Security Filtering

  • Question

  • I am trying to get only the permissions listed under Security Filtering for the group policy objects. Since I have many GPOs, I want to perform this through a script. However, when I export the GPOs as XML, I don't see any element for security filtering specifically. I can see the TrusteePermissions, however there is nothing which differentiates between the Security Filtering permissions and the permissions under the delegation tab. Is there any way to get the Security Filtering permissions only for the GPOs using PowerShell?

    Currently I am trying to query $xml3.GPO.SecurityDescriptor.Permissions.TrusteePermissions.Trustee.Name

    However it is listing the permissions in the delegation as well as security filtering tab, I just want the permissions under Security Filtering.

     
    • Moved by jrv Friday, June 14, 2019 12:02 AM Better forum
    Thursday, June 13, 2019 2:58 PM

All replies

  • I tried this command also, however I cannot find anything which differentiates between the security filtering permissions and permissions under the delegation tab. Am I missing something? 
    Thursday, June 13, 2019 11:56 PM
  • I am going to move this to the GP forum so they can help you understand how permissions and delegation work in GP.

    Understanding permissions and permission reporting is a complex thing with any element of Windows. 

    The permissions returned provide all aspects of the permissions including delegation.  You need to pay attention to inheritance and to how Windows permissions work.


    \_(ツ)_/

    Friday, June 14, 2019 12:01 AM
  • Check if this helps

    https://pastebin.com/VhTHcETD

    Friday, June 14, 2019 5:33 AM
  • Hi,

    Thank you for posting here.

    1. Once you add a certain object to security filter, it will automatically be listed under delegation and will get only read permission. And if you remove it from security filter or delegation, it will also be removed from the other side.

    2. If you delegate permission under delegation, it will not be listed under security filter. You will have 3 options of permission to grant:

    3. Based on 1, there is no need to check objects' permissions under security filter since they all have only read permission. If you want to check, you can specify the object under security filter with the Get-GPPermission command.

    Please help correct me if anything is misunderstood.

    Best Regards,

    Lavilian


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, June 14, 2019 7:29 AM
    Moderator
  • I think only groups which we add under security filtering will only have the "Apply Group Policy" Permission whereas the rest of the groups under the delegation tab would have other permissions so based on this we get the group added under security filtering. Is this understanding correct?
    Friday, June 14, 2019 12:32 PM
  • Hi,

    Thank you for your reply.

    When you add a certain group under security filter, it will automatically have read permission only (and will be automatically added under delegation, so this permission can be changed manually under delegation).

    When you add a certain group under delegation, its permission depends on which permissions you choose to give it.

    That's to say, if you haven't changed its permission under delegation after you add a group under security filter, it will only have read permission.

    Hope that my clarification is clear.

    Best Regards,

    Lavilian




    Tuesday, June 18, 2019 9:46 AM
    Moderator
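
One way to script the distinction discussed above, as an added example that is not from any poster in this thread. It assumes, in line with the question posted at 12:32 PM, that the Security Filtering entries are the trustees holding "Apply Group Policy", which Get-GPPermission reports as the GpoApply permission level; the function name Get-GpoSecurityFiltering is hypothetical.

```powershell
# Added example. Requires the GroupPolicy module (RSAT / GPMC) and read access to the GPOs.
Import-Module GroupPolicy

function Get-GpoSecurityFiltering {
    [CmdletBinding()]
    param(
        # GPO objects as returned by Get-GPO; defaults to every GPO in the current domain.
        [Parameter(ValueFromPipeline)]
        $Gpo = (Get-GPO -All)
    )
    process {
        foreach ($g in $Gpo) {
            try {
                # -All returns one entry per trustee on the GPO (delegation and filtering alike).
                $entries = Get-GPPermission -Guid $g.Id -All -ErrorAction Stop
            } catch {
                Write-Warning "Cannot read permissions on '$($g.DisplayName)': $_"
                continue
            }
            foreach ($e in $entries) {
                # Assumption: GpoApply (Read + Apply Group Policy) marks a Security Filtering entry.
                # GpoCustom entries were edited by hand and are kept so they can be reviewed.
                if ($e.Permission -notin 'GpoApply', 'GpoCustom') { continue }
                [pscustomobject]@{
                    Gpo        = $g.DisplayName
                    GpoId      = $g.Id
                    Trustee    = $e.Trustee.Name
                    TrusteeSid = $e.Trustee.Sid.Value
                    SidType    = $e.Trustee.SidType
                    Permission = $e.Permission
                    Denied     = $e.Denied
                    Inherited  = $e.Inherited
                }
            }
        }
    }
}

# One row per GPO and trustee; GpoRead / GpoEdit delegation entries are filtered out.
Get-GPO -All | Get-GpoSecurityFiltering | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Rows with Permission GpoCustom need a manual look in the Delegation tab's Advanced view, because the summarized permission level does not say whether "Apply Group Policy" is among the rights granted or denied.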
  • Hi,

    Just checking in to see if the information provided above was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Lavilian



    Thursday, June 20, 2019 4:35 AM
    Moderator
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Lavilian



    Monday, June 24, 2019 2:40 AM
    Moderator