One-Liner: Delegate Group Policy Management

Here's a quick and easy way to delegate the management of existing Group Policy Objects in your domain.

Set-GPPermission -All -Domain "halo.net" -TargetType Group -TargetName "Domain Local - Halo GPO Edit 1" -PermissionLevel GpoEdit

What's going on here then?

-All... well, that tells Set-GPPermission to apply the new Access Control Entry (ACE) to all the GPOs in the domain

-Domain... our target domain

-TargetType... the security principal associated with the new delegated permission (User / Group / Computer)

-TargetName... the name of the security principal

-PermissionLevel... the delegated permission granted to the security principal

The values accepted by the -PermissionLevel parameter are listed below:

• GpoApply
• GpoEdit
• GpoEditDeleteModifySecurity
• GpoRead
• None

If a permission level already exists on your GPOs for your target security principal then you can use the -Replace switch to update the existing permission with the new permission.

Here's how to set the permission on a single GPO. This time the -All parameter is replaced by -Name and the name of the target GPO is supplied. You can also use -Guid rather than -Name.

Set-GPPermission -Name "Test_GPO" -Domain "halo.net" -TargetType Group -TargetName "Domain Local - Halo GPO Read 1" -PermissionLevel GpoRead

TTFN!