should be helpful for you:

    Write-Host "Remove Authenticated Users from GPO Security Filtering" -ForegroundColor Cyan 
    Set-GPPermissions -Name $gpoName -PermissionLevel None -TargetName "Authenticated Users" -TargetType Group -Server $dcServer  
    Write-Host "Add AD-Group to Security Filtering on GPO" -ForegroundColor Cyan 
    Set-GPPermissions -Name $gpoName -PermissionLevel GpoApply -TargetName "$($adGroupName)" -TargetType Group -Server $dcServer 

    For more detailed information about the script, please refer to this article:

    Create GPOs with Powershell:

    In addition, you can also refer to this script to complete the task:

    Create GPO and set Security Filtering:

    I hope this helps.


    Wednesday, November 13, 2013 5:59 AM
  • Thanks, going to check it out and try it. Going to post it if successful.

    Thursday, November 14, 2013 4:16 PM
  • I found myself in the same spot, so based on the previous answer, I cooked the following:
    ### This script adds a computer-account from the domain to the 'Security Filtering' of the GPO.
    # These 2 lines remove the default filter of 'Authenticated Users'. In my case this was already done manually, so these were commented out.
    #Write-Host "Remove Authenticated Users from GPO Security Filtering" -ForegroundColor Cyan 
    #Set-GPPermissions -Name $gpoName -PermissionLevel None -TargetName "Authenticated Users" -TargetType Group -Server $dcServer  
    $gponame = "Some Important Group Policy"
    $Domain = ""
    $ComputerList = Get-Content "C:\Temp\Computers.txt"
    # Note: Computers.txt contains only 1 computername on each line.
    Write-Host "Add Computers to Security Filtering on GPO" -ForegroundColor Cyan 
    foreach ($Computer in $ComputerList)
    {
        Write-Host "Add" $Computer -ForegroundColor Cyan 
        Set-GPPermissions -Name $gpoName -PermissionLevel GpoApply -TargetName $Computer -TargetType Computer -Domain $Domain
    }

    Maybe this can help someone.

    Wednesday, March 23, 2016 1:52 PM
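
An added example, not code from any poster in this thread: one way to do what the original question asks, making the GPO's security filter match a CSV of computers. It removes only the entries that are not in the CSV and adds only the missing ones, so machines present in both never lose the policy during the run. Assumptions: the CSV path, a `Name` column header, a single domain, and computer names passed without the trailing `$`, as in the post above.

```powershell
# Added example, not from the thread. Needs the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

$GpoName = 'Some Important Group Policy'   # GPO name as used in the post above
$CsvPath = 'C:\Temp\Computers.csv'         # assumed path; assumed column header "Name"

# Desired filter: names from the CSV, trimmed, de-duplicated, without a trailing '$'.
$wanted = @(Import-Csv -Path $CsvPath |
    ForEach-Object { "$($_.Name)".Trim().TrimEnd('$') } |
    Where-Object { $_ } | Sort-Object -Unique)
if ($wanted.Count -eq 0) { throw "No computer names in $CsvPath; GPO left unchanged." }

# Current filter: every trustee that holds the Apply right on the GPO.
$current = @(Get-GPPermissions -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' })
$have = @()

# Remove trustees that are not in the CSV (this includes "Authenticated Users").
foreach ($entry in $current) {
    if (-not $entry.Trustee.Name) {          # orphaned SID: cannot be addressed by name
        Write-Warning "Unresolved trustee $($entry.Trustee.Sid) left in place"
        continue
    }
    $type = switch ("$($entry.Trustee.SidType)") {
        'Computer' { 'Computer' } 'User' { 'User' } default { 'Group' }
    }
    $name = $entry.Trustee.Name
    if ($type -eq 'Computer') {
        $name = $name.TrimEnd('$')
        if ($wanted -contains $name) { $have += $name; continue }   # keep as is
    }
    Write-Host "Remove $name ($type)" -ForegroundColor Yellow
    Set-GPPermissions -Name $GpoName -TargetName $name -TargetType $type `
        -PermissionLevel None -Replace | Out-Null
}

# Add the CSV computers that are missing; report names that fail instead of stopping.
foreach ($computer in $wanted) {
    if ($have -contains $computer) { continue }
    try {
        Set-GPPermissions -Name $GpoName -TargetName $computer -TargetType Computer `
            -PermissionLevel GpoApply -ErrorAction Stop | Out-Null
        Write-Host "Add $computer" -ForegroundColor Cyan
    } catch {
        Write-Warning "Could not add ${computer}: $($_.Exception.Message)"
    }
}
```

Running `Get-GPPermissions -Name $GpoName -All` afterwards shows the resulting filter; any name reported by the warning did not receive the policy and needs checking in AD.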