One-Liner: Delegate Group Policy Management

Here's a quick and easy way to delegate the management of existing Group Policy Objects in your domain.

Set-GPPermission -All -Domain "" -TargetType Group -TargetName "Domain Local - Halo GPO Edit 1" -PermissionLevel GpoEdit


What's going on here then?

-All... well, that tells Set-GPPermission to apply the new Access Control Entry (ACE) to all the GPOs in the domain

-Domain... our target domain

-TargetType... the security principal associated with the new delegated permission (User / Group / Computer)

-TargetName... the name of the security principal

-PermissionLevel... the delegated permission granted to the security principal


The values accepted by the -PermissionLevel parameter are listed below:

  • GpoApply
  • GpoEdit
  • GpoEditDeleteModifySecurity
  • GpoRead
  • None


If a permission level already exists on your GPOs for your target security principal then you can use the -Replace switch to update the existing permission with the new permission.

Here's how to set the permission on a single GPO. This time the -All parameter is replaced by -Name and the name of the target GPO is supplied. You can also use -Guid rather than -Name.

Set-GPPermission -Name "Test_GPO" -Domain "" -TargetType Group -TargetName "Domain Local - Halo GPO Read 1" -PermissionLevel GpoRead



Comments (2)

  1. Pete says:

    Thanks. But to clarify its ‘Set-GPPermissions’ not ‘Set-GPPermission’. Also don’t forget you need to run ‘import-module grouppolicy’ in powershell first.

Skip to main content