Delegations for GPOs

Before you can start scripting and automating the delegation for GPOs, it is important to know what options you have. All of the delegations that are listed below can be set using the GPMC, but that approach can be time consuming. For GPO management, you have the following options:

Creating GPOs

This is a task that is delegated for the entire domain, but is configured at the Group Policy Objects node within the GPMC, as shown in Figure 1.

Figure 1: The creation of GPOs is a domain-centric delegation

Linking GPOs

The ability to link a GPO to a node in Active Directory is a powerful capability. Once the GPO is linked, the objects under the node (domain, site, or organizational unit) will automatically start to receive the policy settings in the linked GPOs. Figure 2 illustrates the delegation options for linking GPOs to a node.

Figure 2: Linking GPOs is delegated at the site, domain, or organizational unit level

Edit and FullEdit of GPOs

The ability to edit a GPO carries a tremendous amount of power, especially if that GPO is already linked to a node in Active Directory. Therefore, controlling who can edit GPOs is key. There are two levels of editing; the second (FullEdit) also includes deleting the GPO and modifying its security. These delegations are done at the GPO level, as shown in Figure 3.

Figure 3: Editing and managing (FullEdit) GPOs is delegated on a GPO-by-GPO basis

Using GPMC Scripts to Automate GPO Security Delegation

The GPMC scripts make the same modifications to GPO security that the GPMC GUI does; the difference is that they let you accomplish large tasks quickly. For example, assume you have just installed Advanced Group Policy Management (AGPM) from Microsoft. Before you can use AGPM, you must alter the permissions on all of the GPOs within the GPMC so that administrators no longer have the ability to edit them through the GPMC. If this is not done, the GPO that is in production (shown in GPMC) can easily get out of sync with the GPO that you import into the AGPM environment. Removing and resetting the permissions on a large number of GPOs by hand is a tedious task; with the GrantPermissionOnAllGPOs.wsf script, it is done quickly. The other GPMC scripts perform similar functions, as described below.

Note: For more information on AGPM, refer to Windows Vista for the Enterprise.

Note: To download the GPMC scripts, go to Group Policy Management Console Sample Scripts.

GrantPermissionOnAllGPOs.wsf

This script grants the specified permission to a user or group on all GPOs in the domain, including GPOs that are not linked to any Active Directory node. The /Replace switch is very useful: it removes the trustee's existing permissions and replaces them with the new permission. If a permission is specified for a security principal that is already on the GPO's permission list, the higher of the two permissions is kept for that principal (unless the /Replace switch is used).

Syntax

Usage: GrantPermissionOnAllGPOs.wsf GroupName /Permission:value [/Replace] [/Q] [/Domain:value]
GroupName: The security principal to grant permissions to
Permission: The permission level to set. Can be ‘Read’, ‘Apply’, ‘Edit’, ‘FullEdit’ or ‘None’
Replace: Specifies that any existing permissions should be replaced
Q: Quiet mode - do not display a warning before executing the script
Domain: DNS name of domain

Example

cscript GrantPermissionOnAllGPOs.wsf "GPO Admins" /Permission:Edit
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Warning! By executing this script, all GPOs in the target domain will be updated with the desired security setting.

Both the Active Directory and Sysvol portions of the GPO will be updated. This will result in the Sysvol contents of every GPO being copied to all replica domain controllers, and may cause excessive replication traffic in your domain.

If you have slow network links or restricted bandwidth between your domain controllers, you should check the amount of data on the Sysvol that would be replicated before performing this task.

Do you want to proceed? [Y/N] y
Updated GPO ‘Default Domain Policy’ to ‘Edit’ for GPO Admins
Updated GPO ‘Default Domain Controllers Policy’ to ‘Edit’ for GPO Admins
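The AGPM-style reset described above, as an added example using the GroupPolicy PowerShell module rather than the GPMC sample scripts (this is not code from the article): it records who currently holds Edit or FullEdit on every GPO before the change, then performs the same domain-wide, replace-style grant that GrantPermissionOnAllGPOs.wsf does. The domain name, group name and the $Commit gate are constructed assumptions.

```powershell
# Added example, not one of the GPMC sample scripts. Assumes the RSAT GroupPolicy module
# is installed and the caller can modify GPO security. 'fabrikam.com' and 'GPO Admins'
# are constructed values; $Commit stays $false for a dry run.
Import-Module GroupPolicy

$Domain  = 'fabrikam.com'
$Trustee = 'GPO Admins'
$Level   = 'GpoEdit'   # module name for the scripts' 'Edit'; FullEdit is GpoEditDeleteModifySecurity
$Commit  = $false

# Step 1: audit. Record every trustee holding Edit or FullEdit on any GPO before anything
# is changed, so the delegation state can be reviewed and kept as evidence.
$EditLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'
$Audit = foreach ($gpo in Get-GPO -All -Domain $Domain) {
    Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
        Where-Object { $_.Permission -in $EditLevels } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Trustee    = $_.Trustee.Name
                Permission = $_.Permission
            }
        }
}
$Audit | Sort-Object Gpo, Trustee | Format-Table -AutoSize
$Audit | Export-Csv -Path '.\gpo-edit-rights-before.csv' -NoTypeInformation

# Step 2: apply. -All covers every GPO in the domain, linked or not, like the .wsf script;
# -Replace discards the trustee's existing entry instead of keeping the higher of the two.
if ($Commit) {
    Set-GPPermission -All -Domain $Domain -TargetName $Trustee -TargetType Group `
                     -PermissionLevel $Level -Replace | Out-Null
} else {
    Write-Host "Dry run: set `$Commit = `$true to grant '$Trustee' $Level on all GPOs in $Domain."
}
```

Replace only affects the named trustee; any other principal the audit lists with Edit rights needs its own run with -PermissionLevel None to remove it.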

SetGPOCreationPermissions.wsf

This script grants or removes the ability to create GPOs in a domain for a given security group or user.

Syntax

Usage: SetGPOCreationPermissions.wsf Group [/Remove] [/Domain:value]
Group: The security group to grant GPO creation rights to
Remove: Removes the permission instead of granting it
Domain: DNS name of domain

Example & Output

cscript SetGPOCreationPermissions.wsf "GPO Admins"
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Added ‘GPO Admins’ as having GPO creation rights in Fabrikam.com.

SetGPOPermissions.wsf

This script sets permissions on the specified GPO for the specified group. Unlike the other scripts, which print their syntax or produce output when run without arguments, this script errors out if you do not supply its arguments.

Syntax

Usage: SetGPOPermissions.wsf <GPOName> <GroupName> /Permission:<PermissionLevel> [/Replace] [/Domain:<DNSDomainName>]
Permission: The permission level to set. Can be ‘Read’, ‘Apply’, ‘Edit’, ‘FullEdit’ or ‘None’
Replace: Specifies that any existing permissions should be replaced
Domain: DNS name of domain

Example & Output

cscript SetGPOPermissions.wsf "Hardened Server GPO" "Server Operators" /Permission:Edit
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Modified GPO Hardened Server GPO to give Server Operators Edit rights.

SetGPOPermissionsBySOM.wsf

This script grants the specified permission to the specified security principal on all GPOs linked within the SOM (scope of management) of the targeted site, domain, or organizational unit. The /Replace and /Recursive switches and the None permission level give you complete control over both the permission granted and the scope it applies to.

Syntax

Usage: SetGPOPermissionsBySOM.wsf SOM Group /Permission:value [/Replace] [/Recursive] [/Domain:value]
SOM: The name of the site, domain or OU to process
Group: The name of the group or user to grant permissions to
Permission: The permission to grant. Can be ‘None’, ‘Read’, ‘Apply’, ‘Edit’ or ‘FullEdit’
Replace: Replaces any existing permissions for the specified trustee. Otherwise, the script simply ensures that the trustee has at least the permission level specified
Recursive: Applies the changes to all child OUs as well
Domain: DNS name of domain

Example & Output

In this example the final line is an error, but it is expected: the /Recursive switch was used and there was no GPO linked to the Test OU.

cscript SetGPOPermissionsBySOM.wsf Servers "Server Operators" /Permission:Read /Recursive
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Updating all GPOs linked to OU Servers to give Read rights to Server Operators

Updating all GPOs linked to OU Model Office to give Read rights to Server Operators
Updating permissions on linked GPO ‘Hardened Server GPO’

Updating all GPOs linked to OU Production to give Read rights to Server Operators
Updating permissions on linked GPO ‘Hardened Server GPO’

Updating all GPOs linked to OU Test to give Read rights to Server Operators
Error getting SOM CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Fabrikam,DC=com
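The SOM-scoped, recursive grant shown above, as an added example written against the GroupPolicy and ActiveDirectory PowerShell modules (not the article's script): it walks the target container and, with -Recursive, every child OU, updates each linked GPO, and treats a container with no linked GPOs as a no-op rather than an error. The function name, the DN-based SOM parameter and the sample OU path are assumptions.

```powershell
# Added example; Set-GPPermissionBySom is a hypothetical helper, not a GPMC script.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules and rights to edit GPO security.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Set-GPPermissionBySom {
    param(
        [Parameter(Mandatory)] [string] $SomDN,    # DN of the OU or domain (the SOM)
        [Parameter(Mandatory)] [string] $Trustee,  # group or user name
        [Parameter(Mandatory)]
        [ValidateSet('None','GpoRead','GpoApply','GpoEdit','GpoEditDeleteModifySecurity')]
        [string] $PermissionLevel,
        [switch] $Replace,                          # like /Replace: drop the trustee's old entry
        [switch] $Recursive                         # like /Recursive: include all child OUs
    )
    # Containers to process: the target itself, plus every OU beneath it when -Recursive is set.
    $targets = @($SomDN)
    if ($Recursive) {
        $targets += Get-ADOrganizationalUnit -SearchBase $SomDN -SearchScope Subtree -Filter * |
                    Where-Object { $_.DistinguishedName -ne $SomDN } |
                    Select-Object -ExpandProperty DistinguishedName
    }
    foreach ($dn in $targets) {
        # Get-GPInheritance returns the GPOs linked directly to this container (its gPLink).
        $links = (Get-GPInheritance -Target $dn).GpoLinks
        if (-not $links) {
            Write-Host "No GPOs linked to $dn; nothing to change."   # the 'Test OU' case above
            continue
        }
        foreach ($link in $links) {
            Write-Host "Updating '$($link.DisplayName)' (linked to $dn) to $PermissionLevel for $Trustee"
            $params = @{ Guid = $link.GpoId; TargetName = $Trustee; TargetType = 'Group'
                         PermissionLevel = $PermissionLevel }
            if ($Replace) { $params.Replace = $true }
            Set-GPPermission @params | Out-Null   # idempotent: a GPO linked twice is set twice, harmlessly
        }
    }
}

# Constructed call mirroring the article's run: Read for Server Operators on Servers and its child OUs.
Set-GPPermissionBySom -SomDN 'OU=Servers,DC=fabrikam,DC=com' -Trustee 'Server Operators' `
                      -PermissionLevel GpoRead -Recursive
```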

SetSOMPermissions.wsf

This script targets the delegations that can be set on the Active Directory nodes (sites, domains, and organizational units) where GPOs can be linked. Because it sets only the permissions that apply to those nodes, a Windows Server 2003 or 2008 domain controller must be present so that the RSoP Planning permission can be used.

Syntax

Usage: SetSOMPermissions.wsf SOM Group /Permission:value [/Inherit] [/Domain:value]

Options:

SOM: The name of the site, domain or OU to process
Group: The name of the group or user to grant permissions to
Permission: The permission to grant. Can be ‘LinkGPOs’, ‘RSoPLogging’, ‘RSoPPlanning’, ‘All’ or ‘None’
Inherit: Specifies the permission should be inherited by all child containers
Domain: DNS name of domain

Example & Output:

In these two examples, RSoPLogging and then RSoPPlanning are added for the Servers SOM, with /inherit so that child containers inherit the permission.

cscript SetSOMPermissions.wsf Servers "server operators" /Permission:RSOPLogging /inherit
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Added the ‘RSoP Logging Mode’ permission for server operators.

cscript SetSOMPermissions.wsf Servers "server operators" /Permission:RSOPPlanning /inherit
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

Added the ‘RSoP Planning Mode’ permission for server operators.

(Derek Melber)

