≡ Menu

How to get Group Policy permissions using powershell

Using PowerShell, we can query who has permissions to a given GPO or a list of GPOs. We can do this either using Quest Active Roles cmdlets or by using native cmdlets that comes along with Windows 7 installation. In this post, I am going to demonstrate and show you the native method. To use the native method, you must be running one of the following:

  • Windows Server 2008 R2 on a domain controller
  • Windows Server 2008 R2 on a member server that has the GPMC installed
  • Windows® 7 with Remote Server Administration Tools (RSAT) installed. (RSAT includes the GPMC and the Group Policy cmdlets)

GPMC(or RSAT) installation also installs a powershell module called grouppolicy using which we can query the GPOs. Before start dealing with GPOs, we should import this module by using import-module GroupPolicy command.

Below is the sample code that helps you get permissions of a give a GPO.

function Get-GPOPermissions {            

import-module GroupPolicy            

$permsobj = Get-GPPermissions -Name $GPOName -All
foreach ($perm in $permsobj) {            

    $obj = New-Object -TypeName PSObject -Property @{
   GPOName  = $GPOName
   AccountName = $($perm.trustee.name)
        AccountType = $($perm.trustee.sidtype.tostring())
        Permissions = $($perm.permission)
$obj | Select GPOName, AccountName, AccountType, Permissions            


Below is the sample output:

Hope this helps. I will continue writing some GPO related scripts in coming days.



Comments on this entry are closed.

  • Tom LaLumiere November 12, 2014, 3:02 am


  • Sigge May 7, 2019, 8:15 pm

    Super simple and helpfull, combined it with a small foreach loop to find if a group still had access to any GPO:s.

    $GPOS = Get-GPO -all | foreach { $_.Displayname }

    Foreach ($GPO in $GPOS) {
    Get-GPOPermissions -GpoName $GPO | Where-Object {$_.Accountname -like “*ADM-PRINTER-*”}

  • kurty-gaming October 19, 2021, 1:21 pm

    Thx this will help me a lot !