Add-GphGpoDefaultPermissions.ps1
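#Requires -RunAsAdministrator
function Add-GphGpoDefaultPermissions {
    <#
    .SYNOPSIS
        Adds additional permissions to the GPO schema template.
    .DESCRIPTION
        When a new GPO is created, its default permissions are read from the AD schema
        (the defaultSecurityDescriptor of the Group-Policy-Container class). This function
        appends an ACE to that descriptor: by default Read permissions for Domain Computers,
        or a custom SDDL ACE string passed via -SDDLStringToAdd. The SDDL flags are
        explained in the notes for this function.

        This is a forest-wide schema change: it affects every GPO created afterwards
        (existing GPOs are not modified) and requires Schema Admin rights. The ACE is only
        appended if it is not already present, so the function can be re-run safely.
        Supports -WhatIf and -Confirm.
    .PARAMETER SDDLStringToAdd
        One SDDL ACE string, including the surrounding parentheses, that is appended verbatim
        to the class default security descriptor. The string is not parsed or validated
        beyond being non-empty, so check it carefully before applying.
    .EXAMPLE
        Add-GphGpoDefaultPermissions
        Adds the group "Domain Computers" with Read permissions to the Group Policy
        Container default permissions.
    .EXAMPLE
        Add-GphGpoDefaultPermissions -SDDLStringToAdd '(A;CI;LCRPLORC;;;DU)'
        Adds the group "Domain Users" with Read permissions to the Group Policy
        Container default permissions.
    .NOTES
        Meaning of SDDL flags in the default value:
        Access type:    A  = Access Allowed
        ACE flag:       CI = Container Inherit
        Permissions:    LC = List Contents
                        RP = Read All Properties
                        LO = List Object
                        RC = Read Permissions
        Access subject: DC = Domain Computers

        More info:
        https://msdn.microsoft.com/de-de/library/windows/desktop/aa379602(v=vs.85).aspx
        http://woshub.com/how-to-change-default-permissions-for-new-gpos/

        Author:  Holger Voges
        Date:    2018-11-16
        Version: 1.0
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param (
        # The ACE to append to the Group-Policy-Container default. Default is Domain Computers (read).
        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [String]
        $SDDLStringToAdd = '(A;CI;LCRPLORC;;;DC)'
    )

    $ADschemaDn = ( Get-ADRootDSE ).schemaNamingContext
    $GPCClass = Get-ADObject -Filter { name -eq 'Group-Policy-Container' } -SearchBase $ADschemaDn -Properties DefaultSecurityDescriptor

    # Fail with a clear message instead of a null-method error further down.
    if ( -not $GPCClass ) {
        throw "Schema class 'Group-Policy-Container' not found under '$ADschemaDn'."
    }

    $CurrentDescriptor = [String] $GPCClass.DefaultSecurityDescriptor

    # Idempotent: never append the same ACE twice.
    if ( $CurrentDescriptor.Contains( $SDDLStringToAdd )) {
        Write-Verbose "ACE '$SDDLStringToAdd' is already part of the default security descriptor; nothing to do."
        return
    }

    $NewGPCClassDescriptor = $CurrentDescriptor + $SDDLStringToAdd

    # The write is a schema modification, so it is gated behind ShouldProcess (-WhatIf / -Confirm).
    if ( $PSCmdlet.ShouldProcess( $GPCClass.DistinguishedName, "Append ACE '$SDDLStringToAdd' to defaultSecurityDescriptor" )) {
        Set-ADObject -Identity $GPCClass -Partition $ADschemaDn -Replace @{ DefaultSecurityDescriptor = $NewGPCClassDescriptor }
        # Refresh the schema cache so the new default is applied to the next GPO created.
        # NOTE(review): Update-SchemaCache is not an ActiveDirectory module cmdlet; it is
        # presumably defined elsewhere in this module - verify it is in scope.
        Update-SchemaCache
    }
}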