Using PowerShell, we can query who has permissions on a given GPO or a list of GPOs. We can do this either with the Quest Active Roles cmdlets or with the native cmdlets that come along with a Windows 7 installation. In this post, I am going to show you the native method. To use the native method, you must be running one of the following:
- Windows Server 2008 R2 on a domain controller
- Windows Server 2008 R2 on a member server that has the GPMC installed
- Windows® 7 with Remote Server Administration Tools (RSAT) installed. (RSAT includes the GPMC and the Group Policy cmdlets)
The GPMC (or RSAT) installation also installs a PowerShell module called GroupPolicy, which we can use to query GPOs. Before we start dealing with GPOs, we should import this module with the Import-Module GroupPolicy command.
Below is sample code that gets the permissions of a given GPO.
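function Get-GPOPermissions {
    param($GpoName)

    # The GroupPolicy module ships with GPMC/RSAT
    Import-Module GroupPolicy

    # -All returns every trustee that holds a permission on the GPO
    $permsobj = Get-GPPermissions -Name $GpoName -All

    foreach ($perm in $permsobj) {
        # One output object per trustee/permission pair
        $obj = New-Object -TypeName PSObject -Property @{
            GPOName     = $GpoName
            AccountName = $($perm.Trustee.Name)
            AccountType = $($perm.Trustee.SidType.ToString())
            Permissions = $($perm.Permission)
        }
        # Select-Object fixes the column order of the output
        $obj | Select-Object GPOName, AccountName, AccountType, Permissions
    }
}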
Below is the sample output:
Hope this helps. I will continue writing some GPO-related scripts in the coming days.
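As an added example (not code from the original post), the same cmdlets can drive a domain-wide audit of who is able to modify GPOs, which is usually the permission worth reviewing first. The function name Find-GPOEditors and the default allowlist in $ExpectedEditors are hypothetical; adjust the allowlist to the groups that are supposed to manage Group Policy in your domain.

```powershell
# Added example: list every trustee that can modify a GPO and is not on the allowlist.
# Find-GPOEditors and $ExpectedEditors are hypothetical names, not part of the module.
Import-Module GroupPolicy

function Find-GPOEditors {
    param(
        # Trustees expected to hold write access (assumed defaults, adjust as needed)
        [string[]]$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
    )

    # Levels that allow changing settings or the ACL; custom ACEs need manual review
    $writeLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

    foreach ($gpo in Get-GPO -All) {
        # Query by GUID so GPOs that share a display name are not confused
        foreach ($perm in Get-GPPermissions -Guid $gpo.Id -All) {
            $level = $perm.Permission.ToString()
            if ($writeLevels -notcontains $level) { continue }

            # A deleted account leaves an entry whose name no longer resolves;
            # report its SID instead of an empty name
            $name     = $perm.Trustee.Name
            $orphaned = [string]::IsNullOrEmpty($name)
            if ($orphaned) { $name = $perm.Trustee.Sid.Value }

            # Skip trustees that are supposed to have write access
            if ($ExpectedEditors -contains $name) { continue }

            New-Object -TypeName PSObject -Property @{
                GPOName     = $gpo.DisplayName
                GPOId       = $gpo.Id
                AccountName = $name
                AccountType = $perm.Trustee.SidType.ToString()
                Permissions = $level
                OrphanedSid = $orphaned
            } | Select-Object GPOName, GPOId, AccountName, AccountType, Permissions, OrphanedSid
        }
    }
}

# Review on screen, or pipe to Export-Csv to keep a baseline for later comparison
Find-GPOEditors | Sort-Object GPOName, AccountName | Format-Table -AutoSize
```

Rows with OrphanedSid set to True point at entries left behind by deleted accounts, which are candidates for cleanup.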
Comments on this entry are closed.
Thanks!
Super simple and helpful, combined it with a small foreach loop to find if a group still had access to any GPOs.
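# Collect the display name of every GPO in the domain
$GPOS = Get-GPO -All | ForEach-Object { $_.DisplayName }
foreach ($GPO in $GPOS) {
    # Keep only the entries whose account name matches the group pattern
    Get-GPOPermissions -GpoName $GPO | Where-Object { $_.AccountName -like "*ADM-PRINTER-*" }
}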
Thx, this will help me a lot!