none
Set-GPPermissions error

    Question

  • When using this command in powershell

    Set-GPPermissions -All -TargetName "X Y Z" -TargetType Group -PermissionLevel GpoEdit

    I get error

    Set-GPPermissions : The trust relationship between the primary domain and the t
    rusted domain failed.
    At line:1 char:18
    + Set-GPPermissions <<<<  -All -TargetName "X Y Z" -Target
    Type Group -PermissionLevel GpoEdit
        + CategoryInfo          : NotSpecified: (:) [Set-GPPermissions], SystemExc
       eption
        + FullyQualifiedErrorId : System.SystemException,Microsoft.GroupPolicy.Com
       mands.SetGPPermissionsCommand

    If I change the -All flag to either -name XXX or -guid XXX I still get the same error. Adding the flag -Domain ABC doesn't help either (specifying the domain where the GPOs sits)

    Any help would be appreciated

    Wednesday, June 10, 2015 1:13 PM

All replies

  • > Set-GPPermissions -All -TargetName "X Y Z" -TargetType Group
    > -PermissionLevel GpoEdit
     
    Does "get-ADGroup XYZ" work?
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, June 10, 2015 1:47 PM
  • Yes, the Get command works no problem and returns the GPO.

    I'm running this on a DC in the domain where the GPOs sit as well.

    Thursday, June 11, 2015 7:50 AM
  • > Yes, the Get command works no problem and returns the GPO.
     
    "Returns the GPO"??? My question was about Get-ADGroup, which should
    return a group and not a GPO.
     
    > I'm running this on a DC in the domain where the GPOs sit as well.
     
    To confirm: You are on a DC and want to change a GPO in that domain.
    Your user is a member of this domain? The group is a member of this
    domain? Or what's your infra looking like?
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, June 11, 2015 9:24 AM
  • Sorry, misread your response.
    Yes, Get-ADGroup returns the group.

    Also yes, everything (DC, GPO, User account, Group)is in the same domain.

    If I try to set delegation in the Group Policy Management Console directly on the same DC it works fine and I can add the group to the GPO permissions. I have lots to do though hence want to get SET-GPPermissions to work to I can use the -All Flag. 

    Friday, June 12, 2015 7:44 AM
  • > If I try to set delegation in the Group Policy Management Console
    > directly on the same DC it works fine and I can add the group to the GPO
    > permissions. I have lots to do though hence want to get
    > SET-GPPermissions to work to I can use the -All Flag.
     
    Sounds reasonable :)
     
    What ACL entries do you have currently in your GPOs? Might be there's an
    orphaned entry that confuses the Cmdlet?
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Friday, June 12, 2015 11:29 AM
  • If I change the Set command to use the flag -Name and specify a single GPO, I still get the error. That particular single GPO only has Windows Builtin groups applied to it i.e. Domain Admins, Enterprise Admins, Authenticated users.  

    I've also tried using the -Server flag and the -Domain flag

    Friday, June 12, 2015 12:10 PM