Scripting and Automating Custom Group Policy Delegation


There are times when the Group Policy Management Console (GPMC) does not provide enough flexibility to get a large task done. In the case of establishing, modifying, or removing delegations to a large number of Group Policy Objects (GPOs), the GPMC can be a bit cumbersome. There is an alternative that is easy and free. The solution is to use the Microsoft GPMC scripts. These scripts have been around for quite some time and have been updated to support Windows Vista and Windows Server 2008. With these scripts, you can alter permissions on one or all GPOs with ease.


Delegations for GPOs


Before you can start scripting and automating the delegation for GPOs, it is important to know what options you have. All of the delegations that are listed below can be set using the GPMC, but that approach can be time consuming. For GPO management, you have the following options:


Creating GPOs


This is a task that is delegated for the entire domain, but is configured at the Group Policy Objects node within the GPMC, as shown in Figure 1.



Figure 1:
The creation of GPOs is a domain centric delegation


Linking GPOs


The ability to link a GPO to a node in Active Directory is a powerful capability. Once the GPO is linked, the objects under the node (domain, site, or organizational unit) will automatically start to receive the policy settings in the linked GPOs. Figure 2 illustrates the delegation options for linking GPOs to a node.



Figure 2:
Linking GPOs is delegated at the Site, domain, or organizational unit level


Edit and FullEdit of GPOs


The ability to edit a GPO has a tremendous amount of power, especially if that GPO is already linked to a node in Active Directory. Therefore, controlling who can edit GPOs is key. There are two levels of editing, one which also comes with deleting and modifying the security for the GPO. These delegations are done at the GPO level, as shown in Figure 3.



Figure 3:
Editing and managing (FullEdit) GPOs is delegated on a GPO by GPO basis


Using GPMC Scripts to Automate GPO Security Delegation


The GPMC scripts allow you to make the same modifications to GPO security that the GPMC GUI does; the difference is that large tasks can be accomplished much faster. For example, assume you have just installed the Advanced Group Policy Management (AGPM) from Microsoft. Before you can use AGPM, you must alter the permissions on all of the GPOs within the GPMC to ensure that administrators don't have the ability to edit them through the GPMC. If this is not done, the GPO that is in production (shown in GPMC) can easily get out of sync with the GPO that you import into the AGPM environment. Removing and resetting the permissions on a large number of GPOs by hand to accomplish this is a tedious task. However, with the GrantPermissionOnAllGPOs.wsf script, the task is done quickly! The other GPMC scripts perform similar functions, as described below.


Note
For more information on AGPM, refer to Windows Vista for the Enterprise.


Note
To download the GPMC scripts, go to Group Policy Management Console Sample Scripts.


GrantPermissionOnAllGPOs.wsf


This script will grant the specified permission to a user or group for all GPOs in the domain. This occurs for every GPO, even one that is not linked to any Active Directory node. The /Replace switch is very useful, as it removes the trustee's existing permissions and replaces them with the new permission. If a permission is specified for a security principal that already appears on the permission list for the GPO, the higher of the two permissions will be kept for that principal (unless the /Replace switch is used).


Syntax


Usage: GrantPermissionOnAllGPOs.wsf GroupName /Permission:value [/Replace] [/Q] [/Domain:value]
GroupName: The security principal to grant permissions to
Permission: The permission level to set. Can be ‘Read’, ‘Apply’, ‘Edit’, ‘FullEdit’ or ‘None’
Replace: Specifies that any existing permissions should be replaced
Q: Quiet mode – do not display a warning before executing the script
Domain: DNS name of domain


Example


cscript GrantPermissionOnAllGPOs.wsf "GPO Admins" /Permission:Edit
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.


Warning! By executing this script, all GPOs in the target domain will be updated with the desired security setting.


Both the Active Directory and Sysvol portions of the GPO will be updated. This will result in the Sysvol contents of every GPO being copied to all replica domain controllers, and may cause excessive replication traffic in your domain.


If you have slow network links or restricted bandwidth between your domain controllers, you should check the amount of data on the Sysvol that would be replicated before performing this task.


Do you want to proceed? [Y/N] y
Updated GPO ‘Default Domain Policy’ to ‘Edit’ for GPO Admins
Updated GPO ‘Default Domain Controllers Policy’ to ‘Edit’ for GPO Admins
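The same operation with the GroupPolicy PowerShell module (Windows Server 2008 R2 and later, or RSAT), as an added example that is not one of Microsoft's GPMC sample scripts. It adds a dry-run switch and a before/after report so the change, which replicates through Sysvol, can be reviewed first; the trustee "GPO Admins" and the domain are placeholders.

```powershell
# Added example, not one of the Microsoft GPMC sample scripts: the GrantPermissionOnAllGPOs.wsf
# operation done with the GroupPolicy module, with a dry run and a before/after report.
# The default trustee and domain are placeholders for the environment being administered.
param(
    [string]$TargetName = 'GPO Admins',
    [ValidateSet('Group','User','Computer')][string]$TargetType = 'Group',
    # Equivalent of the script's Read, Apply, Edit, FullEdit and None levels
    [ValidateSet('GpoRead','GpoApply','GpoEdit','GpoEditDeleteModifySecurity','None')]
    [string]$PermissionLevel = 'GpoEdit',
    [switch]$Replace,      # same meaning as /Replace: reset the trustee's entry to exactly this level
    [switch]$DryRun,       # report what would change without touching AD or Sysvol
    [string]$DomainName = $env:USERDNSDOMAIN
)
Import-Module GroupPolicy

foreach ($gpo in Get-GPO -All -Domain $DomainName) {
    # Get-GPPermission raises an error when the trustee has no entry on the GPO; treat that as 'None'
    $entry = Get-GPPermission -Guid $gpo.Id -TargetName $TargetName -TargetType $TargetType `
                 -DomainName $DomainName -ErrorAction SilentlyContinue
    $before = if ($entry) { [string]$entry.Permission } else { 'None' }

    if ($DryRun) {
        $after = "(would set $PermissionLevel$(if ($Replace) { ', replacing existing entry' }))"
    } else {
        # Without -Replace the cmdlet, like the GPMC script, keeps a higher existing level
        Set-GPPermission -Guid $gpo.Id -TargetName $TargetName -TargetType $TargetType `
            -PermissionLevel $PermissionLevel -Replace:$Replace -DomainName $DomainName | Out-Null
        $entry = Get-GPPermission -Guid $gpo.Id -TargetName $TargetName -TargetType $TargetType `
                     -DomainName $DomainName -ErrorAction SilentlyContinue
        $after = if ($entry) { [string]$entry.Permission } else { 'None' }
    }

    # One row per GPO; pipe to Export-Csv to keep a record of the delegation change
    [pscustomobject]@{ GPO = $gpo.DisplayName; Trustee = $TargetName; Before = $before; After = $after }
}
```

Run it once with -DryRun to see which GPOs already carry a higher level for the trustee, since those are the ones that only change when -Replace is given.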


SetGPOCreationPermissions.wsf


This script grants or removes the ability to create GPOs in a domain for a given security group or user.


Syntax


Usage: SetGPOCreationPermissions.wsf Group [/Remove] [/Domain:value]
Group: The security group to grant GPO creation rights to
Remove: Removes the permission instead of granting it
Domain: DNS name of domain


Example & Output


cscript SetGPOCreationPermissions.wsf "GPO Admins"
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.


Added ‘GPO Admins’ as having GPO creation rights in Fabrikam.com.


SetGPOPermissions.wsf


This script sets the specified permission on a single, named GPO for the specified group. Unlike the other scripts, which print their syntax or produce output when run, this one errors out if you do not supply its arguments.


Syntax


Usage: SetGPOPermissions.wsf <GPOName> <GroupName> /Permission:<PermissionLevel> [/Replace] [/Domain:<DNSDomainName>]
GPOName: The name of the GPO to modify
GroupName: The security principal to grant permissions to
Permission: The permission level to set. Can be ‘Read’, ‘Apply’, ‘Edit’, ‘FullEdit’ or ‘None’
Replace: Specifies that any existing permissions should be replaced
Domain: DNS name of domain


Example & Output


cscript SetGPOPermissions.wsf "Hardened Server GPO" "Server Operators" /Permission:Edit
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.


Modified GPO Hardened Server GPO to give Server Operators Edit rights.


SetGPOPermissionsBySOM.wsf


This script grants the specified permission to the specified security principal on all GPOs linked within the scope of management (SOM) of the targeted site, domain, or organizational unit. The /Replace and /Recursive switches, together with the None permission level, give fine control over both the permission granted and the scope it applies to.


Syntax


Usage: SetGPOPermissionsBySOM.wsf SOM Group /Permission:value [/Replace] [/Recursive] [/Domain:value]
SOM: The name of the site, domain or OU to process
Group: The name of the group or user to grant permissions to
Permission: The permission to grant. Can be ‘None’, ‘Read’, ‘Apply’, ‘Edit’ or ‘FullEdit’
Replace: Replaces any existing permissions for the specified trustee. Otherwise, the script simply ensures that the trustee has at least the permission level specified
Recursive: Applies the changes to all child OUs as well
Domain: DNS name of domain


Example & Output


The error at the end of this example is harmless: because the /Recursive switch was used, the script also processed the Test OU, which had no linked GPO.


cscript SetGPOPermissionsBySOM.wsf Servers "Server Operators" /Permission:Read /Recursive
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.


Updating all GPOs linked to OU Servers to give Read rights to Server Operators


Updating all GPOs linked to OU Model Office to give Read rights to Server Operators
Updating permissions on linked GPO ‘Hardened Server GPO’


Updating all GPOs linked to OU Production to give Read rights to Server Operators
Updating permissions on linked GPO ‘Hardened Server GPO’


Updating all GPOs linked to OU Test to give Read rights to Server Operators
Error getting SOM CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=com
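The recursive SOM walk with the GroupPolicy and ActiveDirectory modules, as an added example that is not one of the GPMC sample scripts. It assumes the SOM is an OU (given as a distinguished name, a placeholder here) rather than a site, and it reports a container with no linked GPO instead of raising the error shown above.

```powershell
# Added example, not one of the Microsoft GPMC sample scripts: SetGPOPermissionsBySOM.wsf with
# /Recursive done with the GroupPolicy and ActiveDirectory modules. Assumes an OU as the SOM;
# the OU DN and trustee are placeholders.
param(
    [string]$SomDN = 'OU=Servers,DC=fabrikam,DC=com',
    [string]$TargetName = 'Server Operators',
    [ValidateSet('GpoRead','GpoApply','GpoEdit','GpoEditDeleteModifySecurity','None')]
    [string]$PermissionLevel = 'GpoRead',
    [switch]$Replace,      # same meaning as /Replace
    [switch]$Recursive     # same meaning as /Recursive: include every child OU
)
Import-Module GroupPolicy, ActiveDirectory

# Subtree search includes the base OU itself, so the list is the OU plus all descendants
$containers = if ($Recursive) {
    Get-ADOrganizationalUnit -SearchBase $SomDN -SearchScope Subtree -Filter * |
        Select-Object -ExpandProperty DistinguishedName
} else { @($SomDN) }

$done = @{}   # a GPO linked at more than one level in the tree is updated only once

foreach ($dn in $containers) {
    # Get-GPInheritance lists the GPOs linked directly to this container
    $links = (Get-GPInheritance -Target $dn).GpoLinks
    if (-not $links) {
        [pscustomobject]@{ Container = $dn; GPO = '(no linked GPO)'; Level = '' }
        continue
    }
    foreach ($link in $links) {
        if ($done.ContainsKey($link.GpoId)) { continue }
        Set-GPPermission -Guid $link.GpoId -TargetName $TargetName -TargetType Group `
            -PermissionLevel $PermissionLevel -Replace:$Replace | Out-Null
        $done[$link.GpoId] = $true
        [pscustomobject]@{ Container = $dn; GPO = $link.DisplayName; Level = $PermissionLevel }
    }
}
```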


SetSOMPermissions.wsf


This script sets the delegations available on the Active Directory nodes (sites, domains, and organizational units) to which GPOs can be linked. Because the RSoP Planning permission depends on a Windows Server 2003 or 2008 domain controller, one must be present before that permission can be granted.


Syntax


Usage: SetSOMPermissions.wsf SOM Group /Permission:value [/Inherit] [/Domain:value]


Options:


SOM: The name of the site, domain or OU to process
Group: The name of the group or user to grant permissions to
Permission: The permission to grant. Can be ‘LinkGPOs’, ‘RSoPLogging’, ‘RSoPPlanning’, ‘All’ or ‘None’
Inherit: Specifies the permission should be inherited by all child containers
Domain: DNS name of domain


Example & Output:


In these two examples, the RSoP Logging permission and then the RSoP Planning permission are added for server operators on the Servers OU, with /Inherit so that child containers receive them as well.


cscript SetSOMPermissions.wsf Servers "server operators" /Permission:RSOPLogging /inherit
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.


Added the ‘RSoP Logging Mode’ permission for server operators.


cscript SetSOMPermissions.wsf Servers "server operators" /Permission:RSOPPlanning /inherit
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.


Added the ‘RSoP Planning Mode’ permission for server operators.
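A check for the other side of this delegation, as an added example that is not one of the GPMC sample scripts: it reads an OU's ACL and reports every trustee holding any of the three SOM rights SetSOMPermissions.wsf manages (LinkGPOs, RSoP Logging, RSoP Planning), including inherited entries and full-control entries that imply them. The OU distinguished name is a placeholder; the GUIDs are the Active Directory schema identifiers of the gPLink and gPOptions attributes and the two Generate-RSoP extended rights.

```powershell
# Added example, not one of the Microsoft GPMC sample scripts: audit the SOM delegations on an OU
# by reading its ACL through the AD: drive. The OU DN is a placeholder.
param([string]$SomDN = 'OU=Servers,DC=fabrikam,DC=com')
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

# Schema GUIDs: LinkGPOs is write access to gPLink and gPOptions; RSoP rights are extended rights
$rights = @{
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'LinkGPOs (write gPLink)'
    'f30e3bbf-9ff0-11d1-b603-0000f80367c1' = 'LinkGPOs (write gPOptions)'
    'b7b1b3de-ab09-4242-9e30-9980e5d322f7' = 'RSoP Logging'
    'b7b1b3dd-ab09-4242-9e30-9980e5d322f7' = 'RSoP Planning'
}
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$acl = Get-Acl -Path "AD:\$SomDN"
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $key = $ace.ObjectType.ToString()
    # A full-control entry has an empty ObjectType and covers all three delegations
    $fullControl = ($ace.ObjectType -eq [guid]::Empty) -and $ace.ActiveDirectoryRights.HasFlag($genericAll)
    if (-not $fullControl -and -not $rights.ContainsKey($key)) { continue }

    # Inherited entries come from a parent container, for example a grant made with /Inherit
    [pscustomobject]@{
        Container  = $SomDN
        Trustee    = $ace.IdentityReference.Value
        Delegation = if ($fullControl) { 'Full control (implies all three)' } else { $rights[$key] }
        Rights     = $ace.ActiveDirectoryRights
        Inherited  = $ace.IsInherited
    }
}
```

Comparing this report against the intended delegation model is a quick way to spot link rights that were granted outside the documented process.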


Summary


The GPMC scripts can save a lot of time and effort when you need to do delegations on a few GPOs and most certainly when you need to alter all GPOs in the domain. The scripts are easy to use, fully capable of managing all aspects of the GPMC delegations, and free. After you download the scripts, decide on which delegation you need to perform, launch the script, set the switches, and the rest is done for you.
