PowerShell Logo Small

Set-GPPermission



This is the built-in help made by Microsoft for the command 'Set-GPPermission', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Grants a level of permissions to a security principal for one GPO or all the GPOs in a domain.

SYNTAX


Set-GPPermission [-DomainName <String>] [-Replace] [-Server <String>] -Guid <Guid> -PermissionLevel <GPPermissionType> -TargetName <String> -TargetType
<PermissionTrusteeType> [-Confirm] [-WhatIf] [<CommonParameters>]
Set-GPPermission [-DomainName <String>] [-Replace] [-Server <String>] -All -PermissionLevel <GPPermissionType> -TargetName <String> -TargetType <PermissionTrusteeType>
[-Confirm] [-WhatIf] [<CommonParameters>]
Set-GPPermission [-Name] <String> [-DomainName <String>] [-Replace] [-Server <String>] -PermissionLevel <GPPermissionType> -TargetName <String> -TargetType
<PermissionTrusteeType> [-Confirm] [-WhatIf] [<CommonParameters>]



Search powershellhelp.space

DESCRIPTION


Grants a level of permissions to a security principal (user, security group, or computer) for one GPO or all the GPOs in a domain. You use the TargetName and TargetType
parameters to specify a user, security group, or computer for which to set the permission level. You can use the Name or the Guid parameter to set the permission level for
the security principal on a single GPO, or you can use the All parameter to set the permission level for the security principal on all GPOs in the domain.


By default, if the security principal already has a higher permission level than the specified permission level, the change is not applied. You can specify the Replace
parameter, to remove the existing permission level from the GPO before the new permission level is set. This ensures that the existing permission level is replaced by the
new permission level.



<

RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/?linkid=287735
Get-GPPermission

REMARKS

<

Examples


-------------------------- EXAMPLE 1 --------------------------

C:\PS>Set-GPPermission -Name TestGpo -TargetName "Domain Users" -TargetType Group -PermissionLevel GpoRead



Description

-----------

This command sets the permission level for the "Domain Users" security group to GpoRead for the GPO named "TestGpo". Because the Replace parameter is not specified, if the
group already has a permission level higher than GpoRead, such as GpoEdit, no action is taken.




-------------------------- EXAMPLE 2 --------------------------

C:\PS>Set-GPPermission -All -TargetName "Marketing Admins" -TargetType Group -PermissionLevel GpoEdit -Replace



Description

-----------

This command sets the permission level for the "Marketing Admins" security group to GpoEdit on all GPOs in the domain. This includes GPOs that are not linked to any site,
domain, or OU. Because the Replace parameter is specified, the new permission level overwrites the existing permissions set for the group.




-------------------------- EXAMPLE 3 --------------------------

C:\PS>Get-GPO -All | foreach-object { if($_ | Get-GPPermission -TargetName "Marketing Admins" -TargetType Group -ErrorAction SilentlyContinue) {$_ | Set-GPPermission
-Replace -PermissionLevel GpoApply -TargetName "Marketing Admins" -TargetType group }}

DisplayName : TestGPO
DomainName : contoso.com
Owner : CONTOSO\Domain Admins
Id : 24f217d4-1403-4d43-9247-d17eeedb22f0
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 3/1/2009 10:51:34 PM
ModificationTime : 3/2/2009 12:53:40 AM
UserVersion : AD Version: 8, SysVol Version: 8
ComputerVersion : AD Version: 0, SysVol Version: 0
WmiFilter :


DisplayName : TestGPO-1
DomainName : contoso.com
Owner : CONTOSO\Domain Admins
Id : fe2f7402-101b-4b3c-87e4-85d3f47735cb
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 3/1/2009 7:22:03 PM
ModificationTime : 3/2/2009 12:53:54 AM
UserVersion : AD Version: 0, SysVol Version: 0
ComputerVersion : AD Version: 0, SysVol Version: 0
WmiFilter :



Description

-----------

This command replaces the current permission level of the "Marketing Admins" security group with GpoApply for all GPOs on which the group has permissions. The command
returns each GPO for which the new permission level is set.

First, Get-GPO is used to retrieve all the GPOs in the domain (Get-GPO -All). Then, the collection is piped into the foreach-object command. As each GPO is evaluated, it is
piped into Get-GPPermissions. If a permission level for the "Marketing Admins" group is returned, the GPO is piped into Set-gppermission to set the permission level for the
group. The Replace parameter is specified to make sure that the previous permission level is overwritten.

Note: The ErrorAction parameter is set to SilentlyContinue for Get-GPPermissions. This is because a non-terminating error occurs if the specified security principal does not
have permissions on the GPO. Specifying the ErrorAction as SilentlyContinue prevents the error messages from being printed for GPOS on which the security principal does not
have permissions. For more information about the ErrorAction parameter, see about_CommonParameters.