Modifying who can add/remove GPO links on an OU, using powershell

  • Question

  • Hello there,

    I'm trying to figure out a way to allow a security group to be able to add/remove GPO links on an OU, using powershell. It's easy using the delegation tab in gpedit.

    I can see the properties "read gPOptions" and "Write gPOptions" are being set on an object (user or group) when modified through gpedit. But I don't know how to set those properties using powershell.

    I've searched, and the only thing I can find is how to modify permissions with powershell on the GPO itself, but that's not what I am interested in.

    Any help is appreciated.


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator

    Help the forum: Monitor(alert) your threads and vote helpful replies or mark them as answer, if it helps solving your problem.

    Thursday, July 23, 2020 6:30 AM

All replies

  • Thanks for the quick response!

    That I figured, but I can't find any information for how to set 'properties'.

    I am using Set-Acl to delegate who can create users, computers, groups, contacts etc., but I'm lost when it comes to this.


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator


    Thursday, July 23, 2020 7:14 AM
  • What properties? Just read the help for the commands and follow the instructions.

    You will have to learn the AD security Net classes and how to create an ACE as needed.


    \_(ツ)_/

    Thursday, July 23, 2020 7:22 AM

  • Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator


    Thursday, July 23, 2020 7:36 AM
  • If I'd found a clue on the internet I wouldn't ask here.

    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator


    Thursday, July 23, 2020 7:37 AM
  • You have to start by learning AD security from the Net API level.  You need to research this which can take some time as what you are asking is never done.  There is no reason to do what you are trying to do which would be clear once you learn AD beyond the GUI wizards.

    Why do many people need to be capable of adding GPOs?  This is pretty much contrary to the design and model of AD.  GPOs are established by the company business plan and model as well as the corporate security model.  GPOs are not just switches that untrained users should be able to play with.

    I do not have the time to do this research for you.  Maybe you will get lucky and someone may have coded this in the past.  If not you will just have to do the research until you find how to alter this in AD.

    Reading the help and learning basic PowerShell would be good places to start.

    You can find most of this including AD security basics in the following free book:


    \_(ツ)_/


    • Edited by jrv Thursday, July 23, 2020 7:51 AM
    Thursday, July 23, 2020 7:51 AM
  • You can add GP Permissions on a container using Set-GPPermission.  It will only allow GpoApply, GpoEdit and GpoRead.  I am pretty sure this changes more than just those two items.


    \_(ツ)_/

    Thursday, July 23, 2020 7:58 AM
  • I am learning how to use PowerShell to manage permissions using. I get bits and pieces and slowly I'm figuring out how to do things.

    But for this, I don't know where to look. I've spent days trying to find clues and directions. I found a lot of other useful stuff I'm using in my scripts, just not for this particular challenge.

    I work in an environment where delegation is provided to units that will work inside a designated OU. GPO management is part of that task, but domain and enterprise admins are the only default groups that can manage links. We don't have that kind of permission. Delegation takes 3 clicks using gpmc.msc, but I would like to automate the creation of an OU, sub-OU and the delegation model we're using.


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator


    Thursday, July 23, 2020 8:10 AM
  • Why not just get the ACE that sets the link permissions on the property and use it to create a new ACE to apply when needed?

    Until you are experienced with PS and with Windows security this will be a difficult challenge.


    \_(ツ)_/

    Thursday, July 23, 2020 8:17 AM
  • Found a working solution, and modified it a bit. It seems to work, but I cannot figure out why the group isn't showing in the delegation tab of gpmc.msc

    Import-Module ActiveDirectory

    $ugroup = "YOUR GROUP"

    #####

    # Map attribute lDAPDisplayName -> schemaIDGUID and extended-right name -> rightsGuid,
    # so an attribute-specific ACE can reference the attribute by its GUID.
    $rootdse = Get-ADRootDSE
    $domain = Get-ADDomain
    $guidmap = @{}

    Get-ADObject -SearchBase ($rootdse.SchemaNamingContext) -LDAPFilter `
    "(schemaidguid=*)" -Properties lDAPDisplayName,schemaIDGUID |
    ForEach-Object { $guidmap[$_.lDAPDisplayName] = [System.GUID]$_.schemaIDGUID }
    $extendedrightsmap = @{}
    Get-ADObject -SearchBase ($rootdse.ConfigurationNamingContext) -LDAPFilter `
    "(&(objectclass=controlAccessRight)(rightsguid=*))" -Properties displayName,rightsGuid |
    ForEach-Object { $extendedrightsmap[$_.displayName] = [System.GUID]$_.rightsGuid }

    ######

    $container = "YOUR OU"   # distinguished name of the OU
    Set-Location AD:         # the AD: drive is provided by the ActiveDirectory module
    $group = Get-ADGroup $ugroup
    $sid = New-Object System.Security.Principal.SecurityIdentifier $group.SID
    $ous = Get-ADOrganizationalUnit -Identity $container

    $setacl = Get-Acl -Path $ous.DistinguishedName
    Write-Host $setacl
    # Allow the group to read and write the gPLink attribute on descendants of the OU
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid,"ReadProperty, WriteProperty","Allow",$guidmap["gplink"],"Descendents"

    $setacl.AddAccessRule($ace)

    Set-Acl -Path $container -AclObject $setacl



    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator


    Thursday, July 23, 2020 12:35 PM
  • I think you will find that the wizard alters more properties and options than just setting the ACE.  This would make your method untraceable and undetectable in the delegation wizard report/display.

    You might try the AD developers forum to see if any developers on AD have the complete explanation and method.

    Also be sure you have refreshed the view in ADUC or ADMC.

    It is interesting that you found what you insisted couldn't be found.  Sometimes searching takes cunning.


    \_(ツ)_/

    Thursday, July 23, 2020 3:43 PM
  • An object was added twice when using the wizard. Read-Write on the 'gpOptions' property is also required. Now the group is visible in the delegation tab.

    # One ACE per attribute ($SIDGPO is the group's SID); each ACE must be added to the ACL
    # before the next is created, otherwise the second assignment overwrites the first.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SIDGPO,"ReadProperty, WriteProperty","Allow",$guidmap["gplink"],"Descendents"
    $setacl.AddAccessRule($ace)

    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $SIDGPO,"ReadProperty, WriteProperty","Allow",$guidmap["gpOptions"],"Descendents"
    $setacl.AddAccessRule($ace)

    I haven't found the solution. I worked it out by collecting bits and pieces and then by trial and error. What pushed me in the right direction was the Get-Acl you mentioned. I did come across it before, but I didn't think it gave me anything useful, or I didn't define the command properly. Having a second look, with 'Select-Object -ExpandProperty Access', I was able to read the information in a way that makes sense.


    Best Regards,

    Jesper Vindum, Denmark

    Systems Administrator


    Saturday, July 25, 2020 10:10 AM
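The delegation worked out in the two posts above (read/write on both gPLink and gPOptions), folded into one function plus an audit function that lists who can write gPLink on an OU, as an added example that is not code from the thread. The group and OU names, the AD:\ path form, the default inheritance scope of All, and the function names are assumptions.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module (which provides the AD: drive),
# an OU given by distinguished name, and placeholder group/OU names.
Import-Module ActiveDirectory

function Get-SchemaAttributeGuid {
    # Resolve an attribute's lDAPDisplayName to its schemaIDGUID (the ObjectType of a property ACE).
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).SchemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $attr) { throw "Schema attribute '$LdapDisplayName' not found" }
    [guid]$attr.schemaIDGUID
}

function Grant-GpoLinkDelegation {
    # Grant a group read/write on gPLink and gPOptions of an OU; both ACEs are needed before GPMC shows the group.
    param(
        [Parameter(Mandatory)][string]$OUPath,     # e.g. 'OU=Unit1,DC=example,DC=com' (placeholder)
        [Parameter(Mandatory)][string]$GroupName,  # placeholder group name
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'All'  # assumed default: OU and children
    )
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OUPath"
    foreach ($attr in 'gPLink', 'gPOptions') {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, 'ReadProperty, WriteProperty', 'Allow', (Get-SchemaAttributeGuid $attr), $Inheritance)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$OUPath" -AclObject $acl
}

function Get-GpoLinkDelegation {
    # Audit: every Allow ACE on the OU that can write gPLink, including blanket rights (GenericAll, GenericWrite,
    # or WriteProperty with an empty ObjectType, which covers all attributes).
    param([Parameter(Mandatory)][string]$OUPath)
    $gpLinkGuid = Get-SchemaAttributeGuid 'gPLink'
    $write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    (Get-Acl -Path "AD:\$OUPath").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $write) -eq $write) -and
            ($_.ObjectType -eq $gpLinkGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}

# Usage (placeholder names):
# Grant-GpoLinkDelegation -OUPath 'OU=Unit1,DC=example,DC=com' -GroupName 'Unit1-GPO-Linkers'
# Get-GpoLinkDelegation   -OUPath 'OU=Unit1,DC=example,DC=com'
```

Running Get-GpoLinkDelegation before and after the grant shows exactly which principals gained the ability to link GPOs to that OU, which is the check worth keeping in any OU-provisioning script.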